North Korea-linked hackers were responsible for unprecedented cryptocurrency thefts in 2025, with blockchain analysis firms reporting that actors affiliated with the regime stole more than an estimated $2 billion in cryptoassets over the year. These activities marked the largest annual haul attributed to North Korea in the cryptocurrency sector and continued a longer-term pattern of state-linked cyber theft used to generate revenue.
Analysis from multiple blockchain intelligence organisations showed that North Korean cyber actors focused on a mix of large exchange breaches and other high-value compromises. One of the most significant of these events was a major exploit of the cryptocurrency exchange Bybit in February 2025, where attackers gained control of private keys and withdrew vast quantities of digital assets shortly after execution. This single theft, valued at approximately $1.5 billion, was among the largest individual cryptocurrency heists ever recorded and accounted for a large share of the known stolen value for the year.
Researchers also documented that North Korea’s share of global cryptocurrency theft was substantial relative to other threat actors. In 2025, an estimated 60–76% of the total value stolen from centralised services was attributed to actors linked to the Democratic People’s Republic of Korea (DPRK), according to industry reporting. This pattern demonstrated both the strategic targeting of centralised exchanges and the scale at which these operations were carried out compared with other malicious groups.
The broader context of these activities shows a shift in tactics as well as scale. Elliptic, a blockchain intelligence firm, reported that North Korea’s cyber operators conducted more than 30 separate hacks against exchanges and other cryptocurrency services in 2025, bringing their cumulative total of stolen crypto since 2017 to well over $6 billion. These 2025 thefts were said to be driven by a combination of technical compromise of exchange infrastructure and social engineering directed at service administrators and privileged users.
Part of the operational strategy has involved targeting large custodial and trading platforms where a single compromise of privileged access can result in extremely high-value losses. By aiming at centralised services with substantial reserves, attackers were able to maximise the monetary impact of each incident. Analysts noted that this focus on concentrated crypto reserves contributed to the disproportionately large share of 2025 losses linked to North Korea.
Alongside major platform breaches, there were also reports of smaller but notable incidents attributed to DPRK-linked hackers. For example, industry observers and South Korean authorities reported investigations into thefts of tens of millions of dollars in cryptocurrency from services such as Upbit, where private key compromises or abnormal withdrawals emerged in late 2025. Law enforcement cited tactics and infrastructure consistent with North Korea-linked groups.
Industry data suggests that 2025 represented not only a record year for North Korean crypto theft in absolute terms, but also a period in which the methods used became more systematic. This reflects an industrialised approach to generating revenue through a combination of high-value breaches, social engineering, and sophisticated laundering of stolen assets. Blockchain analysts noted that stolen funds often passed through complex mixing and bridging services, followed by on- and offline conversion, illustrating how North Korean crypto theft operations have matured both technically and operationally.
The financial implications of these thefts extend beyond the immediate losses themselves. Proceeds from blockchain thefts have been linked to efforts by the North Korean government to evade international sanctions and subsidise state priorities. Independent analyses and monitoring by financial intelligence firms have identified patterns of laundering and cross-chain transfers that align with known DPRK cybercrime revenue streams, underscoring the broader geopolitical consequences of the threat.
Taken together, the 2025 data show that North Korean cyber actors reinforced their position as a dominant force in the landscape of cryptocurrency theft. Their operations contributed a major portion of the roughly $3.4 billion in total crypto assets reported stolen industry-wide, with the DPRK-linked share significantly outweighing that of other state-linked or criminal groups for the year.
The continuing evolution of these operations underscores the challenges facing exchange operators, custodians, and individual holders in safeguarding digital assets. As the technical and economic sophistication of attackers grows, the cybersecurity of cryptocurrency platforms and the protection of private keys and administrative access remain central concerns for the industry.