North Korea-Linked Hackers Steal $2.02 Billion in 2025, Leading Global Crypto Theft

The Hacker News by The Hacker News
December 18, 2025

Threat actors with ties to the Democratic People’s Republic of Korea (DPRK or North Korea) have been instrumental in driving a surge in global cryptocurrency theft in 2025, accounting for at least $2.02 billion out of more than $3.4 billion stolen from January through early December.

The figure represents a 51% increase year-over-year and $681 million more than 2024, when the threat actors stole $1.3 billion, according to Chainalysis’ Crypto Crime Report shared with The Hacker News.

“This marks the most severe year on record for DPRK crypto theft in terms of value stolen, with DPRK attacks also accounting for a record 76% of all service compromises,” the blockchain intelligence company said. “Overall, 2025’s numbers bring the lower-bound cumulative estimate for cryptocurrency funds stolen by the DPRK to $6.75 billion.”

The February compromise of cryptocurrency exchange Bybit alone is responsible for $1.5 billion of the $2.02 billion plundered by North Korea. The attack was attributed to a threat cluster known as TraderTraitor (aka Jade Sleet and Slow Pisces). An analysis published by Hudson Rock earlier this month linked a machine infected with Lumma Stealer to infrastructure associated with the Bybit hack based on the presence of the email address “trevorgreer9312@gmail[.]com.”

The cryptocurrency thefts are part of a broader series of attacks conducted by the North Korea-backed hacking group called Lazarus Group over the past decade. The adversary is also believed to be involved in the theft of $36 million worth of cryptocurrency from South Korea’s largest cryptocurrency exchange, Upbit, last month.

Lazarus Group is affiliated with Pyongyang’s Reconnaissance General Bureau (RGB). It’s estimated to have siphoned no less than $200 million from over 25 cryptocurrency heists between 2020 and 2023.

The Lazarus Group is one of the most prolific hacking groups and also has a track record of orchestrating a long-running campaign referred to as Operation Dream Job, in which prospective employees in the defense, manufacturing, chemical, aerospace, and technology sectors are approached via LinkedIn or WhatsApp with lucrative job offers to trick them into downloading and running malware such as BURNBOOK, MISTPEN, and BADCALL, the last of which also comes in a Linux version.

The end goal of these efforts is two-pronged: to collect sensitive data and generate illicit revenue for the regime in violation of international sanctions imposed on the country.

A second approach adopted by North Korean threat actors is to embed information technology (IT) workers inside companies across the world under false pretenses, either in an individual capacity or through front companies like DredSoftLabs and Metamint Studio that are set up for this purpose. This also includes gaining privileged access to crypto services and enabling high‑impact compromises. The fraudulent operation has been nicknamed Wagemole.

“Part of this record year likely reflects an expanded reliance on IT worker infiltration at exchanges, custodians, and Web3 firms, which can accelerate initial access and lateral movement ahead of large‑scale theft,” Chainalysis said.

The stolen funds are then routed through Chinese-language money movement and guarantee services, as well as cross-chain bridges, mixers, and specialized marketplaces like Huione, to launder the proceeds. What’s more, the pilfered assets follow a structured, multi-wave laundering pathway that unfolds over approximately 45 days following the hacks:

  • Wave 1: Immediate Layering (Days 0-5), which involves immediate distancing of funds from the theft source using DeFi protocols and mixing services
  • Wave 2: Initial Integration (Days 6-10), which involves shifting the funds to cryptocurrency exchanges, second-tier mixing services, and cross-chain bridges like XMRt
  • Wave 3: Final Integration (Days 20-45), which involves using services that facilitate ultimate conversion to fiat currency or other assets

“Their heavy use of professional Chinese-language money laundering services and over-the-counter (OTC) traders suggests that DPRK threat actors are tightly integrated with illicit actors across the Asia-Pacific region, and is consistent with Pyongyang’s historical use of China-based networks to gain access to the international financial system,” the company said.

The disclosure comes as Minh Phuong Ngoc Vong, a 40-year-old Maryland man, has been sentenced to 15 months in prison for his role in the IT worker scheme by allowing North Korean nationals based in Shenyang, China, to use his identity to land jobs at several U.S. government agencies, per the U.S. Department of Justice (DoJ).

Between 2021 and 2024, Vong used fraudulent misrepresentations to obtain employment with at least 13 different U.S. companies, including landing a contract at the Federal Aviation Administration (FAA). In all, Vong was paid more than $970,000 in salary for software development services that were carried out by overseas conspirators.

“Vong conspired with others, including John Doe, aka William James, a foreign national living in Shenyang, China, to defraud U.S. companies into hiring Vong as a remote software developer,” the DoJ said. “After securing these jobs through materially false statements about his education, training, and experience, Vong allowed Doe and others to use his computer access credentials to perform the remote software development work and receive payment for that work.”

The IT worker scheme appears to be undergoing a shift in strategy, with DPRK-linked actors increasingly acting as recruiters to enlist collaborators through platforms like Upwork and Freelancer to further scale the operations.

“These recruiters approach targets with a scripted pitch, requesting ‘collaborators’ to help bid on and deliver projects. They provide step-by-step instructions for account registration, identity verification, and credential sharing,” Security Alliance said in a report published last month.

“In many cases, victims ultimately surrender full access to their freelance accounts or install remote-access tools such as AnyDesk or Chrome Remote Desktop. This enables the threat actor to operate under the victim’s verified identity and IP address, allowing them to bypass platform verification controls and conduct illicit activity undetected.”
