Threat Intelligence | December 18, 2025 | 5 min read

North Korea Stole $2.02 Billion in Cryptocurrency During 2025

DPRK-affiliated threat actors dominated crypto theft in 2025, accounting for 76% of exchange compromises with cumulative theft now exceeding $6.75 billion.

Alex Kowalski

New analysis confirms that North Korean state-sponsored hackers dominated cryptocurrency theft in 2025, stealing an estimated $2.02 billion and accounting for more than three-quarters of all cryptocurrency service compromises this year. The February breach of exchange Bybit alone netted $1.5 billion, marking the largest crypto theft in history.

TL;DR

  • What happened: DPRK-affiliated threat actors stole $2.02 billion in cryptocurrency during 2025
  • Who's affected: Cryptocurrency exchanges, DeFi platforms, and individual crypto holders worldwide
  • Severity: High impact - 76% of 2025 exchange compromises attributed to North Korean actors
  • Action required: Crypto platforms should review security controls; users should implement strong account protection

The Scale of North Korean Crypto Crime

The numbers paint a stark picture of North Korea's cryptocurrency theft operations:

  • $2.02 billion stolen in 2025 alone
  • 76% of cryptocurrency service compromises attributed to DPRK actors
  • $6.75 billion cumulative total from North Korean crypto theft operations
  • $1.5 billion from a single incident—the Bybit exchange breach in February 2025

These figures establish North Korea as the dominant force in state-sponsored cryptocurrency theft, far exceeding the activities of other nation-state actors in this space.

The Bybit Heist: Largest Crypto Theft in History

The February 2025 breach of Dubai-based cryptocurrency exchange Bybit stands as the largest cryptocurrency theft ever recorded. The FBI attributed the attack within days to the North Korean activity it tracks as TraderTraitor, part of the Lazarus Group; the attackers drained approximately $1.447 billion worth of ether (ETH) and liquid-staked ETH tokens from a single multisig cold wallet in one operation.

The Bybit incident alone represented roughly 72% of North Korea's 2025 cryptocurrency theft total, demonstrating the outsized impact that a single successful operation against a major exchange can have.

The post-incident forensic reports Bybit published found that the attackers did not break the multisig itself: a developer machine at the provider of the wallet's web signing interface was compromised, malicious code was served to Bybit's signers, and the approvers saw a routine transfer while the transaction they actually signed handed control of the cold wallet's contract to the attackers. That fits the broader Lazarus Group playbook, which typically combines:

  • Sophisticated social engineering targeting exchange and vendor employees
  • Compromise of software supply chains and exchange infrastructure
  • Manipulation of smart contracts and bridge protocols
  • Long-term reconnaissance before executing the theft

Who is the Lazarus Group?

Lazarus Group is North Korea's most infamous state-sponsored hacking collective, operating under the country's Reconnaissance General Bureau. The group has been active since at least 2009, initially focusing on espionage and destructive attacks before pivoting to financially-motivated operations.

Notable Lazarus Group operations include:

  • 2014 Sony Pictures hack: Destructive attack following the release of "The Interview"
  • 2016 Bangladesh Bank heist: $81 million stolen via SWIFT messaging system compromise
  • 2017 WannaCry ransomware: Global ransomware outbreak affecting hospitals, businesses, and government agencies
  • 2022 Ronin Bridge attack: roughly $620 million stolen from the bridge serving the Axie Infinity game after the attackers obtained enough validator keys to authorize withdrawals on their own
  • 2025 Bybit breach: $1.5 billion cryptocurrency theft

Several named subunits sit under the Lazarus umbrella: APT38 and BlueNoroff are different vendors' names for largely the same financially motivated activity against banks and cryptocurrency businesses, while Andariel focuses on espionage and has also run ransomware operations. Recent campaigns show the group pairing fake job interviews with ClickFix-style social engineering: the candidate is shown a bogus camera or microphone error and told to paste a "fix" command into a terminal, which installs the malware that later gives the attackers a foothold inside the target's employer.

Why Does North Korea Target Cryptocurrency?

North Korea's aggressive cryptocurrency theft operations serve multiple strategic purposes:

Sanctions Evasion

International sanctions severely restrict North Korea's ability to conduct legitimate international trade and access the global financial system. Cryptocurrency provides a mechanism to generate revenue outside sanctioned channels.

Weapons Program Funding

U.S. and international intelligence agencies have concluded that stolen cryptocurrency directly funds North Korea's nuclear weapons and ballistic missile programs. The UN Panel of Experts has documented the connection between crypto theft and weapons development.

Regime Stability

Beyond weapons programs, stolen cryptocurrency helps fund the broader North Korean regime, including luxury goods for the elite and general government operations.

Low-Risk, High-Reward Operations

Compared to conventional espionage or military operations, cryptocurrency theft offers enormous returns at little cost: operators face no physical risk, and public attribution carries few practical consequences for a state that is already comprehensively sanctioned.

Why This Matters

The scale of North Korean cryptocurrency theft has implications beyond the immediate financial losses:

National Security Concerns

Billions of dollars flowing to a hostile nation-state supports weapons programs that threaten regional and global security. Every successful theft contributes to North Korea's military capabilities.

Cryptocurrency Industry Legitimacy

High-profile thefts undermine confidence in cryptocurrency platforms and may slow mainstream adoption. Regulatory responses to security failures could impose additional compliance burdens across the industry.

Recovery Challenges

Attribution is the easier part: the FBI and other agencies have publicly named North Korea for these thefts. Getting the money back is another matter. Public blockchains make stolen funds traceable, but no issuer can reverse a transaction, so recovery depends on freezing funds at a cooperative intermediary before they are laundered through mixers, bridged across chains (chain-hopping) and split across thousands of addresses.

Protecting Against State-Sponsored Crypto Theft

Cryptocurrency platforms and users can implement measures to reduce risk from sophisticated threat actors.

For Exchanges and Platforms

  1. Implement defense in depth with independent layers around hot and cold wallets: spending limits enforced on-chain or by the custody platform, network segmentation for signing hosts, and alerting that does not depend on the same web interface the signers use
  2. Enforce strict access controls, including hardware security keys and multi-party authorization for large transactions, and require each signer to verify the destination, amount and contract call on the signing device's own display rather than trusting what a web front end shows
  3. Deploy behavioral analytics over withdrawal velocity, destination novelty and signer activity to detect unusual patterns
  4. Conduct regular penetration testing, including social engineering assessments and a review of third-party components in the signing path
  5. Maintain incident response plans specifically addressing theft scenarios, with pre-arranged contacts at other exchanges, stablecoin issuers and analytics firms so that funds can be frozen quickly
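The access-control and analytics items above are easiest to see as a policy check applied to every withdrawal request. The following Python sketch is an added example, not code from Bybit or any exchange: it enforces a per-account destination allowlist, requires two approvals above a threshold where each approval is bound to the exact destination and amount the approver verified (so a request altered after approval invalidates those approvals), and holds for review any transfer that pushes an account's 24-hour outflow far above its historical daily baseline. The thresholds, account names, addresses and sample requests are all constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Approval:
    """An approver's attestation to one exact destination and amount."""
    approver: str
    destination: str
    amount: float


@dataclass
class Withdrawal:
    account: str
    destination: str
    amount: float
    at: datetime
    approvals: List[Approval] = field(default_factory=list)


@dataclass
class Policy:
    allowlist: Dict[str, Set[str]]      # account -> registered destinations
    large_threshold: float = 100_000.0  # amounts at or above this need approvals
    required_approvals: int = 2
    velocity_multiplier: float = 5.0    # hold if 24h outflow > multiplier x daily baseline
    baseline_days: int = 30


def evaluate(policy: Policy, w: Withdrawal, history: List[Withdrawal]) -> Tuple[str, List[str]]:
    """Return ("allow" | "hold" | "deny", reasons). `history` holds prior completed withdrawals."""
    reasons: List[str] = []

    # Control 1: destination must be pre-registered for this account.
    if w.destination not in policy.allowlist.get(w.account, set()):
        reasons.append("destination not on account allowlist")

    # Control 2: large transfers need N distinct approvers whose attestation matches this
    # exact destination and amount. An approval of what a tampered UI displayed does not
    # count for what is actually being sent.
    if w.amount >= policy.large_threshold:
        bound = {a.approver for a in w.approvals
                 if a.destination == w.destination and a.amount == w.amount}
        if len(bound) < policy.required_approvals:
            reasons.append(f"large transfer needs {policy.required_approvals} approvals bound "
                           f"to this exact destination/amount, has {len(bound)}")
    if reasons:
        return "deny", reasons

    # Control 3: crude velocity baseline. Compare the projected 24h outflow with the
    # account's average daily outflow over the preceding baseline window.
    window_start = w.at - timedelta(hours=24)
    baseline_start = w.at - timedelta(days=policy.baseline_days)
    mine = [h for h in history if h.account == w.account]
    last_24h = sum(h.amount for h in mine if h.at > window_start)
    prior = sum(h.amount for h in mine if baseline_start <= h.at <= window_start)
    daily_baseline = prior / max(policy.baseline_days - 1, 1)
    projected = last_24h + w.amount
    if daily_baseline == 0 and w.amount >= policy.large_threshold:
        return "hold", ["no outflow history for account; manual review"]
    if daily_baseline > 0 and projected > policy.velocity_multiplier * daily_baseline:
        return "hold", [f"24h outflow {projected:,.0f} exceeds "
                        f"{policy.velocity_multiplier:g}x daily baseline {daily_baseline:,.0f}"]
    return "allow", []


def demo() -> Dict[str, Tuple[str, List[str]]]:
    """Constructed scenarios; every account, address and amount is invented."""
    now = datetime(2025, 2, 21, 12, 0)
    policy = Policy(allowlist={"acct-1": {"0xAAA-registered", "0xBBB-registered"}})
    # 29 routine withdrawals of 1,000 over the previous month -> baseline of 1,000/day.
    history = [Withdrawal("acct-1", "0xAAA-registered", 1_000.0, now - timedelta(days=d))
               for d in range(1, 30)]
    small = Withdrawal("acct-1", "0xAAA-registered", 500.0, now)
    large_ok = Withdrawal("acct-1", "0xBBB-registered", 150_000.0, now, approvals=[
        Approval("alice", "0xBBB-registered", 150_000.0),
        Approval("bob", "0xBBB-registered", 150_000.0)])
    # Request altered after alice approved: she attested to the registered address,
    # but the transaction now points at an attacker-controlled address.
    tampered = Withdrawal("acct-1", "0xEVIL-unregistered", 150_000.0, now, approvals=[
        Approval("alice", "0xBBB-registered", 150_000.0),
        Approval("bob", "0xEVIL-unregistered", 150_000.0)])
    return {name: evaluate(policy, w, history)
            for name, w in [("small", small), ("large_ok", large_ok), ("tampered", tampered)]}


if __name__ == "__main__":
    for name, (decision, why) in demo().items():
        print(f"{name:9s} -> {decision:5s} {'; '.join(why)}")
```

The point of binding each approval to the destination and amount, rather than to a request ID, is that a signer who verified the transaction on a hardware device's own display produces an attestation that stops matching the moment anything upstream rewrites the request. The "hold" outcome for the legitimate large transfer is deliberate: a 150x jump over the account's daily baseline is exactly the case a human should look at before funds leave the hot wallet.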

For Individual Users

  1. Use hardware wallets for significant cryptocurrency holdings
  2. Enable all available security features including MFA and withdrawal address whitelisting
  3. Be skeptical of unsolicited contacts particularly job offers or investment opportunities
  4. Distribute holdings across multiple platforms to limit single-point-of-failure risk

Frequently Asked Questions

How does North Korea steal cryptocurrency? DPRK actors use various techniques including social engineering against exchange employees, exploitation of platform vulnerabilities, manipulation of DeFi smart contracts, and supply chain attacks against cryptocurrency software. The Lazarus Group is known for patient, multi-month operations.

What happens to stolen cryptocurrency? Stolen funds typically move through mixing services, are exchanged for privacy coins, or are laundered through chains of transactions designed to obscure their origin. Some funds eventually convert to fiat currency through complicit exchanges or over-the-counter trades.

Can stolen cryptocurrency be recovered? Recovery is difficult but occasionally possible. Law enforcement has recovered portions of some high-profile thefts when funds were traced to exchanges with cooperative relationships. However, the majority of stolen cryptocurrency is never recovered.
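The laundering pattern described above (peel chains, commingling with clean funds, mixers) and the recovery question are what blockchain analytics firms model as taint propagation. The following Python example is added here and is not any firm's or agency's code: it runs a simple proportional ("haircut") taint model over a small constructed ledger, follows stolen funds hop by hop, and reports how much taint lands on addresses tagged as exchange deposit addresses, which are the points where a freeze request is actually possible. Addresses, amounts and tags are all invented.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Tx = Tuple[str, str, str, float]  # (tx_id, sender, receiver, amount)

# Constructed sample ledger. Addresses, amounts and tags are invented for the example.
SAMPLE_OPENING: Dict[str, float] = {"theft": 1000.0, "clean": 1000.0}
SAMPLE_TXS: List[Tx] = [
    ("t1", "theft", "peel1", 1000.0),
    ("t2", "peel1", "peel2",  990.0),  # peel chain: most funds go forward, a sliver peels off
    ("t3", "peel1", "exchA",   10.0),  # ... into an exchange deposit address
    ("t4", "clean", "peel2", 1000.0),  # unrelated funds commingle with the stolen ones
    ("t5", "peel2", "mixer", 1500.0),
    ("t6", "peel2", "exchB",  490.0),
]
SAMPLE_TAGS: Dict[str, str] = {
    "exchA": "exchange-deposit", "exchB": "exchange-deposit", "mixer": "mixer"}


def propagate_taint(txs: List[Tx], opening: Dict[str, float],
                    seed: str, seed_tainted: float):
    """Proportional ("haircut") taint model.

    Each transfer carries taint equal to amount x (sender's tainted / sender's balance), so
    commingled clean funds dilute the taint instead of hiding it. Returns the tainted balance
    per address and the fewest hops from the seed at which taint reached each address.
    Transactions must be in chronological order; seed_tainted must not exceed the seed's
    opening balance.
    """
    balance: Dict[str, float] = defaultdict(float, opening)
    tainted: Dict[str, float] = defaultdict(float)
    tainted[seed] = seed_tainted
    hops: Dict[str, int] = {seed: 0}
    for tx_id, src, dst, amt in txs:
        # Refuse an inconsistent ledger rather than dividing by a zero balance.
        if amt <= 0 or balance[src] + 1e-9 < amt:
            raise ValueError(f"{tx_id}: {src} cannot spend {amt} with balance {balance[src]}")
        moved = amt * (tainted[src] / balance[src])
        balance[src] -= amt
        tainted[src] -= moved
        balance[dst] += amt
        tainted[dst] += moved
        if moved > 0:
            hops[dst] = min(hops.get(dst, float("inf")), hops[src] + 1)
    return dict(tainted), hops


def recovery_points(tainted: Dict[str, float], hops: Dict[str, int],
                    tags: Dict[str, str], min_amount: float = 1e-9):
    """Tagged addresses holding taint, e.g. exchange deposits where a freeze can be requested."""
    rows = [(addr, tags[addr], tainted[addr], hops[addr])
            for addr in tags if tainted.get(addr, 0.0) > min_amount]
    return sorted(rows, key=lambda r: -r[2])


if __name__ == "__main__":
    tainted, hops = propagate_taint(SAMPLE_TXS, SAMPLE_OPENING, "theft", 1000.0)
    for addr, tag, amt, hop in recovery_points(tainted, hops, SAMPLE_TAGS):
        print(f"{addr:6s} {tag:17s} tainted={amt:8.2f} hops={hop}")
```

On the sample ledger, the 10 units peeled off to exchA arrive fully tainted after two hops, while the 1,000 clean units deposited into peel2 dilute what flows on: the mixer receives about 746 tainted units and exchB about 244, with the total taint conserved at 1,000. Real tracing has to pick a model (haircut, FIFO, poison) and the choice changes which deposits a freeze request can credibly target, which is why analytics firms and exchanges argue over attribution at the margins even when the originating theft is not in doubt.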


The FBI, Treasury Department, and cryptocurrency analysis firms continue to track North Korean cyber operations and stolen fund movements.
