North Korean Hackers Have Stolen Over $2 Billion This Year: Elliptic



North Korea-linked hacking groups have stolen more than $2 billion worth of crypto assets so far this year, according to a new analysis from blockchain forensics firm Elliptic. That is the largest annual total ever recorded, with three months of 2025 still to go.

The new data underscores Pyongyang’s growing dependence on cyber-enabled theft to fund its weapons programs. According to the United Nations and multiple intelligence agencies, proceeds from these hacks are used to finance North Korea’s nuclear and ballistic missile development.

“The scale of crypto theft attributed to North Korea this year is unprecedented — and a clear indication of how deeply the regime depends on cybercrime,” Elliptic said in its report shared with CoinDesk.

Elliptic’s findings bring the total known crypto theft attributed to North Korea to more than $6 billion since the regime’s hacking operations began targeting the crypto sector around 2017.

Bybit Hack Drives Record Year

The 2025 figure is dominated by February’s $1.46 billion hack of the Bybit exchange, one of the largest crypto thefts on record.

Elliptic has also attributed attacks against LND.fi, WOO X, and Seedify to North Korea this year, along with more than 30 additional incidents involving smaller exchanges and DeFi platforms.

The $2 billion total nearly triples last year’s tally and surpasses the previous record of $1.35 billion set in 2022, when North Korea-linked actors were behind major breaches of Ronin Network and Harmony Bridge.

Shift Towards Social Engineering

While centralized exchanges remain a prime target, Elliptic noted a strategic shift toward attacks on individuals, particularly high-net-worth crypto holders and company executives.

With crypto prices rebounding in 2025, such targets have become increasingly lucrative, and they often lack the robust security infrastructure of institutional platforms.

“The weak point in cryptocurrency security is now human, not technological,” Elliptic said.

This shift has seen hackers rely more on deception than code exploits, using tactics like phishing, fake job offers, and compromised social media accounts to gain access to wallets and private keys.

A Crypto-Laundering Arms Race

As blockchain analytics and law enforcement collaboration have improved, North Korea’s laundering operations have become more complex, Elliptic found.

Following the Bybit breach, investigators traced multiple rounds of cross-chain swaps between Bitcoin, Ethereum, BTTC and Tron — often using obscure protocols and self-issued tokens to disguise origins.

New laundering methods include multiple rounds of mixing, the use of obscure blockchains, and the creation of new tokens issued directly by laundering networks.