North Korean Crypto Hacks Drive Record $3.41B in Digital Asset Theft

CyberSecureFox 🦊

Global cryptocurrency theft surged to $3.41 billion over the past year, according to a new annual report from blockchain analytics firm Chainalysis. More than half of these losses are attributed to North Korea–linked hacking groups, underscoring how nation-state-backed actors have turned crypto exchanges and Web3 projects into a key funding channel.

North Korean Cryptocurrency Theft Reaches Unprecedented Levels

Chainalysis estimates that entities connected to the Democratic People’s Republic of Korea (DPRK) are responsible for at least $2.02 billion of the stolen digital assets. The report stresses that this is a conservative baseline; the true figure may be higher as attribution improves and additional wallets are linked to known threat clusters.

Even using the lower-bound estimate, DPRK-attributed theft shows an increase of more than 50% compared with the previous year, when North Korean operations netted roughly $1.3 billion. Over the last five years, Chainalysis calculates that North Korean hackers have stolen a minimum of $6.75 billion in cryptocurrency.

Multiple independent investigations, including reports from the United Nations Panel of Experts and the U.S. Treasury, have previously concluded that these funds are not primarily about enriching individuals: they are used to evade international sanctions and to finance state programs, including the country's weapons programs. Cryptocurrency theft is now a structural component of DPRK's broader illicit finance ecosystem, alongside traditional smuggling and fraud.

Bybit Breach Becomes Largest Crypto Exchange Hack in History

The single most damaging event in the reporting period was the February 2025 hack of cryptocurrency exchange Bybit, which resulted in nearly $1.5 billion in stolen funds. It is now the largest cryptocurrency heist on record by value.

Chainalysis links the intrusion to the TraderTraitor cluster, also tracked in threat intelligence sources as Jade Sleet and Slow Pisces. These operators are widely regarded as part of the broader Lazarus Group infrastructure, a long-standing DPRK advanced persistent threat (APT) collective implicated in numerous financial and espionage operations.

This single compromise accounted for more than 70% of the North Korea–attributed crypto haul over the last year, illustrating the trend toward fewer but significantly higher-value attacks targeting major centralized platforms.

Tactics of North Korean APT Groups Targeting Crypto and Web3

“Dream Job” Campaigns: Social Engineering and Targeted Malware

One of the most visible DPRK operations described by Chainalysis is the so‑called Dream Job campaign. Attackers approach employees and developers via LinkedIn, WhatsApp and other channels, posing as recruiters from global defense, aerospace, high‑tech, or chemical companies.

After building trust, the victim is sent “test assignments” or technical documentation that embeds malicious code. The report highlights several families of malware, including BURNBOOK, MISTPEN and BADCALL. Once executed, these tools provide persistent access to corporate workstations and internal networks.

Such access can be leveraged in multiple ways: data exfiltration (stealing sensitive source code, keys, and internal documents), credential harvesting for further lateral movement, and pre-positioning for future cryptocurrency theft by mapping wallet infrastructure and key management systems.
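The point of the test-assignment lure is that the victim runs code the attacker controls, often by simply installing the project's dependencies. A check worth running before anyone opens such a project, as an added example that is not drawn from the Chainalysis report: a small Python triage script that flags package-manager lifecycle hooks (which execute during `npm install`, before a reviewer has read a line of the code) and common in-file indicators such as eval of a decoded blob. The indicator list, the decision rule and the constructed sample repository are assumptions for illustration; they are not signatures for BURNBOOK, MISTPEN or BADCALL.

```python
"""Triage a recruiter-supplied coding "test assignment" before anyone runs it.

Added example, not code from the Chainalysis report. The indicators below are
generic heuristics (an assumption for illustration), not signatures for
BURNBOOK, MISTPEN or BADCALL, and the sample repository is constructed inline.
"""
import json
import re
import tempfile
from pathlib import Path

# npm runs these automatically during `npm install`, before a reviewer has read
# a single line of the project.  Assumed indicator list.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# In-file indicators.  Each pattern is paired with the label reported for it.
SUSPICIOUS_CODE = [
    (re.compile(r"\beval\s*\("), "eval() call"),
    (re.compile(r"\bnew\s+Function\s*\("), "Function constructor"),
    (re.compile(r"child_process|subprocess|os\.system"), "process spawn"),
    (re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), "long base64-like blob"),
    (re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"), "raw-IP URL"),
]
CODE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".py"}


def triage_repo(root):
    """Return a list of (relative_path, finding) pairs for the project at root."""
    root = Path(root)
    findings = []
    pkg = root / "package.json"
    if pkg.is_file():
        scripts = json.loads(pkg.read_text()).get("scripts", {})
        for hook, cmd in scripts.items():
            if hook in LIFECYCLE_HOOKS:
                findings.append(("package.json",
                                 f"lifecycle hook '{hook}' runs on install: {cmd}"))
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in CODE_SUFFIXES:
            continue
        text = path.read_text(errors="replace")
        rel = path.relative_to(root).as_posix()
        for pattern, label in SUSPICIOUS_CODE:
            if pattern.search(text):
                findings.append((rel, label))
    return findings


def verdict(findings):
    """Assumed decision rule: a lifecycle hook blocks installation outright;
    any other finding restricts execution to a disposable VM."""
    if any("lifecycle hook" in f for _, f in findings):
        return "BLOCK: do not install; inspect hooks first"
    if findings:
        return "REVIEW: run only in a disposable VM"
    return "NO INDICATORS: still run in a disposable VM"


def build_constructed_repo():
    """Constructed sample project (not a real campaign artifact): a harmless
    src/index.js next to a postinstall hook that evals a base64-decoded blob."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "package.json").write_text(json.dumps({
        "name": "coding-challenge",
        "scripts": {"test": "jest", "postinstall": "node ./scripts/setup.js"},
    }))
    (root / "scripts").mkdir()
    (root / "scripts" / "setup.js").write_text(
        "const b = '" + "QUJD" * 60 + "';\n"
        "eval(Buffer.from(b, 'base64').toString());\n")
    (root / "src").mkdir()
    (root / "src" / "index.js").write_text("module.exports = (a, b) => a + b;\n")
    return root


if __name__ == "__main__":
    repo = build_constructed_repo()
    for rel, finding in triage_repo(repo):
        print(f"{rel}: {finding}")
    print(verdict(triage_repo(repo)))
```

Static triage of this kind only narrows what gets opened on a workstation; it does not replace running the assignment inside a disposable VM with no access to corporate credentials or wallet infrastructure, which is the control the Dream Job playbook is actually designed to bypass.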

Wagemole: Covert Placement of DPRK IT Staff Inside Crypto Firms

The second major attack vector, labeled Wagemole by Chainalysis, focuses on embedding North Korean IT specialists as legitimate employees or contractors inside foreign companies, including crypto exchanges and Web3 startups.

To achieve this, threat actors rely on forged identities, fabricated résumés, and front companies such as DredSoftLabs and Metamint Studio. Once hired, these individuals can gradually obtain privileged access to critical systems: hot and warm wallets, key management systems, deployment pipelines and internal administration tools.

The report notes that the growing reliance on remote development teams and outsourced DevOps functions has created fertile ground for this tactic. Future large-scale thefts are likely to be increasingly tied to such long‑term insider compromises rather than purely external exploits.

Money Laundering: Mixers, Cross‑Chain Bridges and Asian OTC Networks

After draining funds from exchanges or DeFi protocols, DPRK-linked groups focus on laundering and obfuscating the origin of the stolen crypto. Chainalysis observes a sophisticated layering process involving cross‑chain bridges, cryptocurrency mixers, and specialized OTC (over‑the‑counter) brokers across the Asian region.

Chinese-language money transfer networks and platforms such as the Cambodia-based Huione feature prominently in these workflows. The laundering cycle typically unfolds in several stages: initial splitting of funds across numerous addresses, movement through mixers and cross-chain bridges onto other blockchains, consolidation into more liquid assets (stablecoins or major tokens), and eventual conversion into fiat currency.

On average, the full laundering chain lasts about 45 days, during which assets are repeatedly moved and transformed. This multi‑hop strategy significantly complicates tracing efforts for law enforcement and compliance teams, and it indicates deep integration of DPRK operators into broader criminal networks in the Asia‑Pacific region.
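The first stage of that chain, a drained address splitting most of its balance across many fresh addresses that then head for a bridge or mixer, is what near-real-time on-chain monitoring has to catch while the funds are still traceable. The following is an added example, not Chainalysis code or methodology: a Python heuristic that flags an address which fans out at least a set share of what it received to many distinct addresses inside a short window, then follows the children forward to count how many hops land on addresses labelled as bridges or mixers, and scores the result. The transfer records, the address label set, the thresholds and the score weights are constructed assumptions; real monitoring would draw on a maintained label feed and a chain indexer rather than an in-memory list.

```python
"""Heuristic detector for the fan-out-then-bridge layering pattern.

Added example, not Chainalysis code or methodology.  Transfers, labels,
thresholds and score weights are constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    ts: int        # unix seconds
    src: str
    dst: str
    amount: float  # single asset, same unit throughout (assumption)


# Assumed label set: in practice maintained from analytics vendor feeds.
LABELS = {
    "0xbridge": "bridge",
    "0xmixer": "mixer",
    "0xexchange_hot": "exchange_hot_wallet",
}


def fan_out_events(transfers, min_children=5, window=6 * 3600, min_share=0.8):
    """Find addresses that split at least min_share of their total inflow
    across at least min_children distinct addresses within window seconds.
    Returns (src, children, first_ts) tuples, one per flagged address."""
    by_src = defaultdict(list)
    inflow = defaultdict(float)
    for t in sorted(transfers, key=lambda t: t.ts):
        by_src[t.src].append(t)
        inflow[t.dst] += t.amount
    events = []
    for src, outs in by_src.items():
        if inflow[src] <= 0:
            continue  # never received anything: not a laundering hop
        for i, first in enumerate(outs):
            in_window = [o for o in outs[i:] if o.ts - first.ts <= window]
            children = {o.dst for o in in_window}
            sent = sum(o.amount for o in in_window)
            if len(children) >= min_children and sent >= min_share * inflow[src]:
                events.append((src, children, first.ts))
                break
    return events


def downstream_labels(transfers, addresses, max_hops=2):
    """Follow funds forward from addresses for up to max_hops and count how
    many edges land on a labelled address (bridge, mixer, ...)."""
    adj = defaultdict(set)
    for t in transfers:
        adj[t.src].add(t.dst)
    frontier, seen, hits = set(addresses), set(addresses), defaultdict(int)
    for _ in range(max_hops):
        nxt = set()
        for a in frontier:
            for b in adj[a]:
                if b in LABELS:
                    hits[LABELS[b]] += 1
                elif b not in seen:
                    nxt.add(b)
        seen |= nxt
        frontier = nxt
    return dict(hits)


def layering_alerts(transfers):
    """Combine both signals into scored alerts.  Weights are assumptions."""
    alerts = []
    for src, children, ts in fan_out_events(transfers):
        hits = downstream_labels(transfers, children)
        score = len(children) + 2 * hits.get("bridge", 0) + 3 * hits.get("mixer", 0)
        alerts.append({"origin": src, "ts": ts, "children": len(children),
                       "downstream": hits, "score": score})
    return alerts


def constructed_transfers():
    """Constructed batch: a hot wallet sends 1000 to 0xdrain, which splits it
    six ways within an hour; four pieces go to a bridge and one to a mixer.
    Background noise: a payroll wallet paying eight addresses a small share
    of its balance, which must not be flagged."""
    t0 = 1_700_000_000
    txs = [Transfer("t0", t0, "0xexchange_hot", "0xdrain", 1000.0)]
    txs += [Transfer(f"s{i}", t0 + 600 * (i + 1), "0xdrain", f"0xchild{i}", 160.0)
            for i in range(6)]
    txs += [Transfer(f"b{i}", t0 + 7200 + 300 * i, f"0xchild{i}", "0xbridge", 160.0)
            for i in range(4)]
    txs.append(Transfer("m4", t0 + 9000, "0xchild4", "0xmixer", 160.0))
    txs.append(Transfer("p0", t0, "0xfunder", "0xpayroll", 5000.0))
    txs += [Transfer(f"p{i + 1}", t0 + 100 * i, "0xpayroll", f"0xemp{i}", 100.0)
            for i in range(8)]
    return txs


if __name__ == "__main__":
    for alert in layering_alerts(constructed_transfers()):
        print(alert)
```

The share threshold is what separates a drain from ordinary high-fan-out activity such as payroll or exchange withdrawals, which send many small transfers but never move most of a balance at once; the forward walk to labelled infrastructure is what turns a fan-out into an actionable alert rather than a statistic.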

Implications for Crypto Exchanges and Web3 Cybersecurity

The Chainalysis data confirms that threats to the crypto sector are evolving from isolated technical exploits to long‑running, multi‑stage operations that combine social engineering, insider access and advanced money‑laundering techniques. For exchanges, custodians and Web3 projects, this demands a shift in cybersecurity strategy.

Priority measures now include rigorous personnel and contractor screening, especially for remote developers and administrators; strict infrastructure segmentation and enforcement of the principle of least privilege; continuous monitoring of anomalous access to wallets, key stores and admin consoles; and active use of blockchain analytics to detect suspicious on‑chain activity in near real time.

Equally important is ongoing security awareness training focused on social engineering and fake recruitment approaches, as well as mature incident response and threat intelligence sharing with global investigative and analytical organizations.

The evidence presented by Chainalysis indicates that attacks on crypto exchanges and Web3 services will remain a core funding mechanism for state‑aligned threat actors. Market participants that treat DPRK APT groups as strategic, nation‑state adversaries—and invest accordingly in people, processes and technology—will be far better positioned to mitigate the financial and reputational damage from the next wave of large‑scale crypto hacks.
