North Korean hackers are currently the main threat to the cryptocurrency market, as they have managed to automate and streamline the theft of digital assets.

The Year of the DPRK: everything you need to know about North Korean hacker groups

29.10.2025

The year 2025 has become a landmark year for the security of the crypto industry. Many realized the real threat posed by North Korean hacker groups. GetBlock AML Research summarizes the activities of hackers from North Korea and reveals the main schemes they use.

1. Cryptocurrency thefts have become widespread

North Korea stole approximately $2.8 billion in cryptocurrencies between January 2024 and September 2025 alone. The most high-profile case was the $1.5 billion hack of the Bybit exchange in February by a group of hackers linked to the North Korean government. Unlike ordinary cybercriminals, who attempt to conceal their tracks, North Korean participants almost openly transfer stolen funds between different cryptocurrencies and blockchains, as if they are confident that no one will stop them.

How to launder $1.5 billion worth of crypto in 5 easy steps. Lazarus Group case

Crypto exchange Bybit managed to block only $42.8 million. This is less than 3% of the total value of stolen assets.

2. Money laundering schemes are expanding

Stolen funds are taking increasingly convoluted paths: specialized services are used to obscure the trail of transactions, along with intermediaries operating in different countries. Particularly alarming is the strengthening of North Korean ties with criminal groups in Russia and Cambodia, as well as the circumvention of sanctions through bank cards and intermediaries in Hong Kong. These schemes complicate the search for and recovery of funds, but still leave a chance to stop the operations.

Visualization: Chainalysis

Cryptocurrency laundering scheme used by North Korean hackers

3. Attack methods are becoming more sophisticated

Phishing emails are still being used, but they are no longer the main focus. Hackers are increasingly attacking software providers and companies that store other people’s crypto assets. In other words, there is a shift from random thefts to targeted attacks on key infrastructure, which makes their strategy much more dangerous.

4. Working “under a false name” — a new source of income

Previously, this seemed like a minor scheme, but now it has turned into a global business. North Korean IT specialists get jobs at foreign companies under fictitious names and earn between $3,500 and $10,000 per month, with the best earning up to $100,000. They work mainly from China and Russia, creating dozens of fake identities and targeting companies in important industries: artificial intelligence, blockchain, and defense technologies. Increasing attention is being paid to firms in Germany, Portugal, and the UK.

North Korean hackers hacked the creator of the Pepe meme. How it happened

The attackers released an unlimited number of Replicandy, Peplicator, Hedz, and Zogz NFT game projects

5. North Korea’s goal is not just money

The worst thing is that the stolen funds are being used to develop weapons. This money is used to purchase equipment and components for missile systems. At the same time, hackers are hunting for data on chip production, uranium processing, and missile technology. This creates a dangerous link between money theft, espionage, and military projects.

What does this mean?

North Korean cyber operations are no longer just crime for profit, but a multi-level strategy combining:

  • financial theft
  • technological espionage
  • development of military capabilities

Countering this requires a comprehensive approach. Companies are advised to:

  • strengthen the screening of IT specialists before hiring
  • implement modern security systems
  • monitor large transactions and suspicious operations
  • conduct regular data protection audits

It is especially important to monitor cryptocurrency transactions, as North Korea is now actively targeting specific industries and regions.
