Cryptocurrency crime reached a new high in 2025, driven largely by hackers linked to North Korea, according to new industry findings.
Threat actors connected to the Democratic People’s Republic of Korea were responsible for at least $2.02 billion of the more than $3.4 billion stolen globally between January and early December 2025. This marks a 51% year-over-year rise and an increase of $681 million compared to 2024, when $1.3 billion was stolen, according to data from a blockchain intelligence firm shared with a technology news outlet.
“This marks the most severe year on record for DPRK crypto theft in terms of value stolen, with DPRK attacks also accounting for a record 76% of all service compromises,” the firm said. “Overall, 2025’s numbers bring the lower-bound cumulative estimate for cryptocurrency funds stolen by the DPRK to $6.75 billion.”
A single breach in February played a major role. The compromise of crypto exchange Bybit accounted for $1.5 billion of the total amount stolen. The attack was linked to a threat cluster known as TraderTraitor, also called Jade Sleet and Slow Pisces. Separate analysis connected a system infected with Lumma Stealer to the incident through infrastructure indicators.
These thefts form part of a wider campaign attributed to the Lazarus Group, a North Korea-backed hacking outfit tied to Pyongyang’s Reconnaissance General Bureau. The group is believed to have stolen at least $200 million across more than 25 crypto heists between 2020 and 2023. It was also linked to the theft of $36 million from South Korea’s largest crypto exchange last month.
Lazarus Group is also known for Operation Dream Job, where fake job offers sent through LinkedIn and WhatsApp trick professionals into installing malware. The goal is to steal sensitive data and raise illegal funds in violation of international sanctions.
Another tactic involves placing North Korean IT workers inside global companies using false identities or front firms. This operation, known as Wagemole, has enabled access to crypto platforms and large-scale theft. “Part of this record year likely reflects an expanded reliance on IT worker infiltration,” the blockchain firm said.
Stolen funds are laundered through Chinese-language services, cross-chain bridges, mixers, and marketplaces. The process unfolds over about 45 days, starting with rapid fund obfuscation, followed by exchange transfers, and ending with conversion to fiat or other assets.
The disclosure follows the sentencing of a 40-year-old Maryland man to 15 months in prison for helping North Korean nationals secure jobs at U.S. organizations. Between 2021 and 2024, he earned more than $970,000 while overseas actors carried out the work.
“Vong conspired with others,” the U.S. Justice Department said, explaining how access credentials were shared to enable the scheme.



