North Korea-backed threat actors have stolen more than $2bn in cryptocurrency this year to fund the hermit state’s missile and nuclear weapons programs, according to new blockchain analysis.
The figure represents the largest ever annual tally for North Korean hackers, with three months still to go in 2025. It means they have stolen over $6bn in crypto to date to fund the autocratic regime, said London-headquartered blockchain analysis firm Elliptic.
“This year’s losses are driven in large part by February’s $1.46bn theft from cryptocurrency exchange Bybit,” it explained.
“Other thefts publicly attributed to North Korea in 2025 include those suffered by LND.fi, WOO X and Seedify. Elliptic has attributed more than 30 additional hacks to North Korea so far this year.”
The 2025 total so far is triple last year’s figure and beats 2022’s record of $1.35bn, which came on the back of attacks against Ronin Network and Harmony Bridge.
While most attacks continue to target crypto-exchanges, high-net-worth individuals are also coming under growing scrutiny, the report noted.
“The majority of the hacks in 2025 have been perpetrated through social engineering attacks, where hackers deceive or manipulate individuals in order to gain access to cryptocurrency,” Elliptic said.
“This marks a shift from earlier attacks where in many cases technical flaws in crypto infrastructure were exploited to steal funds. This shift highlights that the weak point in cryptocurrency security is increasingly human, rather than technical.”
A Laundering Arms Race
Elliptic said that, while blockchain’s transparency means every asset “leaves a trace that can be analyzed, tracked, and linked,” Pyongyang is getting better at hiding its tracks.
These increasingly “complex and resourceful” cryptocurrency laundering techniques now include:
- Multiple rounds of mixing and cross-chain transactions
- Use of “obscure blockchains” where analytics firms have limited coverage
- Exploitation of “refund addresses” to redirect assets to fresh wallets
- Creation and trading of tokens issued directly by laundering networks