North Korean–linked hackers have already stolen more than $2 billion in cryptocurrency in 2025 alone, setting a new annual record for the regime, according to blockchain analytics firm Elliptic. Their total known crypto heists since 2017 now exceed $6 billion, though analysts caution the real figure may be significantly higher. The most prominent incident this year was a roughly $1.46 billion breach of the crypto exchange Bybit, which U.S. law enforcement and blockchain monitors have attributed to North Korea. The attacks increasingly rely on social engineering and target wealthy individuals rather than only crypto infrastructure, signaling an evolution in tactics. Meanwhile, the United Nations has been investigating dozens of past North Korean cyberattacks, valued in aggregate at around $3 billion between 2017 and 2023, and links the gains to funding Kim Jong Un’s nuclear and missile programs.
Key Takeaways
– North Korea’s crypto thefts in 2025 alone have already shattered previous annual records, driven largely by a massive Bybit exchange hack.
– The regime is shifting tactics: increasingly using social engineering and targeting individual crypto holders, rather than purely technical exploits of infrastructure.
– International bodies such as the U.N. view these illicit proceeds as financing North Korea’s nuclear and missile programs, complicating enforcement under sanctions.
In-Depth
North Korea’s cyber operations have long lurked in the shadows of global security debates, but 2025 appears to mark a new apex in their audacity and effectiveness. The revelation that hackers linked to Pyongyang have already stolen over $2 billion in crypto this year represents more than just a headline number—it signals a deepening integration of cybercrime into the core of the regime’s fiscal strategy.
According to Elliptic’s analysis, the total known crypto assets stolen by North Korea since 2017 now top $6 billion. But that’s almost certainly a floor, rather than a ceiling: attribution in the crypto space is notoriously tricky. Elliptic itself warns that hacks “sharing hallmarks” of North Korea’s operations may remain unconfirmed or undiscovered. What we do know with confidence is that the Bybit heist of early 2025 was a monumental step: about $1.46 billion vanished in that attack, representing one of the biggest single crypto thefts ever attributed to the regime. U.S. authorities, including the FBI, have publicly tied that heist to North Korea under the name “TraderTraitor.”
What makes the current wave of attacks more dangerous is the shift in tactics. Where earlier breaches often exploited vulnerabilities in blockchain bridges, exchanges, or infrastructure bugs, 2025’s assortment of hacks shows a heavier dependence on social engineering—phishing, deception, impersonation—aimed at high-net-worth crypto holders. The idea is simple: individuals typically lack the robust defenses and monitoring that institutional exchanges maintain, making them softer targets. Once access is gained, funds are laundered through complex networks of swaps, mixers, and shell wallets to obscure the trail.
The geopolitical implications are profound. The United Nations, through its Panel of Experts on North Korea, has long documented how these cyber-enabled revenues feed into Pyongyang’s weapons programs. The U.N. has probed at least 58 suspected North Korean cyberattacks carried out between 2017 and 2023, placing the total estimated theft around $3 billion. The implication is that a sizable fraction of North Korea’s foreign-currency income is now derived from digital crime, undermining sanctions and enabling its nuclear and ballistic ambitions.
This evolving threat challenges conventional enforcement. Traditional sanctions and diplomatic pressure have struggled to keep pace with financial activity that happens in code and in the ether. Blockchain analytics firms like Elliptic play a critical role in detection and traceability, but legal and geopolitical levers often lag behind the technology. As Pyongyang refines its cyber-revenue model—pivoting toward social engineering and targeting individuals—the urgency for multilateral cooperation, stronger crypto regulation, and coordinated deterrence is growing.

