North Korea’s crypto hacker groups drove much of 2025’s record thefts (~$2.7B)

In 2025, cyber operations tied to North Korea were the dominant force behind global cryptocurrency heists, responsible for roughly $2 billion of the year's losses and for some of the single largest thefts on record. These state-linked actors have refined a playbook that couples high-skill intrusions with sophisticated laundering networks, and their activity forced industry and governments to respond with advisories, sanctions and criminal attributions.


1) The scale of 2025’s problem — headline numbers

  • Multiple blockchain-intelligence firms and reporting outlets put total crypto thefts in 2025 at about $2.7 billion. Press coverage and industry data alike note that a handful of very large thefts pushed the total to that record level.
  • Chainalysis and other firms report that North Korea-linked actors stole roughly $2.02 billion in 2025, about three-quarters of the year's total, so DPRK-affiliated groups account for the majority of losses from major service compromises that year. That figure also pushed North Korea's cumulative haul since trackers began to roughly $6.75 billion.

These numbers matter not only because they are large, but because they reflect a strategic shift: fewer incidents, but much larger single heists. The trend is attributed to state-level resources and deliberate targeting of high-value infrastructure.


2) Who are the groups linked to Pyongyang?

Cybersecurity vendors, law-enforcement and sanctions agencies use several names for DPRK cyber actors, and private firms often map these to overlapping clusters:

  • Lazarus Group (overlapping with APT38 and, in some US government reports, TraderTraitor): the long-standing umbrella name used in attribution for destructive attacks, espionage, financial heists and ransomware activity. US agencies and security vendors have repeatedly tied Lazarus to major crypto thefts.
  • BlueNoroff: historically associated with financially motivated intrusions against banks and crypto services; often treated as a Lazarus subset focused on financial operations.
  • Other named clusters and aliases: Andariel, TraderTraitor (used in some FBI advisories) and assorted internal labels used by private firms. Attribution names vary, but the operational overlap and state control are consistent across public analyses.

3) How they steal — tactics, techniques and procedures

DPRK-linked actors blend a wide toolkit that targets both technical weaknesses and human and organizational gaps:

  • Targeting centralized services and bridges. Exchange infrastructure and cross-chain bridges handle vast liquidity, so compromising them yields outsized returns. The largest 2025 thefts hit service-level infrastructure.
  • Supply-chain and insider-style infiltration. Security firms have documented campaigns in which operators pose as IT contractors, post fake job offers, or social-engineer executives to obtain privileged access, a route that sidesteps much of the technical hardening around high-value systems.
  • Tailored malware and exploits. Where social engineering alone does not deliver the needed access, custom tooling and zero-day exploitation are used to bypass controls, extract signing keys, or initiate fraudulent withdrawals. Historic Lazarus activity includes custom tooling adapted to financial targets.
  • Operational security in the cash-out phase. Funds are routed through many chains, mixers, bridges and intermediaries, and the actors reportedly work with or coerce brokers in opaque OTC markets to convert crypto to fiat, which complicates tracing and recovery.

4) Notable 2025 incidents

  • Bybit breach (~$1.4–1.5 billion): the single largest compromise of the year, at a major exchange, was attributed by law enforcement and industry trackers to DPRK-linked actors, making it one of the largest crypto heists in history and the main driver of the year's total. The FBI issued a PSA linking the theft to DPRK activity.
  • Other large service compromises: Chainalysis and TRM documented multiple high-value service compromises that together account for the majority of 2025's service-related losses; private reporting indicates DPRK-linked activity was the lead contributor.

(Exact incident counts and per-case attributions vary between trackers. Chainalysis relies on on-chain evidence and behavioral patterns, while law enforcement may also draw on classified signals for attribution.)


5) How stolen funds are laundered and turned into usable value

After theft, the key task is turning crypto into spendable value without triggering sanctions or seizures. Observed mechanisms include:

  • Tumbling and chain-hopping: mixing services and cross-chain bridges complicate tracing; funds are split across many wallets and moved between chains to obscure their origin and dilute the taint an analyst can follow.
  • OTC brokers and underground exchanges: blockchain firms tracking DPRK activity note frequent use of underground brokers, often in jurisdictions with weak enforcement, to swap tainted tokens for fiat or other assets. Some reporting points to broker networks in China and other regions used for cash-out.
  • Front companies and traditional laundering: intercepted flows suggest coordination with shell companies and bank networks to integrate proceeds, which is why sanctions and FBI rewards have been issued against identified launderers.
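The following is an added example, not code from the original article or from any tracking firm: a small "haircut" taint tracer that follows a constructed theft through splits, a bridge and a mixer, then screens two watchlisted cash-out points. All addresses, chains, amounts and the bridge/mixer topology are fabricated; the proportional taint model and the watchlist are simplifying assumptions, not a description of how Chainalysis or TRM actually attribute flows.

```python
"""Haircut-style taint tracing over a constructed multi-chain ledger.

Every address, chain and amount below is fabricated for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Transfer:
    ts: int        # ordering key (block time); taint must be propagated in this order
    chain: str
    src: str
    dst: str
    amount: float


@dataclass
class Exposure:
    total_in: float = 0.0
    tainted_in: float = 0.0
    hops: Optional[int] = None   # shortest path length from a theft-origin address

    @property
    def fraction(self) -> float:
        return self.tainted_in / self.total_in if self.total_in else 0.0


# Constructed ledger: a 1000-unit theft split in two, one half bridged and mixed,
# the other sent straight to an exchange deposit address.
THEFT_ORIGIN = {"eth:victim-hot-wallet"}
BRIDGE_LINKS = {"eth:bridge-deposit": "bridge:eth->btc"}   # deposit addr -> release pseudo-sender
WATCHLIST = {"btc:otc-desk-deposit": "OTC desk", "eth:exchange-deposit": "exchange"}
LEDGER = [
    Transfer(1, "eth", "eth:victim-hot-wallet", "eth:attacker-1", 1000.0),
    Transfer(2, "eth", "eth:attacker-1", "eth:attacker-2", 600.0),
    Transfer(2, "eth", "eth:attacker-1", "eth:attacker-3", 400.0),
    Transfer(3, "eth", "eth:attacker-2", "eth:bridge-deposit", 600.0),
    Transfer(4, "btc", "bridge:eth->btc", "btc:attacker-4", 600.0),      # bridge release
    Transfer(5, "btc", "btc:attacker-4", "btc:mixer-pool", 600.0),
    Transfer(5, "btc", "btc:clean-user", "btc:mixer-pool", 1400.0),      # unrelated deposit
    Transfer(6, "btc", "btc:mixer-pool", "btc:payout-a", 1000.0),
    Transfer(6, "btc", "btc:mixer-pool", "btc:payout-b", 1000.0),
    Transfer(7, "btc", "btc:payout-a", "btc:otc-desk-deposit", 1000.0),
    Transfer(8, "eth", "eth:attacker-3", "eth:exchange-deposit", 400.0),
]


def trace(ledger: Iterable[Transfer], origins: set, bridge_links: Dict[str, str]) -> Dict[str, Exposure]:
    """Propagate taint proportionally: each outflow carries the sender's tainted share.

    A bridge deposit address and its release pseudo-sender share one Exposure object,
    so taint crosses chains with the funds. Processing strictly in time order matters:
    the mixer's payouts are tainted by whatever fraction of its pool was dirty when they left.
    """
    exposures: Dict[str, Exposure] = defaultdict(Exposure)
    for origin in origins:
        exposures[origin].hops = 0
    for deposit_addr, release_sender in bridge_links.items():
        exposures[release_sender] = exposures[deposit_addr]   # alias the two sides of the bridge
    for t in sorted(ledger, key=lambda x: x.ts):
        src = exposures[t.src]
        frac = 1.0 if t.src in origins else src.fraction
        tainted = t.amount * frac
        dst = exposures[t.dst]
        dst.total_in += t.amount
        dst.tainted_in += tainted
        if tainted > 0 and src.hops is not None and (dst.hops is None or src.hops + 1 < dst.hops):
            dst.hops = src.hops + 1
    return exposures


def screen_exit_points(exposures, watchlist, min_fraction=0.05) -> List[Tuple]:
    """Flag watchlisted cash-out points whose inflow carries a material tainted share."""
    hits = []
    for addr, label in watchlist.items():
        e = exposures.get(addr)
        if e is not None and e.fraction >= min_fraction:
            hits.append((addr, label, round(e.tainted_in, 2), round(e.fraction, 4), e.hops))
    return sorted(hits)


if __name__ == "__main__":
    exp = trace(LEDGER, THEFT_ORIGIN, BRIDGE_LINKS)
    for addr, label, tainted, frac, hops in screen_exit_points(exp, WATCHLIST):
        print(f"{label:9s} {addr:24s} tainted={tainted:7.2f} share={frac:.0%} hops={hops}")
```

Two things the run makes visible that the prose only states: the mixer dilutes the stolen share from 100% to 30% before it reaches the OTC desk, so a screening threshold set too high would let that leg through, and the hop count grows with every wallet and bridge crossing, which is exactly the cost the chain-hopping is meant to impose on the analyst. Real tracing also has to cope with gaps in the ledger, token swaps and exchange-internal ledgers, none of which this toy handles.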

6) Attribution, government response and enforcement

  • Public attributions and advisories: US agencies (FBI, CISA, Treasury/OFAC) have publicly attributed earlier high-profile crypto thefts to DPRK groups and maintain advisories on their tactics and indicators. The FBI used the TraderTraitor label in at least one 2025 PSA tied to a large theft.
  • Sanctions and indictments: OFAC and other agencies have sanctioned groups and individuals tied to DPRK cyber activity for years, and enforcement continues to broaden as trackers produce blockchain evidence.
  • Industry defenses: exchanges, custodians and DeFi projects accelerated security hardening, bug bounties and KYC/AML scrutiny. Attackers, however, are shifting to fewer, bigger attacks, which is a harder problem for defenders.

7) Why this matters — strategic and geopolitical consequences

  • Financing of state priorities. Multiple public reports and sanctions link stolen crypto to the regime’s ability to fund weapons and sanctioned programs — turning cybercrime into state revenue. That creates both security and diplomatic problems.
  • Normalization of state-backed cybercrime. When a national actor weaponizes crime for revenue, it blurs lines between espionage, crime and warfare — complicating deterrence and legal responses.
  • Risk to market trust. Large breaches of exchanges and bridges undermine confidence in custodial services and cross-chain infrastructure, magnifying regulatory and user backlash.

8) Recommendations

For exchanges, custodians and blockchain projects:

  1. Harden supply-chain and insider vectors: vet contractors, restrict and monitor admin access, and enforce strong SSO and key-management safeguards (such as multi-party approval of withdrawals).
  2. Rapid, transparent incident response: proactively share IOCs (indicators of compromise), including attacker wallet addresses, with blockchain analysts and law enforcement so funds can be flagged before they are cashed out.
  3. Strengthen KYC/AML and counterparty due diligence — especially for OTC desks and broker relationships that can be exploited to launder funds.
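As an added illustration of the key-management and access controls in recommendation 1 (not code from the article or from any exchange), the block below evaluates withdrawal requests against a constructed policy: allowlisted destinations with a time-lock on newly added ones, per-transaction and rolling 24-hour limits, and approval by two distinct hardware-backed signers other than the requester. The policy, limits, principal names and request data are all hypothetical.

```python
"""Withdrawal authorization policy for a custodial hot wallet (constructed example).

The control set, names and limits are hypothetical; they illustrate the kind of
checks that stop a single compromised operator or stolen session from draining funds.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

DAY = 24 * 3600


@dataclass
class Approval:
    approver: str
    method: str            # "hw-key" = hardware-backed signer; anything else is rejected


@dataclass
class Withdrawal:
    req_id: str
    requester: str
    destination: str
    amount: float
    ts: int
    approvals: List[Approval] = field(default_factory=list)


@dataclass
class Policy:
    allowlist: Dict[str, int]                  # destination -> time it was allowlisted
    allowlist_cooldown: int = DAY              # freshly added destinations are time-locked
    per_tx_limit: float = 150.0
    daily_limit: float = 250.0                 # rolling 24h sum of approved withdrawals
    min_approvers: int = 2
    allowed_methods: FrozenSet[str] = frozenset({"hw-key"})


def evaluate(req: Withdrawal, policy: Policy, history: List[Withdrawal]) -> Tuple[bool, List[str]]:
    """Return (approved, reasons). `history` holds earlier approved withdrawals."""
    reasons: List[str] = []
    added = policy.allowlist.get(req.destination)
    if added is None:
        reasons.append("destination not allowlisted")
    elif req.ts - added < policy.allowlist_cooldown:
        reasons.append("destination allowlisted too recently (time-lock)")
    if req.amount > policy.per_tx_limit:
        reasons.append("exceeds per-transaction limit")
    recent = sum(h.amount for h in history if 0 <= req.ts - h.ts < DAY)
    if recent + req.amount > policy.daily_limit:
        reasons.append("exceeds rolling 24h limit")
    approvers = set()
    for a in req.approvals:
        if a.approver == req.requester:
            reasons.append("requester cannot approve own request")
        elif a.method not in policy.allowed_methods:
            reasons.append(f"approval by {a.approver} used non-hardware method {a.method}")
        else:
            approvers.add(a.approver)      # a set: the same person twice counts once
    if len(approvers) < policy.min_approvers:
        reasons.append(f"need {policy.min_approvers} distinct approvers, have {len(approvers)}")
    reasons = list(dict.fromkeys(reasons))   # drop duplicates, keep order
    return (not reasons, reasons)


# Constructed policy state and requests (all names and values hypothetical).
NOW = 100_000
POLICY = Policy(allowlist={"dst:treasury-cold": 0, "dst:new-partner": NOW - 10_000})
HISTORY = [Withdrawal("w0", "ops-1", "dst:treasury-cold", 120.0, NOW - 3_600,
                      [Approval("sec-1", "hw-key"), Approval("sec-2", "hw-key")])]
TWO_SIGNERS = [Approval("sec-1", "hw-key"), Approval("sec-2", "hw-key")]

REQUESTS = {
    "ok": Withdrawal("w1", "ops-1", "dst:treasury-cold", 100.0, NOW, TWO_SIGNERS),
    "self_and_replay": Withdrawal("w2", "ops-1", "dst:treasury-cold", 100.0, NOW,
                                  [Approval("ops-1", "hw-key"), Approval("sec-1", "hw-key"),
                                   Approval("sec-1", "hw-key")]),
    "new_dest": Withdrawal("w3", "ops-1", "dst:new-partner", 100.0, NOW, TWO_SIGNERS),
    "velocity": Withdrawal("w4", "ops-1", "dst:treasury-cold", 140.0, NOW, TWO_SIGNERS),
    "weak_auth": Withdrawal("w5", "ops-1", "dst:treasury-cold", 100.0, NOW,
                            [Approval("sec-1", "hw-key"), Approval("sec-2", "password")]),
}


def run_all() -> Dict[str, Tuple[bool, List[str]]]:
    return {name: evaluate(r, POLICY, HISTORY) for name, r in REQUESTS.items()}


if __name__ == "__main__":
    for name, (approved, reasons) in run_all().items():
        print(f"{name:16s} {'APPROVED' if approved else 'DENIED  '} {'; '.join(reasons)}")
```

The "self_and_replay" case is the one an insider or a stolen session produces: the requester signing their own request, and one approver's credential presented twice, both collapse to a single distinct approver and are denied. The time-lock on new destinations is what turns a fraudulent "change the payout address" into a delayed, reviewable event rather than an immediate loss.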

For governments and regulators:

  1. Target laundering conduits — sanction brokers, shell networks and facilitators whose services are repeatedly used to cash out stolen funds.
  2. Cross-border cooperation — blockchain tracing requires rapid international collaboration (evidence sharing, simultaneous seizures) to prevent flight of assets.
  3. Public-private intelligence sharing — incentivize faster, standardized sharing of wallet IOCs and TTPs (tactics, techniques and procedures).

9) What we still don’t know

Attribution at scale in crypto is difficult: private firms and governments may have different datasets, and DPRK actors use intermediaries that mask direct links. While blockchain analysis provides strong leads, some cash-out routes and human intermediaries remain opaque. Analysts continue to stress that figures like “$2.02 billion” are best-estimate totals based on visible on-chain flows and confirmed attribution; other losses may be unreported or unresolved.


Conclusion

In 2025 the combination of state resources, focused targeting of high-value infrastructure, and resilient laundering pipelines made DPRK-linked groups the most consequential actors in the year’s crypto crime landscape. The result is a new paradigm: a geopolitically motivated criminal economy operating over public blockchains. That reality requires coordinated technical hardening from industry and sharper, cross-border enforcement from governments — because the same tools used to innovate finance are now being repurposed to fund state activities outside the international system.