Hackers from North Korea have managed to steal the largest amount of crypto on record this year, an analysis from Elliptic has found.
According to the UN, the rogue state uses these funds to help finance its nuclear weapons and missile development programmes. The cumulative known value of crypto stolen by the regime is now thought to be more than $6bn, although the actual figure may be even higher.
The majority of the takings this year came from a single hack on cryptocurrency exchange Bybit in February, which saw around $1.46bn stolen. Other thefts publicly attributed to North Korea in 2025 include those suffered by LND.fi, WOO X and Seedify.
Elliptic said that attributing cyber thefts to North Korea is not an exact science as it can be difficult to trace the geographic origin of hacks. The firm, which carries out data analysis on the blockchain, made its observations by tracking laundering patterns alongside additional intelligence sources.
“We are aware of many other thefts that share some of the hallmarks of North Korea-linked activity but lack sufficient evidence to be definitively attributed,” Elliptic said. “Other thefts are likely unreported and remain unknown.”
Last year, a UN report estimated that approximately 50% of the foreign currency income used to fund North Korea’s weapons programmes was acquired through cyber attacks. Due to the necessity to source many parts of its nuclear programme from abroad, North Korea is reliant on foreign currency to carry out transactions. But severe sanctions have been placed on the regime that restrict its ability to carry out legal financial transactions and exports, or access the global banking system.
Elliptic said the amount stolen in 2025 already dwarfs previous years and is almost triple last year’s tally. By comparison, the previous record year was 2022, when $1.35bn was stolen in attacks against crypto services such as Ronin Network and Harmony Bridge.
While the majority of losses have been suffered by crypto exchanges, an increasing number of victims are also high-net-worth individuals. Some individuals are thought to be targeted due to their association with businesses holding large amounts of crypto.
The majority of the hacks in 2025 have been perpetrated through social engineering attacks, where hackers deceive or manipulate individuals in order to gain access to cryptocurrency. This marks a shift from earlier attacks, where in many cases technical flaws in crypto infrastructure were exploited to steal funds.
In March, it emerged that North Korean hackers had successfully infiltrated the Google Play app store to upload spyware masquerading as utility apps.
Be the first to comment