
North Korean Crypto Heists Reach Unprecedented Levels in 2024, According to Chainalysis Report


CyberSecureFox Editorial Team


Chainalysis’s latest cybersecurity report reveals an alarming surge in North Korean cryptocurrency heists, with threat actors stealing an unprecedented $1.34 billion through 47 separate attacks in 2024. This figure represents 61% of all cryptocurrency theft this year and marks a 21% increase from 2023, highlighting the increasing technical capability and persistence of state-sponsored cyber operations. The FBI Cyber Division has attributed many of these attacks to North Korean state-sponsored groups including Lazarus Group and TraderTraitor.

Unprecedented Scale of Cryptocurrency Attacks in 2024

While North Korean hackers have set a new record for their operations, the overall cryptocurrency theft landscape shows interesting patterns. The total amount stolen across all threat actors hasn’t exceeded the 2022 peak of $3.7 billion. Analysis reveals 303 security incidents in 2024, with a significant concentration (72%) occurring between January and July, indicating a strategic shift in attack timing.

Major Security Breaches and Attack Vectors

Two devastating attacks dominated the 2024 crypto theft landscape: the DMM Bitcoin exchange breach in May ($305 million) and the WazirX compromise in July ($235 million). A concerning trend emerged in the attack methodologies, with 44% of losses attributed to private key compromises, while technical vulnerability exploits accounted for only 6.3% of stolen funds. North Korean operatives increasingly pose as remote IT workers or use fake job recruitment campaigns to gain insider access.

Strategic Evolution of North Korean Cyber Operations

The dramatic evolution in North Korean hacking strategies is evident in the numbers: from 20 successful attacks totaling $660.50 million in 2023 to 47 incidents yielding $1.34 billion in 2024 — a staggering 102.88% increase. Notably, these threat actors have diversified their targeting approach, pursuing both high-value exchanges and smaller operations, with some attacks yielding as little as $10,000. Stolen funds are routinely laundered through mixers and chain-hopping before being converted to fiat currency.

Who Is at Risk

Cryptocurrency exchanges, DeFi protocols, and Web3 developers are the primary targets of North Korean state-sponsored hackers. However, individual investors with significant holdings and companies conducting cryptocurrency transactions are also targeted. Particularly vulnerable are organizations that:

  • Store private keys in hot wallets connected to the internet
  • Use centralized exchange accounts with weak multi-factor authentication
  • Hire remote developers without thorough background checks
  • Operate DeFi smart contracts without independent security audits

What Crypto Organizations and Users Should Do

  • Store the majority of digital assets in hardware (cold) wallets and use multi-signature schemes for large transfers
  • Enforce hardware-based MFA (FIDO2/YubiKey) on all exchange and admin accounts — avoid SMS-based 2FA
  • Conduct mandatory background and identity verification for all remote developers with access to wallets or private key infrastructure
  • Engage independent auditors to review smart contract code before deployment and after any major update
  • Monitor on-chain activity for anomalous large transfers and integrate threat intelligence feeds from FBI advisories on North Korean crypto threats
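The monitoring item above can be sketched as a small triage routine. This is an added example, not code from Chainalysis or the article: it flags outbound transfers from a monitored wallet when the amount exceeds a robust baseline (median plus a multiple of the median absolute deviation) or the destination appears on a threat-intelligence watchlist. All addresses, amounts, and the watchlist entry are constructed placeholders, and the factor k=6 is an assumed tuning value.

```python
from statistics import median

# Constructed sample data. Addresses and amounts are invented placeholders;
# a real watchlist would be loaded from a threat-intelligence feed.
WATCHLIST = {"0xWATCHLISTED_PLACEHOLDER"}
HISTORY = [12.0, 9.5, 15.0, 11.0, 14.2, 10.3, 13.1, 8.9, 12.7, 11.8]  # past outbound amounts
NEW_TRANSFERS = [
    {"tx": "tx-001", "to": "0xCUSTOMER_A", "amount": 13.4},
    {"tx": "tx-002", "to": "0xUNKNOWN_B", "amount": 480.0},
    {"tx": "tx-003", "to": "0xwatchlisted_placeholder", "amount": 2.0},
    {"tx": "tx-004", "to": "0xCUSTOMER_C", "amount": 19.0},
]


def robust_threshold(history, k=6.0):
    """Median + k * MAD: a size limit that a few past outliers cannot inflate."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med + k * max(mad, 1e-9)  # guard against a zero MAD on flat history


def triage(transfers, history, watchlist):
    """Return (tx, reasons) for every transfer that needs human review."""
    limit = robust_threshold(history)
    # Hex addresses are case-insensitive, so compare in lower case.
    watch = {a.lower() for a in watchlist}
    alerts = []
    for t in transfers:
        reasons = []
        if t["to"].lower() in watch:
            reasons.append("destination on threat-intel watchlist")
        if t["amount"] > limit:
            reasons.append(f"amount {t['amount']} exceeds baseline limit {limit:.1f}")
        if reasons:
            alerts.append((t["tx"], reasons))
    return alerts


if __name__ == "__main__":
    for tx, reasons in triage(NEW_TRANSFERS, HISTORY, WATCHLIST):
        print(tx, "->", "; ".join(reasons))
```

The watchlist check runs regardless of size, so a small transfer to a listed address is still flagged.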

This unprecedented surge in cryptocurrency theft necessitates immediate action from industry stakeholders. The cryptocurrency sector must prioritize cybersecurity investments and adopt proactive defense strategies to counter the evolving threats posed by sophisticated state-sponsored actors.

