North Korean hackers steal over $2 billion in cryptoassets in 2025
North Korea-linked hackers have stolen more than $2 billion worth of cryptoassets so far in 2025 — the largest annual total on record — according to new analysis by blockchain analytics firm Elliptic.
With nearly three months left in the year, the figure already dwarfs previous records and brings the cumulative total of cryptoassets stolen by the regime to more than $6 billion. The United Nations and several governments believe these funds play a key role in financing Pyongyang’s nuclear weapons and missile programmes.
Record-breaking cyber theft
The unprecedented scale of losses this year is driven largely by February’s $1.46 billion hack of cryptocurrency exchange Bybit, Elliptic said. Other major thefts attributed to North Korea in 2025 include attacks on LND.fi, WOO X, and Seedify, along with more than 30 additional hacks identified by the firm.
By comparison, the previous record was set in 2022, when North Korean cyber groups stole around $1.35 billion from platforms such as Ronin Network and Harmony Bridge. This year’s total is nearly triple the 2024 tally, underscoring what Elliptic describes as Pyongyang’s growing reliance on “cyber-enabled theft to fund its regime.”
Shift in tactics: From code to people
Elliptic’s analysis also reveals a significant change in how these attacks are carried out. Whereas earlier hacks exploited technical vulnerabilities in blockchain infrastructure, 2025 has seen a surge in social engineering attacks — manipulative schemes that trick individuals into handing over access credentials or approving malicious transactions.
“Humans have become the weakest link in crypto security,” Elliptic warned. The firm noted that an increasing number of victims are high-net-worth individuals, who often lack the sophisticated defences used by major exchanges. Some are specifically targeted due to their association with firms managing large crypto holdings.
The crypto-laundering “arms race”
As blockchain forensics improve, North Korean hackers have been forced to develop more complex laundering techniques to conceal stolen funds. Elliptic’s investigation into the aftermath of the Bybit hack uncovered strategies such as:
- multiple rounds of mixing and cross-chain transactions;
- use of obscure blockchains with limited analytics coverage;
- manipulation of refund addresses to redirect funds;
- and even creating and trading tokens issued by laundering networks themselves.
These tactics illustrate what Elliptic calls an “ongoing cat-and-mouse dynamic” between blockchain investigators and increasingly sophisticated cybercriminals.
Transparency as a double-edged sword
Despite these efforts, blockchain’s transparency continues to offer law enforcement unique advantages. Every digital transaction leaves a trace, allowing analysts to track and link illicit flows across the crypto ecosystem.
Elliptic said its systems enable financial institutions to identify and block deposits linked to known hacks, reducing opportunities for North Korean actors to convert stolen crypto into usable funds.
A growing threat, but also a chance for defence
The record-breaking $2 billion haul highlights both the magnitude of the threat and the importance of robust analytics and security cooperation across the crypto industry.
“North Korea may be evolving its tactics, but the transparency of blockchains and advances in forensic tools mean its activities can still be uncovered and disrupted,” Elliptic said.
As global regulators and exchanges tighten scrutiny, experts say the challenge now lies in ensuring individuals — not just institutions — adopt stronger security practices to prevent North Korean hackers from exploiting the human element of digital finance.
By Aghakazim Guliyev