North Korean Hackers Have Stolen $2 Billion in Cryptocurrency in 2025


North Korean threat actors are estimated to have stolen more than $2 billion in cryptocurrency during the first nine months of 2025, blockchain analysis firm Elliptic says.

This is an annual record for North Korean hackers, and the cumulative value of the cryptocurrency assets they have stolen to date has surpassed $6 billion.

But Elliptic notes that difficulties in attributing other attacks to North Korea and numerous incidents that remain unreported suggest that the actual stolen amount may be even higher.

“Attributing cyber thefts to North Korea is not an exact science: Elliptic and other experts use a combination of blockchain analytics, observed laundering patterns, and intelligence sources to make an attribution,” the company says.

The record-breaking amount stolen this year is largely fueled by the theft of $1.46 billion in crypto assets from the cryptocurrency exchange Bybit. According to Elliptic, North Korean hackers have been responsible for at least 33 other crypto heists this year.

“The 2025 total already dwarfs previous years and is almost triple last year’s tally, underscoring the growing scale of North Korea’s dependence on cyber-enabled theft to fund its regime,” the company notes.

In December 2023, Recorded Future estimated that threat actors associated with the Pyongyang regime had stolen a total of over $3 billion in cryptocurrency, after siphoning more than $1.7 billion in 2022 in high-profile heists such as Ronin Network ($600 million), Nomad ($190 million), Harmony ($100 million), and others.

In 2025, most of the attacks were conducted through social engineering rather than by exploiting vulnerabilities in crypto infrastructure. The hackers mainly focused on cryptocurrency exchanges, although numerous high-net-worth individuals were also hit.

“As crypto prices have risen, individuals have become increasingly attractive targets, often lacking the security measures employed by businesses. Some of these individuals are also targeted due to their association with businesses holding large amounts of crypto assets, which the hackers are looking to steal,” Elliptic notes.

In response to advanced blockchain analytics and more effective tracking of illicit cryptocurrency, North Korea has been using more complex techniques to launder the stolen assets.

The hackers now rely on multiple rounds of mixing and cross-chain transactions, use obscure blockchains to hinder analysis, and purchase utility tokens of specific protocols to reduce costs. They also redirect assets to fresh wallets by exploiting “refund addresses”, and create and trade tokens issued directly by the laundering networks.

“The record-breaking $2 billion stolen this year underlines both the scale of the threat and the importance of robust blockchain analytics. North Korea may be adapting its tactics, but with advanced forensic capabilities, the crypto industry and law enforcement are well-placed to detect and trace these threats,” Elliptic notes.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.