North Korean cybercriminals have reportedly stolen over $2 billion worth of cryptocurrency in the first nine months of 2025, according to blockchain analysis firm Elliptic. This alarming figure marks a record high for the group’s cyber activities and brings the total value of stolen cryptocurrency assets linked to North Korea to more than $6 billion.
Elliptic highlights that establishing a clear link between various attacks and North Korea is complex and often imprecise. The firm leverages blockchain analytics, patterns of money laundering, and intelligence sources to make such attributions. Many incidents go unreported, which suggests the actual figures for stolen amounts may be even greater.
Much of this year's increase is attributable to a major heist at the cryptocurrency exchange Bybit, from which hackers took approximately $1.46 billion. In addition to this prominent theft, North Korean actors have been involved in at least 33 other cryptocurrency-related heists so far this year.
The data shows that the total stolen in 2025 is nearly three times higher than the previous year’s total, emphasizing North Korea’s increasing reliance on cybercrime as a means to fund its regime. In December 2023, Recorded Future had reported that North Korean threat actors had accumulated over $3 billion in stolen cryptocurrency following high-profile incidents like the Ronin Network theft, which saw $600 million taken, alongside other significant breaches such as Nomad and Harmony.
Most attacks in 2025 have been characterized by social engineering tactics rather than exploiting vulnerabilities in cryptocurrency infrastructure. Hackers primarily directed their efforts towards cryptocurrency exchanges but also targeted high-net-worth individuals, recognizing them as lucrative victims due to their often inadequate security measures.
As the prices of cryptocurrencies have surged, individuals with substantial holdings have become attractive targets. These hackers frequently choose to go after people connected with businesses that manage large amounts of crypto assets, increasing their chances of success.
To counteract improved blockchain analytics and tracking measures, North Korean cybercriminals have reportedly adopted more sophisticated techniques for laundering their stolen assets. They engage in multiple rounds of mixing and utilize cross-chain transactions to complicate tracking efforts. By employing obscure blockchains, exploiting “refund addresses,” and creating tokens via laundering networks, they aim to obfuscate their actions further.
The unprecedented theft of over $2 billion this year highlights both the sophistication of the threat posed by North Korea and the critical importance of advanced blockchain analytics. While North Korean hackers may be refining their tactics, Elliptic underscores that the cryptocurrency industry and law enforcement are well-equipped to detect and respond to these evolving threats.


