How North Korean Hackers Stole $2 Billion in Crypto in 2025

Published 12/18/2025

In 2025, North Korean hacker groups, primarily the Lazarus Group, stole approximately $2 billion worth of cryptocurrency, marking a record annual high. These thefts predominantly targeted centralized cryptocurrency platforms, exposing significant security vulnerabilities and prompting calls for stricter regulatory oversight worldwide.

What happened

Throughout 2025, North Korean state-sponsored hackers executed a series of cyber thefts that cumulatively amounted to nearly $2 billion in stolen cryptocurrency, according to a Chainalysis report. The Lazarus Group was identified as the primary actor behind these operations, a finding corroborated by the United States Cybersecurity and Infrastructure Security Agency (CISA) in a November 2025 alert. The attacks focused mainly on centralized cryptocurrency platforms, including both exchanges and centralized finance (CeFi) services.

The methods employed by these hackers combined traditional cyberattack techniques with blockchain-specific strategies. Attack vectors included exploiting security vulnerabilities within centralized platforms’ hot wallets and internal systems, social engineering tactics, and deploying advanced malware. Once the funds were stolen, they were laundered through intricate chains of decentralized finance (DeFi) protocols and cryptocurrency mixers, designed to obscure the origin of the assets.

Industry observers and cybersecurity analysts interpret this pattern of attacks as indicative of persistent weaknesses in the security architecture and operational controls of centralized crypto platforms. In particular, hot wallets—cryptocurrency wallets connected to the internet and used for facilitating transactions—and internal access management systems were repeatedly targeted. The Lazarus Group’s evolving tactics demonstrate a sophisticated understanding of both conventional cyber intrusion methods and the nuances of blockchain laundering techniques.

The scale and sophistication of these attacks have triggered responses from regulatory bodies globally. The Financial Stability Board (FSB) issued a statement in December 2025 emphasizing the systemic risks posed by such cyber thefts to global financial stability and called for harmonized international regulatory frameworks focused on centralized cryptocurrency platforms.

Why this matters

The 2025 wave of North Korean crypto thefts underscores fundamental vulnerabilities in the security infrastructure of centralized cryptocurrency platforms. These platforms, which serve as key liquidity hubs in the digital asset ecosystem, have become attractive targets due to their role as single points of failure. The repeated exploitation of hot wallets and internal systems reveals gaps in operational controls and risk management that have not been fully addressed despite prior incidents.

This situation has broader implications beyond individual platform losses. Regulators, including the FSB, view these incidents as a systemic threat to global financial stability. The blending of traditional cyberattack methods with advanced blockchain laundering techniques complicates detection and enforcement efforts, increasing the challenge of protecting the integrity of crypto markets.

Furthermore, the laundering of stolen funds through DeFi protocols highlights the difficulties regulators face in tracing illicit activity within decentralized systems that operate across jurisdictions. This dynamic complicates efforts to enforce sanctions and combat financial crime, particularly when nation-state actors are involved.

The heightened regulatory focus on centralized platforms following these attacks could reshape compliance requirements and operational standards. However, the effectiveness of such regulatory responses depends on international cooperation and the ability of platforms to implement robust security measures that can withstand increasingly sophisticated threats.

What remains unclear

Despite the detailed reporting on the scale and actors involved in these thefts, several critical questions remain unanswered. The exact technical vulnerabilities exploited during each major hack have not been publicly disclosed, limiting a comprehensive understanding of the security gaps within targeted platforms.

It is also unclear how much of the $2 billion in stolen cryptocurrency has been recovered or neutralized by law enforcement and blockchain tracing efforts. The degree to which insider threats versus external breaches contributed to these incidents has not been specified, leaving open questions about internal governance and employee risk factors.

Additionally, there is limited information on how centralized platforms have responded operationally to these attacks—whether they have patched vulnerabilities effectively or altered their security architectures. The status and impact of new regulatory measures proposed or implemented following the thefts remain unspecified, making it difficult to assess the trajectory of regulatory enforcement and platform resilience.

Finally, the attribution of these attacks to North Korea, while supported by intelligence assessments and blockchain analytics, cannot be independently verified in full detail, reflecting broader challenges in cyber attribution within the cryptocurrency domain.

What to watch next

  • The development and implementation of harmonized international regulatory frameworks targeting centralized cryptocurrency platforms, as urged by the Financial Stability Board and other authorities.
  • Further disclosures or forensic reports from affected centralized platforms detailing the nature of exploited vulnerabilities and their remediation efforts.
  • Law enforcement and blockchain analytics updates on the recovery or neutralization of stolen funds and the effectiveness of laundering detection within DeFi protocols.
  • Ongoing intelligence and cybersecurity agency assessments regarding North Korean cyber tactics and potential shifts in their targeting strategies.
  • Industry adoption of enhanced security standards, particularly around hot wallet management and internal access controls, to mitigate future risks.

The record-high crypto thefts attributed to North Korean hackers in 2025 highlight enduring weaknesses in centralized crypto platform security and the evolving sophistication of cybercriminal tactics. While the scale of the attacks has prompted regulatory concern and calls for stronger oversight, significant gaps remain in public understanding of technical vulnerabilities, recovery outcomes, and the efficacy of ensuing policy responses. Addressing these challenges will be critical to safeguarding the integrity and stability of the global cryptocurrency ecosystem.

Source: https://www.coindesk.com/business/2025/12/18/north-korean-hackers-stole-a-record-usd2b-of-crypto-in-2025-chainalysis-says. This article is based on verified research material available at the time of writing. Where information is limited or unavailable, this is stated explicitly.