North Korea has intensified its cyber campaign against the global cryptocurrency industry, making 2025 the most costly year on record for digital asset theft linked to the country. Security researchers say the surge reflects a sustained and increasingly sophisticated effort by Pyongyang to generate revenue as international sanctions tighten.
According to blockchain analytics firm Chainalysis, hackers affiliated with the Democratic People’s Republic of Korea (DPRK) stole more than $2.17 billion in cryptocurrency in the first half of 2025 alone. That figure already exceeds the total amount stolen in all of 2024, placing this year firmly on track to become the worst ever for crypto-related theft tied to a single state actor.
Much of the activity has been attributed to well-known groups such as Lazarus, which are believed to operate under state direction. Analysts say these operations are closely linked to the regime’s efforts to fund strategic programs, including its nuclear ambitions.
Historic breaches highlight growing scale
The most significant incident this year occurred on February 21, when hackers breached crypto exchange Bybit and drained nearly $1.5 billion worth of Ethereum. The attack stands as the largest single crypto theft in history and marked a turning point in the scale of DPRK-linked cybercrime.
That breach was followed by a series of additional attacks, including a recent $37 million hack targeting South Korea’s Upbit exchange. Together, the incidents underscore the persistence and reach of North Korea’s cyber operations, despite growing international pressure and sanctions.
“North Korea will always seek new ways to steal funds on behalf of the regime, whether through fiat or crypto,” said Andrew Fierman, head of national security intelligence at Chainalysis.
He noted that these networks are highly adaptive, operating across multiple jurisdictions and constantly refining their methods.
More complex attacks and faster laundering
Chainalysis reports that DPRK-linked hackers have expanded beyond direct exchange hacks, increasingly targeting supply chains and third-party service providers such as custodians and IT vendors. In parallel, North Korean operatives continue to infiltrate companies by posing as legitimate remote workers, particularly in the AI, blockchain, and defense sectors, to gain internal access.
Laundering of stolen funds has also become faster and more complex. Investigators have observed the use of mixing services, over-the-counter brokers, chain-hopping, token swaps, decentralized exchanges, and cross-chain bridges to obscure transaction trails. Fierman said a defining feature of recent operations is the simultaneous use of multiple laundering channels to move funds quickly and make tracking more difficult.
Looking ahead, experts warn that advances in artificial intelligence could further strengthen these tactics. AI tools could help hackers create more convincing fake identities and automate laundering processes, increasing both speed and sophistication.
Industry-wide defenses seen as critical
While sanctions remain a key tool, experts caution they are not enough on their own. Fierman emphasized the need for coordinated action across the crypto ecosystem, including exchanges, analytics firms, and law enforcement agencies.
Practical steps, he said, include enhanced due diligence such as mandatory video interviews, stronger identity checks, IP and geolocation monitoring, and tighter controls on opaque payment methods. These measures can help companies identify suspicious access patterns and block potential North Korean operatives before damage is done.
“Illicit activity will continue as long as crime exists,” Fierman said. “But when intelligence is shared quickly and responses are coordinated, illicit actors have far fewer opportunities to succeed.”