DPRK Hackers Stole $2B in Crypto in 2025 Despite Fewer Attacks
Ted Hisokawa May 14, 2026 18:33
North Korean state-sponsored hackers stole $2 billion in 2025, a 51% increase year-over-year, targeting Web3 projects and exchanges.
North Korean state-sponsored hackers stole over $2 billion worth of cryptocurrency in 2025, marking a 51% increase compared to the prior year, even as the number of attacks declined, according to cybersecurity firm CrowdStrike. This underscores a shift in tactics by DPRK-affiliated threat actors, who are focusing on fewer yet higher-value targets.
Hackers linked to North Korea—primarily the infamous Lazarus Group—remain the largest nation-state threat to cryptocurrency users, CrowdStrike noted in its 2026 Financial Services Threat Landscape Report. The stolen funds, believed to be laundered to finance Pyongyang's missile and nuclear programs, represented roughly 60% of the $3.4 billion stolen globally in 2025.
Shifting Strategies, Bigger Paydays
Compared to 2024, DPRK hackers executed fewer campaigns in 2025 but achieved significantly higher returns by targeting Web3 projects, cryptocurrency exchanges, and high-value decentralized applications (dApps). CrowdStrike noted that these actors exploited the anonymity of crypto transactions, which let them cash out stolen funds with relative ease compared to traditional financial systems.
In one notable case, the Drift Protocol decentralized exchange was infiltrated in April 2025 after North Korean operatives posed as legitimate tech workers. Over six months, they built trust with the development team, eventually deploying malware that caused $280 million in losses. This attack highlights the evolving sophistication of DPRK tactics, which now include physical infiltration, conference attendance, and long-term social engineering.
Record-Breaking Heists and a Broader Threat
North Korea's most lucrative exploits in 2025 included the Bybit exchange hack in February, which netted $1.5 billion, the largest single crypto theft to date. Combined with other operations, including the Kelp DAO hack in early 2026, North Korea-linked actors have stolen an estimated $6.75 billion in cryptocurrency since 2017, according to blockchain analytics firm TRM Labs.
In 2026, activity has continued unabated. TRM Labs reported that DPRK hackers were responsible for 76% of global crypto hack losses in the first four months of the year, amounting to $577 million. High-profile incidents include the $290 million Kelp DAO exploit in April, which targeted a governance token and staking project.
Implications for the Industry
The rise in losses despite fewer attacks signals a need for heightened vigilance across the crypto industry. Web3 projects and exchanges, often the preferred targets, must bolster their defenses against increasingly sophisticated adversaries. This includes implementing strict vetting procedures for remote hires, conducting regular security audits, and monitoring for social engineering attempts.
North Korean hackers’ success also highlights vulnerabilities in cross-chain bridges and liquidity pools, which are frequently exploited for laundering stolen funds. Methods such as chain-hopping, token swaps, and the use of mixers or decentralized exchanges allow DPRK actors to obscure stolen assets’ origins, complicating recovery efforts.
Geopolitical Connections
U.S. authorities have repeatedly linked North Korea's crypto thefts to its sanctioned military programs. In response, sanctions and forfeiture actions intensified in late 2025 and into 2026, but DPRK hackers continue to adapt. According to CrowdStrike, proceeds from these crimes are "almost certainly" funding Pyongyang’s nuclear and missile development.
For crypto investors and projects, the message is clear: cybersecurity must be a top priority. With North Korea’s growing focus on high-value targets, the stakes have never been higher.