North Korea-Linked Hackers Have Stolen Over $2B in Crypto in 2025 — What Happened and How to Defend

North Korea-linked hackers have continued to target the cryptocurrency ecosystem in 2025, and blockchain forensics firms say the tally is already staggering. Analysts at Elliptic report that DPRK-connected actors have stolen over $2 billion in crypto this year, contributing to a multi-year pattern of state-linked thefts that now total several billion dollars. The heist against ByBit — among other incidents — illustrates how adversaries are combining technical exploits, social engineering, and increasingly sophisticated laundering techniques to move and monetize stolen funds.

This article explains what researchers have reported about the 2025 incidents, the methods attackers used, and concrete steps exchanges, custodians, and individual crypto holders should take to reduce exposure.

What the numbers tell us

Blockchain analytics firm Elliptic and other researchers have tracked numerous thefts attributed to DPRK-linked groups in 2025. The $2 billion figure reflects aggregated losses across multiple incidents and methods, including direct exchange breaches, exploitation of vulnerabilities, and high-value thefts from individual wallets. Elliptic and industry reporting indicate that some of the largest single incidents — such as the large ByBit theft earlier in the year — account for a substantial portion of the total.

Taken together with past activity, these operations show a consistent pattern: state-linked actors have built profitable, repeatable illicit pipelines that steal, launder, and cash out cryptocurrency at scale.

How the attackers are changing their playbook

Historically, DPRK-linked groups, most prominently the cluster that security researchers track as Lazarus, have relied on large technical intrusions, exploits in blockchain bridges, and thefts from exchanges. In 2025 the pattern shows two important shifts:

  1. Hybrid tactics that emphasize social engineering.
    Rather than relying only on software vulnerabilities, attackers are increasingly targeting people — tricking staff, contractors, or third-party vendors through tailored phishing, impersonation, or recruitment schemes. These human-targeting techniques can give attackers access to credentials, internal tools, or approval processes that enable fund transfers.
  2. Smarter laundering across chains and services.
    After theft, perpetrators use multi-chain mixing, privacy coins, decentralized exchanges (DEXs), and complex cross-chain swaps to obscure provenance. Analytics companies have improved their tracing methods, but laundering remains a persistent challenge because attackers exploit the growing diversity of chains and on-ramps.

Anatomy of a recent high-value theft

While specifics vary by case, a typical DPRK-linked theft in 2025 looks like this:

  • Initial access: Through a phishing campaign or compromised vendor account rather than an unpatched server.
  • Escalation: Attackers obtain API keys, withdrawal permissions, or session tokens tied to hot wallets.
  • Extraction: Funds are moved quickly through multiple addresses and chains to avoid detection.
  • Laundering: Stolen crypto is routed through mixers, small exchanges, or DeFi platforms and swapped into privacy-focused assets or fiat rails.
  • Cashing out: Final conversion relies on weakly regulated services or intermediaries that fail to detect illicit provenance.

The ByBit incident exemplified many of these elements. Researchers tracing the flows showed large transfers followed by rapid splitting across many fresh addresses and into multiple chains, a hallmark of automated laundering pipelines built to move funds quickly while complicating forensic analysis.
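The tracing described above, following stolen funds outward from a known theft address and flagging the rapid fan-out pattern, can be sketched as follows. This is an added example and not Elliptic's or any exchange's tooling; the transfers, addresses, chains and the bridge deposit-to-withdrawal mapping are constructed for illustration, and the bridge attribution is assumed rather than derived from chain data.

```python
"""Follow stolen funds outward from a theft address (BFS over outgoing
transfers, hopping across an assumed bridge link) and flag addresses that
split funds to many destinations within a short window. Constructed
example; every address, chain and amount below is made up."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    chain: str
    src: str
    dst: str
    amount: float   # common unit (e.g. USD-equivalent) to keep the example simple
    ts: int         # unix seconds


# Constructed sample: 0xTHEFT receives from a hot wallet, splits the funds
# across four fresh addresses within seconds, and one leg bridges to another
# chain. 0xUNRELATED is noise that must not be picked up.
SAMPLE = [
    Transfer("eth", "0xHOT_WALLET", "0xTHEFT", 1_000_000, 1000),
    Transfer("eth", "0xTHEFT", "0xA1", 250_000, 1060),
    Transfer("eth", "0xTHEFT", "0xA2", 250_000, 1061),
    Transfer("eth", "0xTHEFT", "0xA3", 250_000, 1062),
    Transfer("eth", "0xTHEFT", "0xA4", 250_000, 1063),
    Transfer("eth", "0xA1", "0xBRIDGE", 250_000, 1300),
    Transfer("btc", "bc1BRIDGE_OUT", "bc1C1", 240_000, 1900),   # bridged leg
    Transfer("eth", "0xUNRELATED", "0xOTHER", 5_000, 1200),
]
# Assumed mapping from a bridge deposit address to its counterpart on the
# destination chain (in practice this comes from bridge event data/attribution).
BRIDGE_LINKS = {"0xBRIDGE": "bc1BRIDGE_OUT"}


def trace(transfers, seed, max_hops=5, bridge_links=None):
    """BFS over outgoing transfers from `seed`. Returns {address: hop_count}.
    Incoming transfers (e.g. the victim hot wallet) are deliberately not followed."""
    bridge_links = bridge_links or {}
    out = defaultdict(list)
    for t in transfers:
        out[t.src].append(t)
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops:
            continue
        nxt = [t.dst for t in out[addr]]
        if addr in bridge_links:          # cross the bridge as one extra hop
            nxt.append(bridge_links[addr])
        for dst in nxt:
            if dst not in hops:
                hops[dst] = hops[addr] + 1
                queue.append(dst)
    return hops


def fan_out_events(transfers, tainted, window=300, min_dests=3):
    """Flag tainted addresses sending to >= min_dests distinct destinations
    within `window` seconds: the rapid-split pattern. Returns {src: n_dests}."""
    by_src = defaultdict(list)
    for t in transfers:
        if t.src in tainted:
            by_src[t.src].append(t)
    flagged = {}
    for src, txs in by_src.items():
        txs.sort(key=lambda t: t.ts)
        for i, start in enumerate(txs):   # sliding window from each transfer
            dests = {t.dst for t in txs[i:] if t.ts - start.ts <= window}
            if len(dests) >= min_dests:
                flagged[src] = len(dests)
                break
    return flagged


def summarize(transfers, seed, bridge_links=BRIDGE_LINKS):
    """Tainted address set with hop counts, chains touched, and fan-out flags."""
    hops = trace(transfers, seed, bridge_links=bridge_links)
    tainted = set(hops)
    chains = {t.chain for t in transfers if t.src in tainted}
    return {
        "tainted": hops,
        "chains": sorted(chains),
        "fan_out": fan_out_events(transfers, tainted),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE, "0xTHEFT").items():
        print(k, v)
```

The hop limit and the time window are the two knobs a tracing team tunes: too many hops and the taint set swallows exchange deposit addresses that merely received a trickle; too short a window and a slower split goes unflagged.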

Why exchanges and custodians remain attractive targets

Exchanges and custodial services are concentrators of value and therefore lucrative targets. Attackers need only compromise a single administrative tool, a third-party plugin, or an account with withdrawal privileges to move large sums. Additionally, small operational mistakes — overly permissive key storage, unsegmented networks, inadequate vendor oversight — can allow attackers to escalate from a single user compromise to a large-scale theft.

Practical defenses for exchanges and custodians

Exchanges and custodians must assume they are being actively probed and harden systems accordingly. Key measures include:

  • Strong vendor and supply-chain security: Enforce strict onboarding, continuous monitoring, and minimum security baselines for all third parties. Conduct regular audits of vendor privileges and configurations.
  • Key management best practices: Use hardware security modules (HSMs) and multi-party computation (MPC) for private key operations. Separate signing from operational networks and require multi-party approval for large withdrawals.
  • Zero trust for admin tooling: Limit access to administrative consoles with conditional access, short-lived credentials, session recording, and adaptive MFA.
  • Anomaly detection on chain and off chain: Integrate blockchain analytics for real-time monitoring of outgoing flows and employ behavioral analytics to flag unusual admin or API activity.
  • Red team and incident playbooks: Regularly simulate social engineering attacks and test incident response plans specifically focused on crypto theft scenarios and cross-chain laundering.
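Three of the controls above, a withdrawal allowlist with a time-lock, a rolling velocity limit, and multi-party approval for large withdrawals, fit naturally into a single policy check in front of the signing path. The sketch below is an added example, not any exchange's production code; the thresholds, account and approver identifiers, and the constructed request sequence are all assumed. It models the escalation step from the theft anatomy: a compromised session that can add a destination and request a withdrawal, but cannot wait out the time-lock or supply independent approvers.

```python
"""Withdrawal policy engine sketch: allowlist time-lock, rolling velocity
limit, and M-of-N approval above a size threshold. Added example with
assumed thresholds and identifiers; not production code."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    allowlist_delay_s: int = 24 * 3600    # new destination usable only after this delay
    large_amount: float = 100_000.0       # above this, independent approvals are required
    approvals_required: int = 2           # M distinct approvers, requester excluded
    velocity_limit: float = 500_000.0     # max executed volume per account per window
    velocity_window_s: int = 3600


@dataclass
class Withdrawal:
    account: str
    requester: str                        # user or API key that submitted the request
    dst: str
    amount: float
    ts: int
    approvals: frozenset = frozenset()    # ids of approvers who signed off


@dataclass
class AccountState:
    allowlist: dict = field(default_factory=dict)   # dst -> ts when added
    history: list = field(default_factory=list)     # (ts, amount) of executed withdrawals


def evaluate(w, state, policy):
    """Return ("allow" | "hold" | "deny", reasons). Hard failures deny;
    only a large amount lacking approvals results in a hold."""
    reasons = []
    added = state.allowlist.get(w.dst)
    if added is None:
        reasons.append("destination not on allowlist")
    elif w.ts - added < policy.allowlist_delay_s:
        reasons.append("destination allowlisted less than %ds ago" % policy.allowlist_delay_s)
    recent = sum(a for ts, a in state.history if w.ts - ts < policy.velocity_window_s)
    if recent + w.amount > policy.velocity_limit:
        reasons.append("velocity limit exceeded")
    if reasons:
        return "deny", reasons
    if w.amount > policy.large_amount:
        approvers = set(w.approvals) - {w.requester}   # no self-approval
        if len(approvers) < policy.approvals_required:
            return "hold", ["needs %d independent approvals, have %d"
                            % (policy.approvals_required, len(approvers))]
    return "allow", []


def execute(w, state, policy):
    """Apply the decision; only allowed withdrawals count toward velocity."""
    decision, reasons = evaluate(w, state, policy)
    if decision == "allow":
        state.history.append((w.ts, w.amount))
    return decision, reasons


def demo():
    """Constructed sequence: a compromised session adds 0xATTACKER and tries to
    drain immediately, then legitimate operators move funds to a long-standing
    treasury address. Returns the list of decisions in order."""
    policy = Policy()
    state = AccountState(allowlist={"0xTREASURY": 0})       # allowlisted long ago
    t0 = 10 * 24 * 3600
    state.allowlist["0xATTACKER"] = t0                       # just added by the attacker
    seq = [
        Withdrawal("acct1", "ops-bot", "0xATTACKER", 90_000, t0 + 60),
        Withdrawal("acct1", "ops-bot", "0xTREASURY", 50_000, t0 + 120),
        Withdrawal("acct1", "alice", "0xTREASURY", 200_000, t0 + 180, frozenset({"alice"})),
        Withdrawal("acct1", "alice", "0xTREASURY", 200_000, t0 + 240,
                   frozenset({"alice", "bob", "carol"})),
        Withdrawal("acct1", "alice", "0xTREASURY", 300_000, t0 + 300, frozenset({"bob", "carol"})),
    ]
    return [execute(w, state, policy)[0] for w in seq]


if __name__ == "__main__":
    print(demo())
```

Note the ordering: allowlist and velocity checks run before the approval check, so a stolen approver credential cannot be used to push a large transfer to a destination that was added minutes earlier, and the velocity counter only advances on executed withdrawals, so held or denied requests cannot be used to exhaust it.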

Practical steps for individual crypto holders

Individual investors can reduce their exposure by adopting conservative custody practices:

  • Use cold wallets for long-term holdings. Move funds to hardware wallets when not actively trading.
  • Limit hot wallet exposure. Keep only the minimal amount on exchanges required for trading.
  • Enable strong account security. Use hardware-backed MFA, unique passwords, and withdrawal whitelists where available.
  • Monitor transactions and addresses. Use block explorers and alerts from reputable services to watch for unexpected movement.
  • Diversify counterparty risk. Avoid concentrating funds on a single platform, especially among lesser-known exchanges with weak compliance programs.

The role of blockchain forensics and international cooperation

Tracing stolen funds and disrupting laundering networks requires coordination among analytics firms, exchanges, and law enforcement. Firms such as Elliptic, Chainalysis, and others play a central role in attributing flows, identifying chokepoints, and supporting takedown efforts. At the same time, cross-border cooperation and consistent regulatory enforcement are critical to deny attackers the ability to cash out.
