With 2024 having officially drawn to a close, all sorts of annual metrics are beginning to roll in. One that is probably not at all surprising is that North Korean hackers had another banner year in terms of stolen crypto, breaking their previous annual records for the total taken and representing well over half of all such digital thefts.
The end-of-year report from Chainalysis finds that stolen crypto totals are down from the peaks of 2021 and 2022, falling by almost half from the record-setting $3.7 billion that was taken two years ago. Theft patterns are also a little different for 2024: the first half of the year looked like a new record was going to be set, but activity tapered off in the second half to end the year relatively flat.
North Korean hackers continue to find great success with crypto, even as others falter
North Korea’s new personal record for stolen crypto, $1.34 billion, represents 61% of the total of about $2.2 billion stolen in 2024. While activity in this area of crime seems to be returning to the much lower pre-pandemic levels for most other threat actors, the skilled state-backed North Korean hackers are almost single-handedly keeping numbers above the $1 billion level globally.
Stolen crypto was barely even an issue until the mid-2010s, and unsurprisingly has largely tracked along with Bitcoin’s bull runs. Aside from one spike to $1.5 billion in 2018, it had generally stayed at no more than about half a billion dollars globally until the massive spike to $3.3 billion in 2021 (followed by the current record of $3.7 billion the following year). Much of the activity in this area of theft is driven by North Korean hackers, who are operating on behalf of the state to fund the national government. These attackers are thus far better resourced than standard cyber criminals and can pull off complex social engineering schemes and even fraudulently obtain remote work positions that are then abused.
Though down as compared to the 2021 and 2022 peak years, stolen crypto did increase by 21.07% from 2023 and the overall number of theft incidents continues to trend upward after dipping in 2022 (when the North Korean hackers drove most of the action with several very large thefts). 2024 was the first year that the total number of hacks topped 300, up from 282 in 2023.
The North Korean hackers put up their eye-popping numbers in prior years primarily by raiding decentralized finance (DeFi) platforms that were still in their young stages and had substantial security vulnerabilities. The industry seems to be learning that headlines involving stolen crypto could eventually be the death of it and is stepping up security, and there has been a recent shift in preference to targeting centralized services. These were also some of the largest individual breaches for 2024, such as the May theft of $305 million from DMM Bitcoin and about $235 million from WazirX in July.
Securing private keys critical to stopping stolen crypto
The change in preference to centralized services also tracks with a focus on stealing private keys, which was the cause of 43.8% of 2024’s instances of stolen crypto. The next largest segment of these attacks could not be attributed, making up a little over 25% of incidents. Relatively small quantities of incidents stemmed from security vulnerabilities, code exploits or market integrity exploits.
On average, for the past few years, North Korean hackers can be expected to steal half a billion to a little over a billion dollars worth of crypto annually. That number has wavered up and down, but one thing is consistent: they make more attempts with every new year. 2024 saw them jump to 61% of all stolen crypto incidents from 36% the prior year, a number that has consistently been going up since 2021. The numbers also suggest that the state-backed hackers are becoming more skilled with each year, as their share of attacks that yield at least $50 million continues to increase.
However, the North Korean hackers are also stepping up their share of smaller-scale incidents. The Chainalysis report ties this to an increasing strategy of placing remote workers in legitimate jobs, with the primary intention of having them abuse privileged access to steal internal secrets and hold employers to ransom with them. These incidents most commonly yield only about $10,000 in value, but North Korea has been showing much more interest in them.
The US State Department has offered rewards of up to $5 million for information leading to identification of North Korean hackers participating in state-backed missions that leverage stolen crypto to fund the country’s weapons programs. Indictments were issued in early December for some 14 of these hackers, though it is extremely unlikely anyone will ever lay hands on them so long as they remain in North Korea.