- Elliptic says 2025 thefts have already smashed records.
- Funds believed to help bankroll Pyongyang’s nuclear programme.
North Korea’s state-backed hackers have already stolen over $2 billion in cryptocurrency this year — setting a new record — with three months still to go.
Blockchain analytics firm Elliptic said the regime’s total crypto haul has now topped $6 billion, marking what experts describe as one of the most sustained and profitable cybercrime campaigns in history.
“The actual figure may be even higher,” Elliptic wrote, explaining that it had only included heists it was certain were conducted by North Korean hackers.
The firm attributed the bulk of the losses to the $1.5 billion hack against crypto exchange Bybit in February. Other publicly attributed hacks include attacks on LND.fi, WOO X, and Seedify, while Elliptic said it has connected more than 30 additional hacks to North Korea.
The sheer scale of the thefts underscores how deeply North Korea’s government now relies on crypto crime to fund its nuclear and missile programmes, according to the United Nations and several Western intelligence agencies.
The stolen funds, routed through a maze of blockchain wallets and mixing services, represent one of the regime’s few reliable sources of foreign currency amid international sanctions.
The $2 billion haul dwarfs previous years, nearly tripling 2024’s total, and surpassing the $1.35 billion stolen in 2022 during high-profile attacks on Ronin Network and Harmony Bridge.
The human factor
Elliptic said most 2025 losses came from crypto exchanges, but noted a rising trend of high-net-worth individuals being targeted through “social engineering attacks, where hackers deceive or manipulate individuals to gain access to cryptocurrency.”
This marks a clear shift from earlier attacks that exploited technical vulnerabilities in protocols.
“The weak point in cryptocurrency security is increasingly human, rather than technical,” the firm warned.
Social engineering has become a defining tactic of North Korea’s Lazarus Group, which has been linked to phishing campaigns and fake job offers sent via LinkedIn and other platforms to lure developers and executives into opening malware-infected files.
Monitoring
Elliptic detailed increasingly sophisticated laundering methods, including multiple rounds of token mixing and cross-chain transactions, the use of obscure blockchains with limited analytics coverage, and the creation and trading of tokens issued directly by laundering networks.
An example traced from the Bybit hack showed stolen funds moving across Bitcoin, Ethereum, and Tron blockchains, using several cross-chain services to obscure their origins.
The report concludes that despite North Korea’s growing sophistication, blockchain transparency still provides a critical investigative edge, and stresses that every stolen coin onchain leaves a trace.
“North Korea may be adapting its tactics, but with advanced forensic capabilities, the crypto industry and law enforcement are well placed to detect and trace these threats.”
Lance Datskoluo is DL News’ Europe-based markets correspondent.