Saturday, Dec 20, 2025
Mugglehead Investment Magazine
Alternative investment news based in Vancouver, B.C.
North Korean hackers pull in US$2B from crypto thefts in 2025

Chainalysis described North Korea as the most dangerous nation-state actor targeting cryptocurrency platforms

North Korean hackers stole a record USD$2 billion worth of cryptocurrency in 2025, marking a sharp increase from the previous year, according to new research from blockchain analytics firm Chainalysis Inc.

Released on Thursday, the report said the surge was driven largely by the biggest crypto theft ever recorded. In February, hackers linked to Pyongyang stole roughly USD$1.5 billion from the Bybit digital asset exchange, the report said.

Additionally, the theft pushed North Korea’s estimated lifetime crypto haul to at least USD$6.75 billion since tracking began. That figure continues to climb as tactics grow more advanced.

Chainalysis described North Korea as the most dangerous nation-state actor targeting cryptocurrency platforms. Its 2025 haul rose more than 50 per cent from 2024 levels.

Meanwhile, North Korean-linked thefts accounted for most of the estimated US$3.4 billion stolen across the crypto industry between January and early December.

However, the number of known attacks declined compared with last year. Researchers said fewer operations produced far larger payouts.

In addition, North Korean operatives increasingly infiltrated crypto companies by posing as IT workers. This approach allowed them to gain privileged system access.

Consequently, attackers executed fewer but far more damaging breaches. Analysts said this method reduced risk while maximizing rewards.

Further, Chainalysis researchers said stolen crypto has become a key funding source for the North Korean regime. The proceeds support state priorities, including weapons development.

The influx of stolen funds in early 2025 allowed analysts to closely track laundering behavior. Hackers broke large sums into smaller on-chain transactions to avoid detection.


The Lazarus Group may have carried out the attack

Additionally, those funds moved rapidly across wallets and blockchains. This fragmentation made suspicious activity harder to flag automatically.

Last month, South Korea’s largest crypto exchange, Upbit, disclosed a USD$30 million digital asset theft. The breach occurred one day after the platform announced a takeover by Naver Corp. Meanwhile, South Korean media reported that authorities suspect Lazarus Group, a hacking unit tied to North Korea, carried out the attack.

Further, researchers said similar laundering patterns appeared across multiple incidents, suggesting centralized coordination rather than isolated criminal acts.

However, investigators continue to trace stolen funds as exchanges tighten monitoring and governments increase cross-border cooperation.

The Lazarus Group carried out several other notable attacks in 2025 beyond the Bybit breach.

In mid-June, analysts linked the group to a roughly USD$11.5 million theft from Taiwanese crypto exchange BitoPro, in which the attackers used social engineering to bypass security controls and drain funds.

Additionally, investigators suspect Lazarus operatives were behind the US$30 million theft from South Korea’s largest crypto platform, Upbit. The attackers employed tactics similar to past intrusions and quickly moved stolen assets through complex laundering channels.

Throughout the year, threat researchers observed Lazarus-aligned actors combining phishing, supply chain compromises and cloud-account exploitation to target cryptocurrency organisations and individual wallets.

These repeated actions demonstrate the group’s broadening operational scope and persistence in using financial crime to funnel digital assets to Pyongyang.

 


Follow Joseph Morton on x

joseph@mugglehead.com
