What began as sporadic cybercrime has turned into a highly industrialized revenue machine. In 2025, crypto-related hacking linked to the Democratic People’s Republic of Korea crossed a new threshold, transforming digital asset theft into one of the regime’s most reliable financial pipelines.

Data from Chainalysis, shared with TheBlock shows that North Korea-linked operators extracted more than $2.17 billion in crypto in just the first half of the year, already eclipsing the entirety of 2024. The pace and scale point to a system that is no longer opportunistic, but strategic.

Key Takeaways

• North Korea-linked hackers stole over $2.17 billion in crypto in the first half of 2025 alone.

• Laundering tactics have evolved into fast, multi-chain operations designed to overwhelm tracking efforts.

• Industry-wide coordination, not just sanctions, is seen as critical to slowing future attacks. 

A record-breaking year for state-backed crypto theft

The most dramatic episode came in February, when attackers drained nearly $1.5 billion in Ether from Bybit, setting a new benchmark for the largest single crypto theft on record. That breach was not an outlier. It was followed by a steady stream of incidents, including a multimillion-dollar exploit at Upbit, reinforcing the view that North Korea’s cyber campaign is sustained and coordinated.

These operations are widely attributed to state-aligned groups such as Lazarus Group, which Western intelligence agencies have long linked to Pyongyang’s weapons programs. With sanctions tightening traditional funding routes, crypto has become a preferred alternative.

From hacks to ecosystems

What sets 2025 apart is not just the amount stolen, but how efficiently funds are moved and concealed. According to Chainalysis researchers, DPRK-linked actors now deploy multiple laundering methods simultaneously, rapidly splitting funds across mixers, decentralized exchanges, bridges, OTC brokers, and token swaps to overwhelm tracking efforts.

This multi-channel approach shortens response times for investigators and makes recovery increasingly difficult. Rather than relying on a single laundering path, funds are scattered and recombined across chains, often within hours of an attack.

In parallel, North Korean operators have expanded beyond direct hacks. Infiltration of tech firms has become a key tactic, with operatives posing as remote IT workers to gain access to internal systems, wallets, or sensitive infrastructure. These efforts have extended into blockchain startups, AI firms, and even defense-linked contractors.

Why sanctions are not enough

Industry experts warn that enforcement tools alone are failing to keep pace. Andrew Fierman has argued that sanctions, while important, do little to disrupt the operational mechanics of these cyber networks without coordinated action from exchanges, analytics firms, and law enforcement.

The expectation across the security community is that crypto theft will remain a core revenue stream for Pyongyang. Emerging AI tools may further enhance these capabilities by enabling more convincing fake identities and automating laundering strategies at scale.

Closing the gaps

Defensive measures are shifting toward prevention rather than recovery. Enhanced due diligence, including mandatory video verification, stricter identity checks, IP monitoring, and tighter controls on crypto-based payments, is increasingly viewed as one of the few effective ways to block North Korean-linked operatives before damage is done.

Even so, experts acknowledge that complete prevention is unrealistic. The most effective deterrent, they argue, lies in rapid information sharing and coordinated response frameworks that reduce the window of opportunity for attackers.

As crypto adoption expands globally, North Korea’s cyber campaign highlights a stark reality: digital assets are now firmly embedded in geopolitical conflict, and the battleground is evolving faster than regulation can follow.