North Korean Crypto Theft Hits Record $2B in 2025: Elliptic Analysis and Security Guidance

CyberSecureFox 🦊

Blockchain analytics firm Elliptic estimates that North Korea–linked threat actors stole more than $2 billion in cryptocurrency during the first nine months of 2025—an all-time high. Cumulative, confirmed losses attributed to DPRK operators have now surpassed $6 billion. As noted in multiple United Nations and U.S. government reports, proceeds from these operations are believed to support North Korea’s weapons programs.

Scale and trajectory of DPRK crypto attacks

The 2025 tally is nearly three times higher than 2024 levels and exceeds the prior annual record of $1.35 billion set in 2022, a year marked by major compromises such as the Ronin Network bridge and Harmony’s cross-chain bridge. Elliptic stresses that its figure is conservative: some incidents remain undetected or insufficiently corroborated for final attribution.

Major 2025 incidents driving losses

Bybit breach underscores centralized exchange concentration risk

The year’s largest single event was the February 2025 compromise of Bybit, with about $1.46 billion siphoned. While technical specifics have not been fully disclosed, the incident highlights systemic risks posed by asset concentration on centralized platforms and the need for strong private key governance, segregation of duties, and rigor in withdrawal workflows.

Broader campaign activity across infrastructure and users

Elliptic links roughly 30 theft incidents in 2025 to DPRK-aligned groups. Notable cases include attacks on LND.fi, WOO X, Seedify, and Taiwan-based exchange BitoPro, where the Lazarus Group reportedly stole about $11 million. The victim set is expanding from smart contracts and bridges to centralized service providers and high-balance individuals.

Tactics shift: from DeFi exploits to social engineering

Attackers are increasingly prioritizing social engineering over pure protocol exploits. Campaigns target employees at crypto firms and private holders with sizable balances through phishing, fake job offers, malicious “investment” files, and workstation compromises. This approach reduces reliance on rare code-level vulnerabilities and weaponizes the human factor as the primary intrusion vector.

Laundering evolution: mixers, cross-chain mobility, and low-visibility networks

Elliptic observes multi-stage laundering pipelines involving sequential use of multiple mixers, aggressive cross-chain transfers, and movement to less-trafficked blockchains. Threat actors purchase utility tokens to obfuscate flows, exploit “refund addresses,” and mint custom tokens as part of layering. Following sanctions against Blender (2022), Tornado Cash (2022), and Sinbad (2023) by the U.S. Treasury’s OFAC, adversaries are fragmenting cashouts and blending illicit flows with legitimate services to frustrate tracing.

Risk mitigation for exchanges, DeFi projects, and investors

For exchanges and custodians, priority controls include strong key management and segregation, MPC wallets, multi-person and risk-based withdrawal approvals, allowlists, and anomaly-based withdrawal monitoring. Integrating on-chain analytics and sanctions screening into transaction monitoring, along with regular red-team exercises and incident response drills, materially raises the bar for attackers.

DeFi protocols should emphasize third-party audits, formal verification where feasible, bridge caps and withdrawal rate limits, and circuit breakers with clear, pre-approved restart procedures. Privileged operations must be protected by time locks and community-visible governance to limit blast radius.
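As an added illustration (not code from Elliptic, this article, or any named exchange), the Python sketch below composes the controls described above for exchanges and protocols, an allowlist, a per-withdrawal cap, a rolling-window circuit breaker, a multi-person approval threshold, and a screening-list check, into one withdrawal policy decision. All addresses, amounts, timestamps and thresholds are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Withdrawal:
    ts: datetime
    account: str
    dest: str          # destination address (constructed placeholders below)
    amount_usd: float
    approvals: int     # distinct human approvers already recorded

@dataclass
class Policy:
    allowlist: set                     # pre-registered destination addresses
    screening_hits: set                # addresses flagged by sanctions/analytics screening
    single_tx_cap: float = 250_000.0   # per-withdrawal ceiling without escalation
    window: timedelta = timedelta(hours=24)
    window_cap: float = 1_000_000.0    # rolling-window ceiling (circuit breaker)
    escalate_above: float = 100_000.0  # amount that requires multi-person approval
    min_approvals: int = 2

def evaluate(policy: Policy, history: list, w: Withdrawal):
    """Return (decision, reasons). history holds previously released withdrawals."""
    if w.dest in policy.screening_hits:
        return "BLOCK", ["destination matched screening list"]
    reasons = []
    if w.dest not in policy.allowlist:
        reasons.append("destination not on allowlist")
    if w.amount_usd > policy.single_tx_cap:
        reasons.append("exceeds single-withdrawal cap")
    recent = sum(h.amount_usd for h in history
                 if h.account == w.account and timedelta(0) <= w.ts - h.ts <= policy.window)
    if recent + w.amount_usd > policy.window_cap:
        reasons.append("rolling-window cap exceeded; circuit breaker tripped")
    if w.amount_usd > policy.escalate_above and w.approvals < policy.min_approvals:
        reasons.append(f"needs {policy.min_approvals} approvers, has {w.approvals}")
    return ("HOLD" if reasons else "ALLOW"), reasons

def run_sample():
    """Constructed sample data: one prior withdrawal, then three new requests."""
    t0 = datetime(2025, 10, 1, 12, 0)
    policy = Policy(allowlist={"addr_allow_1"}, screening_hits={"addr_flagged_1"})
    history = [Withdrawal(t0 - timedelta(hours=3), "treasury", "addr_allow_1", 800_000.0, 2)]
    requests = [
        Withdrawal(t0, "treasury", "addr_allow_1", 50_000.0, 1),     # routine, allowlisted
        Withdrawal(t0, "treasury", "addr_flagged_1", 10_000.0, 2),   # screening hit
        Withdrawal(t0, "treasury", "addr_unknown_9", 300_000.0, 1),  # new destination, large
    ]
    return [evaluate(policy, history, r) for r in requests]
```

A HOLD result is the queue a human reviewer works from; only the screening hit is rejected outright, so an operator can see every reason a request tripped before deciding.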

Private investors can reduce exposure to social engineering by favoring hardware wallets and cold storage, verifying domains and contract addresses before signing, avoiding untrusted software, segregating “cold” and operational devices, and treating unexpected “refunds” or “airdrops” as potential triggers for wallet drainers.

The record 2025 losses point to well-resourced DPRK operators and ongoing weaknesses across crypto infrastructure and user practices. Sustained progress depends on disciplined key governance, workforce security awareness, proactive on-chain monitoring, and close coordination with law enforcement and blockchain analytics providers. Regularly updating threat models and sharing indicators of compromise across the ecosystem will help defenders stay ahead of evolving tactics.
