TL;DR
- North Korea stole over $2.17B in crypto in H1 2025, exceeding all of 2024.
- The $1.5B heist from Bybit in February was the largest single crypto theft on record.
- Actors use sophisticated laundering via mixers, bridges, and OTC brokers, and infiltrate companies by posing as IT workers.
Chainalysis reports more than $2.17 billion in stolen crypto during the first half of 2025 by actors tied to North Korea. Numbers already exceed all of 2024, pointing to a planned revenue engine rather than chance exploits. Teams linked to Lazarus Group target exchanges, bridges, and infrastructure providers and convert hacks into a steady funding stream for the regime.
The biggest blow arrived in February, when attackers drained nearly $1.5 billion in ETH from Bybit, setting a new record for a single crypto heist. A later exploit at Upbit added more losses and confirmed a sustained offensive. Sanctions tighten traditional channels, so authorities in Pyongyang lean on cyber operations to fill coffers.
From isolated hacks to a criminal value chain
Teams split flows across mixers, DEX venues, cross-chain bridges, OTC brokers, and token swaps in parallel. The approach overloads investigators, shrinks reaction windows, and reduces recovery odds. Funds often scatter across chains and later recombine within hours, erasing clear trails.
Another line of attack targets employers. Operatives pose as remote IT workers, secure contracts, and reach internal wallets and key systems. Infiltration extends to blockchain startups, AI vendors, and defense-adjacent contractors, expanding access to sensitive infrastructure and broadening the pool of exploitable assets.
Why sanctions fall short
Industry specialists, including Andrew Fierman, argue that enforcement lists and black flags help, yet fail to disrupt day-to-day mechanics without tighter coordination. Exchanges, analytics firms, and law enforcement need faster freezes, standard escalations, and cross-border playbooks that match adversary speed. Without synchronized action, laundering networks rebuild pathways and retain liquidity sources.
AI raises the bar for deception. Generative models forge consistent online identities, automate phishing scripts, and refine laundering routes. Fake rƩsumƩs, cloned voices, and staged interviews improve contractor acceptance rates and open doors to admin consoles, seed vaults, and signing devices.
Large-scale theft feeds state finances and hurts legitimate users
Insurance premiums rise, risk buffers at exchanges expand, and operating costs increase across custody and compliance teams. On-chain treasuries tighten access rules, enforce multi-sig with strict quorum, and segment hot, warm, and cold paths to limit breach fallout. Protocols upgrade monitoring, curb deployer permissions, and adopt mandatory role separation for contractors.
Security leads prioritize several areas for early 2026:
ā¢ Exit routes into high-risk OTC hubs and weak-control jurisdictions.
ā¢ Burst patterns of small transfers across many chains and bridges.
ā¢ Bulk hiring of technical freelancers with unverifiable histories.
North Korea runs an industrial cyber program that turns crypto theft into reliable cash flow. Chainalysis counts $2.17B in half a year, with the Bybit raid near $1.5B as headline proof.Ā
