TL;DR
- North Korea’s regime has stolen more than $2 billion in cryptocurrencies in 2025—almost triple last year’s total, according to Elliptic.
- The $1.46 billion Bybit hack represents the year’s largest single loss.
- Hackers are now targeting individuals and corporate funds through social engineering and complex money-laundering schemes.
North Korea has stolen over $2 billion in cryptocurrencies so far in 2025, according to a report from Elliptic, which attributes the attacks to groups linked to the regime, including Lazarus.
This new figure is nearly triple that of 2024 and sets a new annual record, with three months left in the year. Since the regime began its cyber-crime operations in the crypto industry in 2017, the cumulative total has surpassed $6 billion.
The Bybit hack, which took place in February and is estimated at $1.46 billion, accounts for most of this year’s losses and ranks among the largest incidents in the sector’s history. Elliptic also attributes to North Korea the attacks on LND.fi, WOO X, and Seedify, along with more than thirty smaller breaches affecting exchanges and DeFi platforms. The firm’s report aligns with analyses from the United Nations and intelligence agencies, which state that the stolen funds finance Pyongyang’s nuclear and missile programs.
The study shows a clear shift in the regime’s tactics. While centralized platforms remain a primary target, hackers are increasingly focusing on wealthy individuals and corporate funds.
Elliptic: The Weak Point in Security Is Human
This year’s market rebound has made these targets more attractive, as they often lack the institutional security infrastructure that protects major platforms. The attacks now rely primarily on social-engineering techniques—deception, fake job offers, and impersonation on social networks—to obtain keys and wallet access. Elliptic maintains that the weak point in crypto security is no longer technological but human.
As fund-tracking capabilities improve, North Korea’s laundering networks are becoming increasingly sophisticated. Following the Bybit attack, the stolen funds went through multiple rounds of swaps between Bitcoin, Ethereum, BTTC, and Tron, using obscure protocols and tokens issued by the hackers themselves.
New laundering methods now include successive mixing rounds, cross-chain transactions, and the creation of tokens designed to conceal the origin of stolen assets.