North Korean hackers have once again smashed annual records for stolen crypto and are in stat-padding time at this point, having already racked up $2 billion for 2025 (according to a study by Elliptic).
North Korea has made stolen crypto a major source of funding for its nuclear and weapons programs for years, and North Korean hackers have now plundered a total of $6 billion. The state-sponsored hacking teams have demonstrated creative means of penetrating crypto platforms, such as inviting their admins to fake job interviews complete with video conferencing. The hackers have been responsible for at least 30 incidents in 2025, including a $1.46 billion theft from Bybit.
Record year for North Korean hackers fueled by improvements in social engineering and laundering methods
Elliptic actually believes that the tally of stolen crypto is a conservative estimate, and that the figure may well be higher; there are a number of other attacks that show signs of being perpetrated by the North Korean hackers but cannot yet be confidently attributed, and there are quite possibly other attacks that are unknown because the victims have not reported them.
The signature theft for the North Korean hackers this year, at least thus far, is the breach of Dubai-based crypto exchange Bybit. That one set an all-time record with its $1.46 billion tally, breaking North Korea’s own record from the breach of the Ronin bridge in 2022 (and more than doubling it). This break-in is thought to have been caused by malware and was a demonstration of how sophisticated the North Korean money laundering system has become: first converting all stolen funds to Bitcoin or Ether via decentralized exchanges (to avoid the possibility of wallet freezing), then carefully “layering” the stolen crypto through a complex network of wallets, cross-chain exchanges and mixers. Stolen funds are generally beyond reach within several hours and are then carefully emptied from their eventual destination wallets over a period of several days to weeks.
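The fast "layering" phase described above is what blockchain-tracing teams race against: from the moment funds leave the victim, every outgoing hop within the first few hours is followed, and arrival at a known mixer or bridge is the signal that recovery is about to become impossible. The following is an added example (not Elliptic's tooling, and not code from the article) of that trace over a constructed transfer ledger; the wallet names, timestamps, amounts, and the MIXERS and BRIDGES label sets are all invented for illustration.

```python
"""Follow the rapid layering of stolen funds across a wallet graph.

Added example with constructed data. Wallet labels, timestamps and amounts
are invented; MIXERS and BRIDGES stand in for an analyst's address-label set.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed ledger rows: (timestamp, sender, receiver, asset, amount)
LEDGER = [
    (datetime(2025, 2, 21, 14, 0),  "exchange_hot", "thief_1",    "stETH", 1000.0),
    (datetime(2025, 2, 21, 14, 9),  "thief_1",      "dex_swap_1", "stETH", 1000.0),  # swap on a DEX
    (datetime(2025, 2, 21, 14, 9),  "dex_swap_1",   "thief_1",    "ETH",    990.0),  # ETH comes back
    (datetime(2025, 2, 21, 14, 30), "thief_1",      "layer_a",    "ETH",    500.0),
    (datetime(2025, 2, 21, 14, 31), "thief_1",      "layer_b",    "ETH",    490.0),
    (datetime(2025, 2, 21, 15, 5),  "layer_a",      "bridge_1",   "ETH",    500.0),  # cross-chain hop
    (datetime(2025, 2, 21, 15, 40), "layer_b",      "mixer_1",    "ETH",    490.0),  # mixer deposit
    (datetime(2025, 2, 21, 16, 0),  "unrelated",    "layer_a",    "ETH",      1.0),  # inbound noise
    (datetime(2025, 2, 28, 9, 0),   "layer_a",      "cashout_1",  "ETH",     10.0),  # slow drain, days later
]
MIXERS = {"mixer_1"}     # constructed label set
BRIDGES = {"bridge_1"}   # constructed label set


def trace_outflows(ledger, origin, start, window_hours=6):
    """Breadth-first walk over outgoing transfers starting at `origin`.

    A transfer is followed only if it leaves a wallet after the traced funds
    arrived there and before `start + window_hours`, i.e. the fast layering
    phase. Returns {wallet: (hops_from_origin, first_arrival_time)}.
    """
    deadline = start + timedelta(hours=window_hours)
    rows = sorted(ledger, key=lambda r: r[0])
    reached = {origin: (0, start)}
    queue = deque([origin])
    while queue:
        wallet = queue.popleft()
        hops, arrived = reached[wallet]
        for ts, src, dst, _asset, _amount in rows:
            if src != wallet or ts < arrived or ts > deadline:
                continue
            if dst not in reached:          # first time funds reach this wallet
                reached[dst] = (hops + 1, ts)
                queue.append(dst)
    return reached


def layering_report(ledger, origin, start, window_hours=6):
    """Summarise how far and how fast the funds moved inside the window,
    and how many outflows from the touched wallets happened after it
    (the slow drain the article describes)."""
    reached = trace_outflows(ledger, origin, start, window_hours)
    deadline = start + timedelta(hours=window_hours)
    mixers = sorted(w for w in reached if w in MIXERS)
    bridges = sorted(w for w in reached if w in BRIDGES)
    minutes_to_mixer = None
    if mixers:
        first = min(reached[w][1] for w in mixers)
        minutes_to_mixer = int((first - start).total_seconds() // 60)
    later = [r for r in ledger if r[1] in reached and r[0] > deadline]
    return {
        "wallets_touched": len(reached) - 1,
        "max_hops": max(h for h, _ in reached.values()),
        "mixer_reached": mixers,
        "bridge_reached": bridges,
        "minutes_to_mixer": minutes_to_mixer,
        "later_outflows": len(later),
    }


if __name__ == "__main__":
    report = layering_report(LEDGER, "thief_1", datetime(2025, 2, 21, 14, 0))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed ledger the funds reach a mixer 100 minutes after leaving the exchange and a bridge shortly before that, which is exactly the window in which freezing at a centralized off-ramp still has a chance; the single transfer seen a week later from `layer_a` is the slow-drain pattern. In practice the BFS runs against chain data or an analytics API, and the label sets come from the tracing vendor, but the decision logic (follow outflows in time order, alert on the first mixer or bridge hop) is the same.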
Elliptic notes that, as in the past, the North Korean hackers tend to target crypto exchanges. However, they have also shown increasing interest in individuals sitting on large amounts of crypto, or those who have access to organizations known to be holding troves. When targeting individuals, the hackers tend to deploy sophisticated social engineering approaches. While they have used social engineering to breach exchanges before, those attacks tend to focus more on structural weaknesses and technical oversights that make a more direct form of hacking possible.
Stolen crypto now thought to make up 13% of North Korea’s GDP
North Korea does not disclose its GDP to the world, but the United Nations estimates it at about $15 billion per year. That puts its annual hacking activity at somewhere north of 10% of its income. While the North Korean hackers have heavily focused on finding weaknesses in decentralized exchanges to date, the Elliptic researchers note that high-wealth individuals and smaller organizations with substantial crypto stashes will now have to consider that advanced hackers such as the “Lazarus Group” will be after them as the larger targets shore up their defenses.
This is not to say that the North Korean hackers are not still finding weaknesses in the crypto exchange world. The Bybit breach, which took place in February of this year, involved a weakness in the user interface of the exchange’s SafeWallet platform that allowed a JavaScript injection to manipulate transaction approvals. The hackers have also recently carried out substantial breaches, each in the millions of dollars of stolen crypto, against platforms such as LND.fi, Seedify and WOO X that involved contract vulnerabilities, stolen developer keys and good old-fashioned phishing.
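The defensive lesson of a UI-level injection that manipulates approvals is that the screen an approver looks at and the payload that reaches the signer are two different things, so the payload has to be decoded and checked independently before anyone signs. The following is an added example, not code from SafeWallet, Bybit or the article: it decodes a plain ERC-20 `transfer(address,uint256)` call (the public selector `a9059cbb` followed by two 32-byte words, a standard layout rather than any wallet's internal format) and compares it with what the approver was shown. The addresses, amounts and the `displayed`/`payload` dictionary shapes are constructed for the example.

```python
"""Check that the transaction reaching the signer matches what the UI showed.

Added example with constructed values. The ERC-20 transfer calldata layout
(4-byte selector + 32-byte padded address + 32-byte uint256) is the public
standard; the dictionary shapes for `displayed` and `payload` are assumptions.
"""

TRANSFER_SELECTOR = "a9059cbb"  # keccak256("transfer(address,uint256)")[:4]


def _strip0x(hexstr: str) -> str:
    hexstr = hexstr.lower()
    return hexstr[2:] if hexstr.startswith("0x") else hexstr


def encode_erc20_transfer(to: str, amount: int) -> str:
    """Build the calldata an honest UI would produce for transfer(to, amount)."""
    word_to = _strip0x(to).rjust(64, "0")
    word_amount = format(amount, "064x")
    return "0x" + TRANSFER_SELECTOR + word_to + word_amount


def decode_erc20_transfer(calldata: str):
    """Return {"to", "amount"} for a plain ERC-20 transfer, else None."""
    data = _strip0x(calldata)
    if len(data) != 8 + 64 + 64 or data[:8] != TRANSFER_SELECTOR:
        return None
    padding, address = data[8:32], data[32:72]
    if padding != "0" * 24:              # address word must be zero-padded
        return None
    return {"to": "0x" + address, "amount": int(data[72:136], 16)}


def verify_against_display(displayed: dict, payload: dict) -> list:
    """Compare the approver's view with the payload handed to the signer.

    displayed: {"token": contract, "to": recipient, "amount": int} as rendered.
    payload:   {"to": contract being called, "value": native value, "data": calldata}
    Returns a list of human-readable discrepancies; an empty list means the
    payload is exactly the transfer that was displayed.
    """
    issues = []
    if _strip0x(payload["to"]) != _strip0x(displayed["token"]):
        issues.append("called contract differs from displayed token")
    if payload.get("value", 0) != 0:
        issues.append("native value attached to a token transfer")
    decoded = decode_erc20_transfer(payload["data"])
    if decoded is None:
        issues.append("calldata is not a plain ERC-20 transfer")
        return issues
    if _strip0x(decoded["to"]) != _strip0x(displayed["to"]):
        issues.append(f"recipient in calldata is {decoded['to']}, UI showed {displayed['to']}")
    if decoded["amount"] != displayed["amount"]:
        issues.append(f"amount in calldata is {decoded['amount']}, UI showed {displayed['amount']}")
    return issues


# Constructed sample: what the approver saw on screen.
TOKEN = "0x" + "11" * 20
INTENDED_RECIPIENT = "0x" + "aa" * 20
OTHER_RECIPIENT = "0x" + "bb" * 20
DISPLAYED = {"token": TOKEN, "to": INTENDED_RECIPIENT, "amount": 1_000_000}

# Honest payload: calldata encodes exactly the displayed transfer.
HONEST_PAYLOAD = {"to": TOKEN, "value": 0,
                  "data": encode_erc20_transfer(INTENDED_RECIPIENT, 1_000_000)}

# Mismatching payload: same display, but the calldata names another recipient
# and the call targets a different contract.
MISMATCH_PAYLOAD = {"to": "0x" + "22" * 20, "value": 0,
                    "data": encode_erc20_transfer(OTHER_RECIPIENT, 1_000_000)}

if __name__ == "__main__":
    print("honest:", verify_against_display(DISPLAYED, HONEST_PAYLOAD))
    print("mismatch:", verify_against_display(DISPLAYED, MISMATCH_PAYLOAD))
```

The check belongs on a device or service the web front end cannot modify (a hardware signer that decodes calldata itself, or a second approver's independent tooling), because a check performed by the same injected page is no check at all. Anything the signer would accept that this decoder refuses, such as calldata for a different function, is the blind-signing surface that needs its own review rather than a rubber stamp.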
And while individuals should be on guard against social engineering, reports that began emerging in early July indicate that the North Korean hackers are targeting them with malware as well. Their hacking teams have been spotted deploying a new form of Mac malware called “NimDoor” that can bypass Apple’s built-in protections and allow them to impersonate legitimate contacts on messaging apps. This can then be leveraged to send fake Zoom files that contain the malware, which hides in the background and steals crypto wallet credentials, Telegram history and stored browser passwords. The malware derives its name from the Nim programming language, a more obscure language that automated defenses presently have trouble detecting due to its relatively rare use. It is also a multi-platform language, making it possible that the hackers will target other operating systems with this approach.
Andrew Costis, Engineering Manager of the Adversary Research Team at AttackIQ, notes that the North Korean hackers are now an entrenched reality that organizations will have to keep up with in order to avoid waking up to stolen crypto one day: “The North Korean government is said to be tied to prominent North Korean hacking groups like Lazarus, though Kim Jong Un repeatedly denies any affiliation. Regardless, organizations must interpret these massive figures as a warning and a signal to beef up their cybersecurity defenses, especially those with access to large cryptocurrency reservoirs. By testing their security defenses against common attack tactics utilized by Lazarus and other common North Korean hacking groups, security teams can identify where weaknesses lie in their defenses and reinforce them. Additionally, educating employees on social engineering tactics and strategies is a responsibility that organizations must take upon themselves. Regular training which highlights common scams, including fake investment opportunities or fraudulent wallet updates, can help employees recognize suspicious activity and report it before it results in a breach.”