Between 2017 and 2025, North Korean hackers stole over $5 billion in cryptocurrency - more than the combined total of every other cybercriminal group on Earth. This isn’t random hacking. It’s a well-funded, state-run operation with one goal: bypass sanctions and fund weapons programs. The numbers don’t lie. In 2024 alone, they stole $1.34 billion. In February 2025, a single attack on Bybit took $1.5 billion in Ether - the biggest crypto heist ever recorded. And this is just what we know.
How North Korea Turns Hackers Into Weapons
North Korea doesn’t have a booming tech economy. It doesn’t have Silicon Valley. But it does have a military-grade hacking force. Groups like Lazarus, TraderTraitor, and Slow Pisces aren’t freelance criminals. They’re government employees. Paid. Trained. Ordered. Their mission? Steal crypto to buy missiles, uranium, and satellite tech while the world watches. These teams don’t break in through brute force. They wait. They watch. They build trust. In May 2024, they targeted Ginco, a Japanese company that builds wallet software for exchanges. Hackers posed as recruiters on LinkedIn, sending fake job tests to employees. The test? A Python script. It looked harmless. It wasn’t. Once opened, it gave them a backdoor into Ginco’s systems. Over the next two months, they quietly mapped out the company’s internal communications, stole session cookies, and waited for the right moment. Then, they manipulated a real transaction request from DMM, a major Japanese crypto platform, and walked away with $308 million in Bitcoin. This wasn’t a one-off. It’s their playbook: social engineering first, technical exploitation second. They don’t need to crack encryption. They just need one tired employee to click a link.
The Bybit Heist: A New Level of Scale
The February 2025 attack on Bybit changed everything. $1.5 billion in Ether vanished in one go. That’s more than the total stolen in all of 2024. Chainalysis, the leading blockchain analytics firm, confirmed the funds were moved through decentralized exchanges and cross-chain bridges - tools designed to mix and shuffle crypto across blockchains to erase the trail. What made this attack different? Precision. Speed. Scale. The hackers didn’t just steal. They laundered. They converted Ether into Bitcoin, then into Monero - a privacy coin that’s nearly impossible to trace. They spread the money across hundreds of wallets, each holding small amounts, to avoid detection. And they did it all within 72 hours. The FBI called it “a quantum leap in operational capability.” That’s not hyperbole. Before Bybit, the biggest single theft was $600 million. Now, they’re stealing more in one attack than most groups steal in a year.
Why This Keeps Getting Worse
North Korea’s crypto thefts aren’t random. They’re strategic. As international sanctions tighten, their access to hard currency shrinks. Oil, steel, electronics - all restricted. But crypto? It’s borderless. It’s untraceable. It’s digital cash with no passport. In 2023, they pulled off 20 thefts. In 2024, it jumped to 47. That’s a 135% increase. And the value? Up 103%. They’re not just stealing more - they’re stealing smarter. They’ve shifted from targeting small exchanges to going after major platforms with deep liquidity: Bybit, DMM, Atomic Wallet, CoinsPaid. These aren’t fly-by-night operations. They’re high-value targets with billions in reserves. And the success rate? Sky-high. In 2024, North Korean groups were responsible for 61% of all crypto stolen globally - even though they only carried out 20% of the attacks. That means each of their operations is 3x more successful than others. Why? Because they invest years into reconnaissance. They don’t rush. They study. They wait. And when they strike, they take everything.
How the Industry Is Responding - And Why It’s Not Enough
After every major heist, exchanges panic. They upgrade. They add multi-sig wallets. They hire blockchain monitors. They train staff. Some even buy cyber insurance. But none of it stops the next attack. The problem? The human element. No firewall can stop someone from clicking a malicious link sent by someone who looks like a hiring manager. No wallet encryption can protect you if the person with the keys has been tricked into handing them over. In 2024, the top three breaches all started with LinkedIn. Not phishing emails. Not malware downloads. A fake job offer. A fake coding test. A trusted name. That’s the new frontier. And most companies are still stuck in 2018 thinking, “We just need better encryption.” Even the most advanced platforms - the ones with $10 million security budgets - are vulnerable. Because they’re not protecting against state actors. They’re protecting against script kiddies. North Korea doesn’t use off-the-shelf tools. They build their own. They reverse-engineer security systems. They hire ex-cybersecurity engineers. They study how exchanges work from the inside out.
What’s Next? The Laundering Arms Race
The next phase isn’t about stealing more. It’s about hiding it better. North Korean hackers are now using private blockchains, privacy coins, and DeFi protocols to turn stolen funds into untraceable assets. They’re not just moving money. They’re laundering it through smart contracts, liquidity pools, and cross-chain bridges that don’t require KYC. One Chainalysis report showed a single $200 million theft was split into 1,200 separate transactions across five blockchains - each with different timestamps, addresses, and protocols. And they’re getting help. There’s growing evidence that North Korean groups are collaborating with ransomware gangs in Eastern Europe and cybercriminal networks in Southeast Asia. They share tools. They share infrastructure. They even share safe houses. The U.S. Treasury has sanctioned over 150 crypto addresses tied to Lazarus. But new ones pop up every week. By the time a wallet is flagged, the money’s already gone. The hackers are one step ahead.
Why This Matters Beyond Crypto
This isn’t just about stolen coins. It’s about nuclear weapons. The UN Security Council has repeatedly linked North Korea’s crypto thefts to its ballistic missile program. Every Bitcoin stolen is a potential payment for a rocket engine. Every Monero laundered could be funding uranium enrichment. This isn’t cybercrime. It’s national security. The U.S. Department of Defense and Japan’s National Police Agency have formed joint task forces to track these operations. But they’re fighting a shadow war. There are no front lines. No enemy bases. Just code, wallets, and anonymous servers scattered across the globe. The real danger? We’re running out of time. Every year, North Korea gets better at hiding the money. Every year, the crypto ecosystem gets bigger - and more vulnerable.
What You Can Do - Even If You’re Not an Exchange
If you’re holding crypto, you’re part of this system. Here’s what actually helps:
- Use hardware wallets for anything over $1,000. Not software wallets. Not exchange wallets.
- Never click links from unsolicited messages - even if they look like job offers or support tickets.
- Enable multi-factor authentication on every account. Use an authenticator app, not SMS.
- Monitor your wallet regularly. If you see a small transaction you didn’t make, it could be a test.
- Don’t assume big platforms are safe. Even Coinbase and Binance have been targeted. No one’s immune.
How did North Korea steal $3 billion in crypto?
North Korean hacking groups like Lazarus and TraderTraitor used a mix of social engineering, malware, and insider access to steal funds. They posed as recruiters on LinkedIn, sent fake coding tests with hidden malware, hijacked employee sessions, and manipulated legitimate transactions. They targeted wallet providers, not just exchanges, giving them access to millions in stored assets. Their attacks were patient, methodical, and often took months to execute.
Is crypto theft by North Korea still happening in 2026?
Yes. The February 2025 Bybit heist proves the attacks are accelerating. While public reports slowed after mid-2024, intelligence sources indicate North Korean groups are now focusing on private DeFi protocols and privacy coins like Monero to avoid detection. The scale is growing, not shrinking.
Why don’t exchanges stop these attacks?
Exchanges focus on technical security - firewalls, encryption, multi-sig wallets. But North Korea doesn’t hack systems. They hack people. A single employee clicking a malicious link can bypass all technical defenses. Most companies still treat this as a tech problem, not a human one. Training hasn’t caught up to the threat.
Can stolen crypto be traced back to North Korea?
Yes - but it’s hard. Blockchain analysts from Chainalysis and TRM Labs have successfully linked major thefts to North Korean wallets using transaction patterns, timing, and wallet clustering. However, the hackers now use cross-chain bridges, privacy coins, and decentralized exchanges to obscure the trail. Attribution takes months, and by then, the money is often gone.
What’s the connection between crypto theft and North Korea’s nuclear program?
The UN has confirmed that North Korea uses stolen crypto to buy materials for weapons development. Hard currency is blocked by sanctions. Crypto isn’t. Bitcoin and Monero can be used to pay for missile parts, uranium, and satellite tech through black-market suppliers. Every dollar stolen is a dollar spent on weapons.
Are decentralized exchanges (DEXs) safer from these attacks?
No. In fact, DEXs are now the primary laundering tool. North Korean hackers use them to convert stolen assets into privacy coins or mix them with legitimate transactions. Because DEXs don’t require identity verification, they’re ideal for hiding the source of funds. Even if you use a DEX, you’re still part of the network that enables these crimes.
Has any North Korean hacker been caught?
No. All known attackers operate from within North Korea, shielded by state secrecy. The FBI and international agencies have identified individuals through digital fingerprints, but there have been no arrests or extraditions. The regime protects its hackers as national assets.
What should crypto companies do differently?
Stop treating security as a tech-only problem. Implement mandatory, real-world phishing simulations for employees. Require behavioral monitoring for internal system access. Limit the number of people with hot wallet access. Audit third-party vendors like wallet providers. And assume every job offer, email, or link could be part of an attack.
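The fake coding test described earlier is a Python script, so one check a company can put in front of any unsolicited "take-home test" is a static triage that parses the file without ever running it. This is an added example, not code from the article or from any vendor; the module list, the blob-length threshold, the function names and the sample script are assumptions constructed for illustration.

```python
import ast
import re

# Modules a take-home exercise rarely needs (assumed list; tune per team).
RISKY_MODULES = {"subprocess", "socket", "urllib", "requests", "http",
                 "ctypes", "base64", "marshal", "pickle", "zlib"}
DYNAMIC_CALLS = {"exec", "eval", "compile", "__import__"}
SHELL_ATTRS = {("os", "system"), ("os", "popen")}
ENCODED_BLOB = re.compile(r"[A-Za-z0-9+/=]{120,}")  # assumed threshold

# Constructed sample, not taken from any real incident; the blob is filler.
SAMPLE_TEST = '''\
import base64
import urllib.request

CONFIG = "{blob}"

def solve(nums):
    return sorted(nums)

exec(base64.b64decode(CONFIG))
'''.format(blob="QUFB" * 40)


def triage_script(source: str) -> list[tuple[int, str, str]]:
    """Parse (never execute) an untrusted script; return (line, severity, reason)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        else:
            names = []
        for name in names:
            root = name.split(".")[0]
            if root in RISKY_MODULES:
                findings.append((node.lineno, "medium", f"imports {root}"))
        if isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name) and func.id in DYNAMIC_CALLS:
                # Executing a computed value hides the real code from review.
                literal = bool(node.args) and isinstance(node.args[0], ast.Constant)
                severity = "medium" if literal else "high"
                findings.append((node.lineno, severity, f"calls {func.id}()"))
            elif isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
                owner = func.value.id
                if (owner, func.attr) in SHELL_ATTRS or owner == "subprocess":
                    findings.append((node.lineno, "high",
                                     f"runs a command via {owner}.{func.attr}()"))
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if ENCODED_BLOB.fullmatch(node.value):
                findings.append((node.lineno, "high",
                                 f"{len(node.value)}-char encoded-looking string"))
    return sorted(findings)


def verdict(findings) -> str:
    """Any high finding means: do not run it on a work machine, escalate."""
    if any(severity == "high" for _, severity, _ in findings):
        return "quarantine"
    return "review" if findings else "no-indicators"


if __name__ == "__main__":
    results = triage_script(SAMPLE_TEST)
    for line, severity, reason in results:
        print(f"line {line}: [{severity}] {reason}")
    print("verdict:", verdict(results))
```

A "no-indicators" result is not a clearance: unsolicited code still belongs in a disposable VM that holds no credentials or session cookies.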
The $3 billion stolen so far is just the beginning. As long as crypto remains a lifeline for sanctioned regimes, the attacks won’t stop. The only way to slow them down is to make every user - from traders to CEOs - understand that security isn’t about software. It’s about awareness.
Josh Moorcroft-Jones
Look, I’ve read the whole thing-twice-and honestly? It’s not even close to being the full picture. You’re focusing on North Korea like they’re the only ones doing this, but let’s not forget Iran’s been quietly laundering crypto through shell companies in Dubai for years, and Russia? Oh, they’re not just ‘hacking’-they’re running entire botnet farms out of Kaliningrad that auto-exfiltrate from DeFi pools. And don’t get me started on how Chainalysis is basically a PR arm for the FBI-half their ‘attribution’ is just pattern matching based on wallet clustering that’s been debunked by MIT researchers. Also, the Bybit heist? That was an inside job. Someone had access to the hot wallet keys. Period. End of story. No ‘state-sponsored social engineering’ needed. Just a disgruntled dev who got paid in Monero. And yes, I’ve worked at three exchanges. I know how these things actually go down.
Emily Pegg
Ugh, I just can’t with this anymore 😩 Like, why are we even pretending crypto is safe? It’s not. It’s a wild west of scams and state actors and we’re all just sitting here with our MetaMask wallets like ‘oh hi, I trust this random link from LinkedIn!’ I mean, if you’re not using a hardware wallet, you’re basically leaving your front door open and putting a sign that says ‘I’m dumb and rich.’ 🤦♀️
Ethan Grace
There’s something profoundly existential about this whole situation, isn’t there? We’ve built a global financial system on code-on trustless, decentralized, immutable ledgers-and yet, the weakest link remains the human mind. A tired employee. A moment of distraction. A single click. It’s not a failure of technology. It’s a failure of consciousness. We’ve outsourced our vigilance to algorithms, to firewalls, to ‘multi-sig’-as if those things could ever replace the quiet, daily discipline of skepticism. North Korea didn’t hack the blockchain. They hacked our complacency. And now, we’re left wondering: if the most secure system in the world can be undone by a LinkedIn message… what does that say about us?
Jamie Hoyle
Let me stop you right there. $5 billion? That’s a fairy tale. Chainalysis is funded by crypto exchanges. They have a vested interest in making the threat look bigger than it is. The real number? Maybe $800 million. Maybe less. They’re inflating numbers to scare people into buying their ‘blockchain monitoring’ services. Also, ‘Lazarus’? That’s not one group-it’s a label slapped on every attack that uses a slightly unusual wallet pattern. I’ve seen Korean IP addresses in ransomware attacks that had nothing to do with the state. This is fearmongering dressed up as journalism. And don’t even get me started on ‘privacy coins.’ Monero isn’t a criminal tool-it’s a privacy tool. Just like cash. You don’t outlaw cash because criminals use it. You outlaw criminals.
Christina Young
Hardware wallets. MFA. Never click links. That’s it. Stop overcomplicating it.
James Burke
Really appreciate the breakdown here. I’ve been in crypto since 2017 and I’ve seen the shift-from ‘hacking exchanges’ to ‘hacking people.’ It’s wild how the attack surface changed. My buddy works at a mid-sized exchange and they just rolled out mandatory phishing simulations every quarter. Like, real ones. Fake LinkedIn messages. Fake support tickets. They even have a ‘suspicious link’ reward system. People are getting better. Not perfect, but better. And honestly? That’s the only thing that matters. Tech can’t save us. People can. Small steps, y’know?
Bill Pommier
It is an incontrovertible fact that the proliferation of cryptocurrency has created a regulatory vacuum of unprecedented magnitude. The assertion that North Korea is solely responsible for $5 billion in thefts is statistically unsound, as it fails to account for the complicity of centralized exchanges in enabling illicit flows through inadequate KYC protocols. Furthermore, the conflation of state-sponsored activity with general cybercriminality obscures the geopolitical calculus at play. One must interrogate not only the mechanism of theft, but the systemic enabling of anonymity through the very architecture of DeFi. This is not a cybersecurity issue. It is a governance failure.
Olivia Parsons
I’ve been a blockchain analyst for 8 years, and I can tell you-most people don’t realize how much of this is about timing. The Lazarus group doesn’t strike randomly. They wait until after a major update, when devs are tired, QA is rushed, and no one’s checking logs. That Ginco hack? They waited 11 weeks. They watched how the internal Slack channel worked. They learned who signed off on transactions. They didn’t need a zero-day exploit. They just needed to know when the guard was asleep. And honestly? That’s why training matters more than tech. If you teach people to pause, question, and verify-even when the message looks legit-you stop 90% of these attacks before they start.
Nick Greening
Okay but… what if the real story is that crypto isn’t untraceable at all? What if the fact that we can trace $1.5 billion back to a single group proves the blockchain is too transparent? What if the real solution isn’t more security-but less crypto? I mean, if every transaction is public, and every wallet is a fingerprint, then why are we still pretending this is a ‘private’ money system? It’s the ultimate paradox: we built a system that’s perfectly traceable… and then used it to hide money. That’s not innovation. That’s absurdity.
Jeffrey Dean
It’s not about the money. It’s about the symbolism. North Korea doesn’t need $5 billion. They need to prove they can outmaneuver the entire Western financial system. Every heist is a middle finger to the IMF, to SWIFT, to the dollar. They’re not stealing to survive. They’re stealing to declare war. And we’re sitting here talking about firewalls like it’s a tech problem. It’s not. It’s a psychological one. They’ve turned crypto into a battlefield. And we’re still using duct tape to patch the trenches.
Brian T
Why are we still surprised? We knew this was coming. We’ve had decades of warnings. Every time someone says ‘blockchain is immutable,’ someone else is already writing a script to exploit the human layer. It’s like building a vault with a glass door and then complaining when someone walks right in. The real tragedy? We could’ve fixed this. We had the tools. We just didn’t care enough to make people care. And now? We’re just watching the clock tick.
Nash Tree Service
The institutionalization of cyber warfare has reached a point of alarming normalization. The notion that a sovereign state would weaponize its cyber operatives to circumvent economic sanctions is not merely a matter of policy-it is an evolution of statecraft. The $5 billion figure is not a statistic; it is a metric of systemic vulnerability. The crypto industry, in its hubris, assumed that decentralization equated to invulnerability. It did not account for the fact that human beings, not machines, are the nodes that fail. The attack vectors are not technical. They are sociological. And until the industry begins to treat social engineering as the primary threat vector-not a footnote-it will continue to be outmaneuvered by adversaries who treat human weakness as a feature, not a bug.
Jane Darrah
Okay, I’m crying. Not because of the money. Because of the Ginco story. Imagine being that dev. You get a LinkedIn message. ‘Hey, we’re Ginco, we’re hiring! Take this test!’ You’re tired. You’ve been interviewing for 3 months. You’re just trying to get out of your apartment. You open the Python script. It’s just… a little script. You think, ‘It’s probably fine.’ And then? Two months later, $308 million vanishes. And you? You’re still scrolling through job listings. You didn’t mean to do it. You didn’t even know. And now? You’re the villain in every article. I just… I can’t. We’re all just one bad day away from being the reason the whole thing collapses.
Denise Folituu
Let’s be real-this isn’t about crypto. It’s about power. The U.S. and EU are scared because North Korea is proving that you don’t need a navy or an air force anymore. You just need a laptop and a LinkedIn account. And suddenly, the whole global order is vulnerable. We spent trillions building nuclear deterrents… and now the biggest threat to global stability is a 22-year-old hacker in Pyongyang who knows how to write a fake job test. It’s darkly hilarious. And terrifying. And honestly? We deserve it. We built this. We told everyone crypto was the future. Now we’re surprised when the future bites us?
jack carr
Just wanted to say-this was super eye-opening. I’ve been holding crypto for 5 years and never thought twice about LinkedIn DMs. Now I’m going to check every single one. Also, hardware wallet on order. Thanks for the wake-up call 🙏
Eva Gupta
As someone from India, I find this terrifying but also oddly familiar. We’ve been dealing with phishing scams for years-fake bank calls, fake government portals. The difference here? The stakes are global. And the attackers? They’re not some guy in a basement. They’re backed by a nation. I think the real lesson isn’t about crypto-it’s about how easily we trust digital identities. We’ve forgotten how to verify. We just click. And that’s the real vulnerability.
Nancy Jewer
The shift from technical to human-centric threat modeling is the most critical development in crypto security since the invention of the blockchain itself. We need to implement behavioral analytics on internal access patterns-not just firewall rules. We need to integrate psychological profiling into employee onboarding. And we need to treat social engineering not as an ‘edge case’ but as the primary attack surface. The fact that we’re still debating ‘multi-sig vs. biometrics’ while ignoring the human layer is not negligence-it’s institutional arrogance.
Julie Potter
Ugh, I’m so tired of people acting like this is new. I’ve been saying this since 2021: crypto is the perfect weapon for authoritarian regimes. No borders. No paper trail. No accountability. And we’re just sitting here like ‘oh look, someone hacked an exchange!’ Like, duh. Of course they did. The real question is: why are we still pretending this is a ‘market’ and not a battlefield? We need to stop calling it ‘crypto’ and start calling it ‘digital gold for dictators.’
prasanna tripathy
From India, I’ve seen how tech is used for both liberation and control. Crypto here is a lifeline for remittances, for small businesses, for people cut off from banks. But I also know how easily these tools can be turned against us. The real solution isn’t more security-it’s more education. Teach people-not just devs, but teachers, shopkeepers, grandmas-how to spot a fake job offer. Make it part of school curriculums. Because if we don’t, the next generation will inherit a world where trust is extinct.
Jonathan Chretien
It’s fascinating how we’ve elevated the ‘hacker’ to mythic status-like some digital ninja-but the truth is far more banal. They’re not geniuses. They’re bored office workers who know how to exploit human fatigue. The real innovation here isn’t the malware-it’s the *timing*. They strike on Friday afternoons. After lunch. During holidays. When no one’s watching. That’s not genius. That’s psychology. And if we’re going to fix this, we need to stop worshiping the hacker and start studying the human condition.
Bryanna Barnett
you know what's funny? we spent 20 years building this whole 'decentralized' thing... and the only thing that's centralized? the human brain. and it's the weakest link. like, imagine if the internet was built on trust instead of code. we'd be doomed. but we are. we're doomed. and we just keep clicking.