Elliptic analysts called this figure a record

North Korean hackers stole $2 billion in cryptocurrency

08.10.2025 - 10:00

Key points:

  • Analytics company Elliptic reported that hackers linked to the North Korean government stole over $2 billion in cryptocurrency in 2025.
  • Most of the amount came from the hack of the Bybit exchange, where the attackers withdrew $1.46 billion.
  • Experts note that hackers are increasingly using social engineering and complex laundering schemes to cover up their crimes.

According to analytics company Elliptic, hackers working for the North Korean government have stolen more than $2 billion in cryptocurrency since the beginning of the year. Elliptic published a report on its blog with a new estimate, which is the “largest annual total on record.” The estimate is based on an analysis of more than 30 hacks this year.

Experts say the amount has nearly tripled compared to 2024 and significantly exceeded the previous record of $1.35 billion set in 2022. At that time, the main damage was caused by attacks on the Ronin Network and Harmony Bridge. Elliptic clarified:

“We are aware of many other thefts that share some of the hallmarks of North Korea-linked activity but lack sufficient evidence to be definitively attributed. Other thefts are likely unreported and remain unknown.”

Source: Elliptic

Most of the record amount attributed to North Korean hackers in 2025 came from the Bybit hack in February, when hackers stole $1.46 billion.

Other confirmed incidents include attacks on LND.fi, WOO X, Seedify, and the Taiwanese exchange BitoPro, from which Lazarus withdrew $11 million.

Features of the hacks

Elliptic notes that in 2025, hackers changed their approach: instead of attacking DeFi infrastructure, they increasingly targeted the accounts of wealthy users and exchange employees. Their main weapon is social engineering, which is gradually replacing the exploitation of technical vulnerabilities.

Money laundering strategies have also evolved under pressure from regulators, blockchain analysis companies, and law enforcement agencies.

Attackers are using increasingly sophisticated tax evasion tactics, including multiple mixing and cross-chain transfers, the use of little-known blockchains, the purchase of utility tokens, the use of refund addresses, or the use of custom tokens issued by money laundering networks.

Despite this, Elliptic emphasizes that blockchain transparency still helps law enforcement agencies track stolen funds and identify participants in schemes.
