North Korean Hackers Escalate Global Crypto Theft to $2.02 Billion in 2025
In 2025, cybercriminals linked to North Korea have significantly intensified their illicit activities, orchestrating cryptocurrency thefts totaling at least $2.02 billion. This staggering amount accounts for approximately 76% of all cryptocurrency stolen globally during the year, marking a 51% increase from the previous year’s $1.3 billion. These figures, reported by blockchain analytics firm Chainalysis, highlight a concerning trend in the realm of cybercrime.
A significant portion of this year’s theft is attributed to the February breach of the cryptocurrency exchange Bybit, resulting in a loss of $1.5 billion. The attack has been linked to a cybercriminal group known as TraderTraitor, also referred to as Jade Sleet and Slow Pisces. Investigations have connected this group to infrastructure associated with the Bybit hack, notably through the email address trevorgreer9312@gmail[.]com.
The Lazarus Group, a notorious North Korean state-sponsored hacking organization, is believed to be behind these operations. Over the past decade, Lazarus has been implicated in numerous cyberattacks, including the recent theft of $36 million from South Korea’s largest cryptocurrency exchange, Upbit. Between 2020 and 2023, the group is estimated to have stolen over $200 million from more than 25 cryptocurrency heists.
One of the group’s notable tactics is the Operation Dream Job campaign. In this scheme, Lazarus operatives pose as recruiters on platforms like LinkedIn and WhatsApp, offering lucrative job opportunities to professionals in sectors such as defense, manufacturing, chemical, aerospace, and technology. Unsuspecting victims are tricked into downloading malware, including variants like BURNBOOK, MISTPEN, and BADCALL, the latter of which also targets Linux systems. This approach serves a dual purpose: gathering sensitive information and generating illicit revenue to circumvent international sanctions imposed on North Korea.
Another strategy employed by North Korean cyber actors involves infiltrating global companies by embedding IT workers under false identities. These individuals, sometimes operating through front companies like DredSoftLabs and Metamint Studio, secure positions within organizations to gain privileged access to cryptocurrency services. This method, referred to as Wagemole, facilitates large-scale thefts by accelerating initial access and lateral movement within targeted networks.
Once the funds are stolen, they are laundered through various channels, including Chinese-language money movement services and cross-chain bridges. These methods are designed to obscure the origin of the funds, complicating efforts by authorities to trace and recover the stolen assets.
The escalation of these activities underscores the growing sophistication and audacity of North Korean cyber operations. The international community faces an urgent challenge in addressing these threats, as the stolen funds are believed to finance North Korea’s weapons programs and other illicit activities.
