North Korean Hackers Target Crypto Firms with PylangGhost Malware, Fueling Record $2.1B in H1 2025 Thefts

According to @zachxbt, North Korean hackers are deploying a new Python-based malware called PylangGhost, disguised in fake job applications from major crypto firms like Coinbase and Uniswap to steal wallet credentials. A report from Cisco Talos details that the malware targets crypto professionals on Windows systems, aiming to compromise wallets such as MetaMask and Phantom. This activity is part of a larger, alarming trend highlighted by a TRM Labs report, which found that a record $2.1 billion was stolen from crypto platforms in the first half of 2025. North Korean-linked groups are reportedly responsible for $1.6 billion of these losses, primarily due to the historic $1.5 billion Bybit hack. The analysis indicates a strategic shift in attack vectors, with over 80% of stolen funds coming from infrastructure-level breaches like private key theft, which are proving far more profitable than DeFi exploits. Despite these significant security threats, market data shows resilience, with Ethereum (ETH) trading around $2,599.45, up over 6.3% in 24 hours, and Chainlink (LINK) at $13.81, up over 5.8%.
Analysis
The cryptocurrency market is currently navigating a complex landscape, balancing significant technological risks against bullish short-term price momentum. A stark reminder of the persistent threats facing the industry comes from a recent report detailing a sophisticated malware campaign orchestrated by a North Korean hacking group. According to security researchers at Cisco Talos, the group, known as Famous Chollima, is targeting professionals in the crypto space with a new Python-based remote access trojan (RAT) named PylangGhost. The attack vector is deceptively simple: threat actors impersonate major crypto firms like Coinbase and Uniswap, luring applicants through fake career portals. Victims are then tricked into running a command that installs the malware, which is designed to steal credentials, session cookies, and wallet data from over 80 browser extensions, including popular wallets like MetaMask and Phantom. This highlights a critical operational risk for traders and developers; personal security hygiene is no longer just a best practice but a fundamental necessity to protect assets.
Record-Breaking Thefts Underscore Systemic Risk
The scale of these threats is staggering and represents a significant headwind for institutional adoption. A report from TRM Labs published Friday revealed that a record-breaking $2.1 billion was stolen in hacks and exploits in the first half of 2025 alone. This figure not only surpasses the previous high from the first half of 2022 but also indicates an alarming escalation in the capabilities of nation-state actors. The report attributes a shocking 70%, or $1.6 billion, of these stolen funds to North Korean-linked groups. The single largest incident, the $1.5 billion Bybit hack in February, has skewed the average theft size to $30 million, double the previous year's level. This trend underscores a pivotal shift in attack vectors. Over 80% of stolen funds now originate from infrastructure-level breaches, such as private key theft and social engineering, which are proving far more lucrative than the smart contract exploits that dominated previous years. For traders, this means the security of the exchanges and platforms they use is more critical than ever, as platform-level failures now pose the greatest financial risk.
Market Resilience in the Face of Security Threats
Despite the grim security news, the digital asset market has demonstrated remarkable resilience, with key assets posting significant gains. Ethereum (ETH) has been a standout performer, with the ETH/USDT pair surging 6.28% to trade at $2,598.47. The asset carved out a daily range between a low of $2,432.82 and a high of $2,615.26, indicating strong buying pressure. This upward momentum suggests traders are currently prioritizing other market catalysts over the long-term security concerns. The immediate resistance for ETH sits at the 24-hour high around $2,615, while the former resistance in the low $2,400s now acts as a key support level. A decisive break above $2,620 could signal a continuation of the uptrend, targeting higher resistance levels.
Further analysis of trading pairs reveals a broader market strength. The ETH/BTC ratio has climbed 3.55% to 0.02358, signifying that Ethereum is currently outperforming Bitcoin. This is a crucial metric for portfolio allocation, suggesting that capital is rotating into ETH and other altcoins at a faster pace. Chainlink (LINK) has mirrored this strength, with the LINK/USDT pair climbing 5.82% to $13.81. Trading volume for LINK has been robust, and the asset is pushing against its daily high of $13.82. This synchronized rally in major altcoins like ETH and LINK suggests a risk-on sentiment is prevailing in the short term. However, traders must remain vigilant. The escalating infrastructure risks mean that a single, major security breach at a prominent exchange or DeFi protocol could swiftly erase these gains. Therefore, employing stop-loss orders and diversifying assets across multiple secure, self-custodial wallets remains a prudent strategy to mitigate the ever-present counterparty and security risks highlighted by recent intelligence reports.
ZachXBT (@zachxbt) is a pseudonymous independent on-chain sleuth who is popular for revealing bad actors and scams in the crypto space.