North Korea-Linked Hackers Steal $2.02 Billion in 2025, Leading Global Crypto Theft

North Korea-linked hackers stole $2.02B in crypto in 2025, mostly from the $1.5B Bybit hack, and made up about 76% of all service-level crypto thefts that year. They used spearphishing, fake job offers, and planted IT workers inside crypto firms to gain access, then laundered funds via Chinese-language laundering services, mixers, and cross‑chain bridges in three laundering waves over ~45 days.

Dec 22, 2025 - 16:47
Dec 19, 2025 - 17:01

Threat actors linked to the Democratic People's Republic of Korea (DPRK or North Korea) have played a big role in the rise in global cryptocurrency theft in 2025. They stole at least $2.02 billion out of more than $3.4 billion stolen from January to early December.

The figure is up 51% from 2024, when the same actors stole $1.3 billion, an increase of $681 million, according to Chainalysis' Crypto Crime Report, which was shared with The Hacker News.

"This is the worst year on record for DPRK crypto theft in terms of value stolen, and DPRK attacks also made up a record 76% of all service compromises," the blockchain intelligence company said. "Overall, the numbers for 2025 bring the DPRK's lowest cumulative estimate for stolen cryptocurrency funds to $6.75 billion."

The cryptocurrency exchange Bybit's compromise in February is to blame for $1.5 billion of the $2.02 billion that North Korea stole. TraderTraitor, also known as Jade Sleet and Slow Pisces, was blamed for the attack. Hudson Rock published a report earlier this month that connected a computer infected with Lumma Stealer to the Bybit hack because it had the email address "trevorgreer9312@gmail[.]com."

The Lazarus Group, a hacking group backed by North Korea, has been behind a number of attacks over the past ten years, including the theft of cryptocurrencies. Last month, the adversary is also thought to have stolen $36 million worth of cryptocurrency from Upbit, South Korea's largest cryptocurrency exchange.

The Reconnaissance General Bureau (RGB) in Pyongyang is connected to the Lazarus Group. It is thought to have stolen at least $200 million from more than 25 cryptocurrency heists between 2020 and 2023.

The nation-state adversary is one of the most active hacking groups. They have also run a long-running campaign called Operation Dream Job, in which they use LinkedIn or WhatsApp to offer people in the defense, manufacturing, chemical, aerospace, and technology industries high-paying jobs to trick them into downloading and running malware like BURNBOOK, MISTPEN, and BADCALL. BADCALL also has a Linux version.

The main goals of these operations are twofold: to gather private information and to generate revenue for the regime in defiance of the international sanctions imposed on the country.

Another way North Korean operators work is by placing their own IT workers in remote jobs at companies around the world under false or borrowed identities. They do this either as individuals or through front companies like DredSoftLabs and Metamint Studio that are set up for this purpose. The scheme also serves to obtain privileged access to crypto services and to enable large-scale compromises. The fraudulent business has been called Wagemole.

"Part of this record year is probably due to an increased reliance on IT worker infiltration at exchanges, custodians, and Web3 firms, which can speed up initial access and lateral movement before large-scale theft," Chainalysis said.

No matter how the funds are stolen, they are laundered through Chinese-language money movement and guarantee services, cross-chain bridges, mixers, and specialized marketplaces like Huione. The stolen assets also go through a planned, multi-wave laundering process that takes about 45 days to complete after the hacks.

  • Wave 1: Immediate Layering (Days 0–5), which means using DeFi protocols and mixing services to quickly move money away from the source of the theft
  • Wave 2: Initial Integration (Days 6–10), which means moving the money to cryptocurrency exchanges, second-tier mixing services, and cross-chain bridges like XMRt
  • Wave 3: Final Integration (Days 20–45), which means using services that make it easy to convert the assets into cash or other holdings
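The three-wave timeline above is, in practice, a set of day windows and service categories that an analyst tracing stolen funds can check observed transactions against. The following script is an added example, not code from Chainalysis or from the original article: it buckets a constructed list of post-theft outflows into the three waves by day offset, totals the value moved in each wave, and flags movements that fall outside every described window or that use a service type the wave is not said to rely on. The theft timestamp, the outflow records, the `Outflow` record shape and the service-type labels (`defi`, `mixer`, `bridge`, `exchange`, `otc`, `marketplace`) are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Laundering waves as described in the article: (name, first day, last day,
# service categories the wave is said to rely on). Day ranges are inclusive;
# the category sets are an assumption drawn from the wave descriptions.
WAVES = [
    ("Wave 1: Immediate Layering", 0, 5, {"defi", "mixer"}),
    ("Wave 2: Initial Integration", 6, 10, {"exchange", "mixer", "bridge"}),
    ("Wave 3: Final Integration", 20, 45, {"otc", "exchange", "marketplace"}),
]


@dataclass
class Outflow:
    """One observed movement of stolen funds (constructed record shape)."""
    when: datetime
    amount_usd: float
    service_type: str  # one of: defi, mixer, bridge, exchange, otc, marketplace
    note: str


def wave_for(days_since_theft: int):
    """Return the wave whose day window contains the offset, or None."""
    for name, first, last, _ in WAVES:
        if first <= days_since_theft <= last:
            return name
    return None


def expected_services(wave_name: str):
    """Service categories the article associates with a given wave."""
    for name, _, _, services in WAVES:
        if name == wave_name:
            return services
    return set()


def summarise_flows(theft_time: datetime, outflows):
    """Bucket outflows into waves and flag movements that break the pattern.

    Returns (totals, anomalies): totals maps wave name -> USD moved in that
    wave; anomalies lists (day offset, note, reason) for flows that fall in
    no described window or use a service type not associated with the wave.
    """
    totals = defaultdict(float)
    anomalies = []
    for flow in outflows:
        day = (flow.when - theft_time).days
        wave = wave_for(day)
        if wave is None:
            anomalies.append((day, flow.note, "outside every described wave window"))
            continue
        totals[wave] += flow.amount_usd
        if flow.service_type not in expected_services(wave):
            anomalies.append((day, flow.note, f"{flow.service_type} not typical for {wave}"))
    return dict(totals), anomalies


# Constructed sample: a theft at THEFT_TIME followed by seven tracked outflows.
THEFT_TIME = datetime(2025, 2, 21, 14, 0)
SAMPLE_OUTFLOWS = [
    Outflow(THEFT_TIME + timedelta(hours=6), 500e6, "defi", "swapped via DEX"),
    Outflow(THEFT_TIME + timedelta(days=2), 300e6, "mixer", "sent to mixing service"),
    Outflow(THEFT_TIME + timedelta(days=7), 200e6, "bridge", "bridged to another chain"),
    Outflow(THEFT_TIME + timedelta(days=8), 20e6, "otc", "early OTC cash-out"),
    Outflow(THEFT_TIME + timedelta(days=9), 100e6, "exchange", "deposited at exchange"),
    Outflow(THEFT_TIME + timedelta(days=15), 50e6, "exchange", "mid-gap exchange deposit"),
    Outflow(THEFT_TIME + timedelta(days=30), 150e6, "otc", "OTC trader cash-out"),
]


if __name__ == "__main__":
    totals, anomalies = summarise_flows(THEFT_TIME, SAMPLE_OUTFLOWS)
    for wave, usd in totals.items():
        print(f"{wave}: ${usd / 1e6:,.0f}M")
    for day, note, reason in anomalies:
        print(f"day {day}: {note}: {reason}")
```

Flows whose service type does not fit the wave are still counted toward that wave's total but are reported separately, so a tracing team sees both the volume timeline and the movements that deviate from the expected sequence.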

"Their heavy use of professional Chinese-language money laundering services and over-the-counter (OTC) traders suggests that DPRK threat actors are tightly integrated with illicit actors across the Asia-Pacific region, and is consistent with Pyongyang's historical use of China-based networks to gain access to the international financial system," the company said.

The news comes at the same time that the U.S. Department of Justice (DoJ) says that Minh Phuong Ngoc Vong, a 40-year-old man from Maryland, has been sentenced to 15 months in prison for his part in the IT worker scheme. He let North Korean nationals living in Shenyang, China, use his identity to get jobs at several U.S. government agencies.

Vong got jobs with at least 13 different U.S. companies between 2021 and 2024 by lying about his qualifications. One of these companies was the Federal Aviation Administration (FAA). Vong got paid more than $970,000 in salary for software development work that was done by people in other countries who were part of the conspiracy.

The Department of Justice said: "Vong worked with others, including John Doe, also known as William James, a foreign national living in Shenyang, China, to trick U.S. companies into hiring Vong as a remote software developer. Vong got these jobs by making false statements about his education, training, and experience. He then let Doe and others use his computer access credentials to do the remote software development work and get paid for it."

It looks like the IT worker scheme is changing its strategy. More and more people linked to the DPRK are acting as recruiters on sites like Upwork and Freelancer to find people to work with them and grow the business.

"These recruiters use a script to approach targets and ask them to be 'collaborators' who will help bid on and deliver projects," Security Alliance said in a report last month, adding that they give clear instructions on how to register an account, verify your identity, and share your credentials.

"Victims often give up full access to their freelance accounts or install remote-access tools like AnyDesk or Chrome Remote Desktop," the report said. This lets the threat actor operate under the victim's real identity and IP address, which allows them to get around platform verification controls and carry out illegal activity without being caught.