How North Korea Stole $2 Billion in Crypto in 2025 Despite Fewer Hacks

Published 12/18/2025

In 2025, North Korea reportedly stole a record $2 billion in cryptocurrency, even as the total number of crypto-related hacks worldwide declined. This development highlights a shift in cybercrime tactics toward more sophisticated, high-value attacks targeting emerging vulnerabilities in decentralized finance (DeFi) and cross-chain protocols.

What happened

According to multiple sources, including Ambcrypto and the Chainalysis 2025 Crypto Crime Report, North Korean hacking groups—most notably the Lazarus Group—managed to increase the volume of stolen cryptocurrency to $2 billion in 2025. This occurred despite an overall global decline in the number of cryptocurrency hacks compared to previous years.

The shift in North Korea’s cyber operations appears to be marked by a strategic focus on exploiting weaknesses in DeFi protocols and cross-chain bridges, which are newer and less mature components of the crypto ecosystem. Chainalysis reports that these areas have weaker security controls relative to traditional centralized exchanges, making them attractive targets for sophisticated attackers.

Further intelligence from Recorded Future’s 2025 Cyber Threat Intelligence Report indicates that North Korean actors have evolved their tactics from broad hacking campaigns to more precise and technically advanced methods. These include social engineering, phishing, and the exploitation of zero-day vulnerabilities within blockchain infrastructure. Such techniques enable targeted breaches that yield larger financial returns per attack.

Once cryptocurrency is stolen, North Korean groups employ complex laundering strategies involving mixers, decentralized exchanges, and cross-border transfers. This layering process is intended to obscure the origin of the funds, complicating efforts by regulators and law enforcement to trace or recover the assets, as detailed in the Chainalysis report.

Interpretations by Ambcrypto and Chainalysis suggest that this increase in theft, despite fewer overall hacks, reflects a deliberate shift toward fewer but higher-impact operations. Recorded Future further interprets this pattern as representative of a broader trend in cybercrime, where state-sponsored actors leverage advanced technical capabilities to exploit systemic vulnerabilities in global financial infrastructures.

Why this matters

The escalation of North Korea’s cryptocurrency theft amid declining global hack numbers underscores a significant evolution in cybercrime strategy, with implications for the security and stability of the crypto ecosystem. By focusing on emerging, less regulated sectors such as DeFi and cross-chain bridges, North Korean actors are capitalizing on systemic weaknesses that traditional security frameworks have yet to fully address.

This trend also reflects the adaptability of state-sponsored cybercriminals to changing enforcement landscapes. As regulatory scrutiny tightens around centralized exchanges and conventional money laundering channels, North Korea’s use of decentralized platforms for laundering stolen funds indicates a strategic pivot designed to evade detection.

From a market perspective, these developments increase the risk profile of DeFi and cross-chain technologies, which are central to many emerging financial products and services. The exploitation of these vulnerabilities may undermine investor confidence and complicate regulatory efforts to safeguard digital asset markets.

More broadly, the effective targeting of blockchain infrastructure by a state actor signals growing challenges for global financial security. It highlights the need for enhanced international cooperation, improved cybersecurity standards, and more transparent incident reporting to mitigate the risks posed by sophisticated cyber threats.

What remains unclear

Despite the detailed reporting on the scale and nature of North Korea’s crypto thefts, several critical questions remain unanswered. The precise technical methods and specific zero-day vulnerabilities exploited in these 2025 attacks have not been publicly disclosed. This limits the ability of the industry to fully understand or defend against similar threats.

The operational infrastructure enabling North Korea to conduct such large-scale thefts without apparent interdiction by international law enforcement or intelligence agencies is also not explained. This gap raises questions about the effectiveness of current detection and response mechanisms.

Additionally, there is no available information regarding the involvement of insider threats or compromised personnel within victim organizations, which could facilitate these breaches. Nor is there clarity on how international regulatory and law enforcement frameworks have adapted to these evolving tactics.

Finally, attribution to North Korea relies primarily on cybersecurity firm analyses and intelligence assessments. While these sources are credible, the absence of independent verification or official disclosures from affected entities limits full confirmation of these findings. The geographic distribution and timeline of the thefts also remain unspecified, as does the impact on the broader cryptocurrency market or on the operations of victim entities.

What to watch next

  • Disclosures or security incident reports from DeFi protocols and cross-chain bridge operators regarding breaches attributed to North Korean actors.
  • Updates from international regulatory bodies on new frameworks or enforcement actions targeting laundering of stolen cryptocurrencies through decentralized platforms.
  • Further cybersecurity intelligence releases detailing technical analyses of exploited vulnerabilities and attack methodologies used in 2025.
  • Signals of enhanced international cooperation or law enforcement initiatives aimed at disrupting state-sponsored cyber theft operations.
  • Market responses or shifts in security practices within the DeFi and cross-chain sectors as a result of these high-profile thefts.

The record $2 billion in cryptocurrency stolen by North Korea in 2025, despite fewer global hacks, reveals a clear strategic and technical evolution in state-sponsored cybercrime. While the details of attack mechanisms and operational infrastructure remain opaque, the shift toward targeting emerging crypto sectors and sophisticated laundering tactics presents significant challenges for regulators, market participants, and cybersecurity professionals. Addressing these challenges will require greater transparency, collaboration, and innovation in defensive measures.

Source: https://ambcrypto.com/north-korea-stole-a-record-2-billion-in-crypto-in-2025-even-as-hacks-declined/. This article is based on verified research material available at the time of writing. Where information is limited or unavailable, this is stated explicitly.