Record-breaking year for state-sponsored crypto theft
North Korea set a new record for crypto theft in 2025, stealing billions through increasingly sophisticated cyber operations that underscore how deeply digital asset crime has become embedded in the regime’s state strategy.
Hackers linked to the Democratic People’s Republic of Korea (DPRK) stole more than $2.17 billion in cryptocurrency in the first half of 2025, already surpassing the total amount stolen throughout all of 2024, according to Chainalysis. The figure marks the most severe year on record for state-sponsored crypto theft.
The country's biggest heist to date was the Bybit breach, in which it siphoned nearly $1.5 billion worth of Ethereum, the largest crypto theft in history. The attack was followed by a series of additional breaches attributed to North Korea-linked groups, including a $37 million hack of South Korea’s Upbit exchange.
Analysts believe the stolen funds were used by North Korea to finance its nuclear weapons and missile programs, particularly as international sanctions continue to restrict the country's access to traditional financial channels.
Chainalysis says North Korea’s hacking operations are no longer opportunistic but strategic, persistent, and state-directed. Andrew Fierman, head of national security intelligence at the firm, said the regime has demonstrated a willingness to exploit any financial system it can access.
“North Korea will always seek new vectors to steal funds on behalf of the regime, whether through fiat or crypto. Their mechanisms are constantly evolving and are now highly sophisticated, diversified, and deeply embedded across jurisdictions.”
Fierman emphasized that sanctions alone are insufficient to curb the activity. Instead, he called for tighter coordination across crypto exchanges, blockchain analytics providers, and global law enforcement agencies to disrupt laundering routes before stolen assets can be fully obscured.
Evolving attack and laundering tactics
According to Chainalysis, DPRK-linked hacker groups significantly expanded their toolkit in 2025. New methods included coordinated supply-chain attacks targeting third-party service providers, fund custodians, and software vendors — often the weakest links in security infrastructure.
In parallel, North Korean IT infiltration campaigns remained highly active. Operatives posing as legitimate developers or contractors gained access to companies across AI, blockchain, and defense sectors, allowing them to quietly penetrate systems or redirect funds from within.
Once stolen, the funds are quickly laundered across multiple channels. Chainalysis observed the use of mixing services, OTC brokers, decentralized exchanges, token swaps, chain-hopping, and cross-chain bridges, often deployed simultaneously to obscure transaction trails.
Fierman also noted that artificial intelligence has aided North Korea's heists, for example by enabling its hackers to create fake identities, automate their laundering workflows, and achieve faster execution across their networks.
Defensive measures and the limits of prevention
While no single solution can eliminate the threat, security experts say stronger corporate due diligence could meaningfully reduce infiltration risks. Measures such as mandatory video interviews, stricter identity verification, IP and geolocation monitoring, and tighter controls on crypto-based compensation can help detect fraudulent actors before they gain internal access. Fierman said:
“These checks help identify inconsistencies in behavior, access patterns, and financial flows that often signal North Korean IT workers.”
Fierman noted that there could never be a permanent fix to this issue, adding:
“As long as there is crime, illicit financial activity will continue. The most effective deterrent is rapid intelligence sharing and coordinated response across the private sector and law enforcement.”
With state-backed cybercrime now central to Pyongyang’s economic survival, analysts expect North Korea’s hacking and laundering campaigns to intensify further in 2026 — with crypto remaining both the primary target and the regime’s most reliable financial weapon.