North Korean crypto hacks escalate in record year of theft and laundering

The Block

In a year marked by unprecedented cyber aggression, hackers from the Democratic People's Republic of Korea have plundered cryptocurrency platforms for billions, further cementing their status as the industry's most prolific thieves.

Driven by the regime's need to fund its nuclear weapons amid tightening international sanctions, hacker groups like Lazarus have refined their tactics to continuously exploit vulnerabilities in the global blockchain and crypto sector.

The scale of North Korea's crypto operations in 2025 has shattered previous records. Chainalysis said North Korea-affiliated hackers stole more than $2.17 billion in crypto during the first half of 2025 — surpassing the total for all of 2024 and marking the worst year-to-date on record.

The crown jewel of this year's heists was the Feb. 21 breach of Bybit, where hackers siphoned nearly $1.5 billion in Ethereum — the largest single crypto theft in history. This incident was followed by a string of similar attacks attributed to North Korea, including the recent $37 million hack of South Korean exchange Upbit.

Pyongyang's state-led cyberattacks continue to escalate despite mounting international sanctions targeting the country, as well as individuals and entities involved in the acts.

"North Korea will always seek new vectors to steal funds on behalf of the regime, whether through fiat or crypto," Andrew Fierman, head of national security intelligence at Chainalysis, told The Block. "Therefore, their mechanisms are forever evolving, and are highly sophisticated, diversified, and deeply embedded across jurisdictions."

Fierman said sanctions alone are far from sufficient, and noted that disrupting North Korea's rapidly evolving hacking and laundering ecosystem requires coordinated action across the entire industry — including exchanges, blockchain analytics firms and law enforcement.
He added that the regime is expected to continue relying on crypto hacks as a core revenue stream.

Evolving tactics

Chainalysis said hacker groups linked to the DPRK adopted new and aggressive techniques this year, including coordinated supply-chain attacks targeting third-party service providers and fund custodians.

Their IT firm infiltration operations remain strong, seeping into AI, blockchain and defense sectors under false identities to gain access to company infrastructure or crypto reserves.

The DPRK's crypto laundering route has also evolved in complexity, Chainalysis noted.

"Stolen funds follow diverse laundering paths, including mixing services, OTC brokers, chain-hopping, token swaps, decentralised exchanges, and bridge protocols to obscure flows," Fierman said.

Fierman added that the hallmark of DPRK-linked crypto hacking operations is now the simultaneous use of multiple large-scale laundering channels, executed at speed to obscure the flow of stolen funds.

The blockchain security expert said evolving AI technologies could further fortify North Korean tactics. AI could assist DPRK hackers by crafting more convincing personas for identity-based infiltration and by automating the laundering process to make it both more complex and rapid.

Preventive measures

Fierman said one preventive approach that could actually work against the DPRK cyber actors is enhanced due diligence by companies. Mandatory video interviews, stricter identity-verification checks, IP and geolocation monitoring, and limits on opaque payment methods such as crypto can help platforms detect and block potential North Korean IT workers before they gain access, he said.

This due diligence can help identify inconsistencies, financial flows and access patterns of fraudulent IT workers from North Korea, according to the security expert.

"Ultimately, however, we should be realistic. As long as there is crime, illicit financial activity such as hacks will continue to occur," Fierman said.
"This is why close collaboration between platforms, private-sector, and law enforcement is critical. When intelligence is shared quickly, and response pathways are clear, illicit actors will have far fewer opportunities to deploy their tactics — acting as more of a deterrent for future activities."