How North Korea Stole $3 Billion in Crypto and Why It Matters

Feb 16, 2026

Between 2017 and 2025, North Korean hackers stole over $3 billion in cryptocurrency - more than any other nation or criminal group in history. This isn’t random hacking. It’s a state-run operation, carefully planned, highly coordinated, and directly tied to funding weapons programs that violate international sanctions. The numbers alone are staggering: $1.5 billion stolen in a single attack on Bybit in February 2025. That’s more than all the crypto thefts in 2024 combined.

How Did They Do It?

North Korean hackers didn’t break into systems with brute force. They didn’t need to. They used people.

Take the DMM hack in May 2024. Attackers started by posing as recruiters on LinkedIn. They reached out to employees at Ginco, a Japanese company that builds wallet software for crypto platforms. One victim downloaded what looked like a simple Python script - a "pre-employment test." It wasn’t. It was malware. Once installed, it gave the hackers access to session cookies, which let them log in as the employee. No passwords cracked. No firewalls breached. Just a trusted name on LinkedIn and a fake file.

From there, they waited. Months passed. They watched how the company operated. They studied how employees requested transactions. Then, in May, they manipulated a real transaction. A DMM employee asked to move funds. The hackers intercepted it, changed the destination address, and sent $308 million in Bitcoin straight to their wallets. The employee never noticed. The system approved it. The money was gone.

This pattern repeats. In 2023, the same group hit Atomic Wallet, Alphapo, and CoinsPaid - all within days. Each time, they used social engineering to get inside. Then they moved slowly. Patiently. Like surgeons.

The $1.5 Billion Bybit Heist

The February 2025 attack on Bybit changed everything. Hackers stole nearly $1.5 billion in Ether - the largest single crypto theft ever recorded. Chainalysis, the leading blockchain intelligence firm, confirmed it was linked to North Korea’s Lazarus group. How? Because of the laundering pattern.

After stealing the Ether, the hackers didn’t just cash out. They spread it across dozens of decentralized exchanges. They used cross-chain bridges to convert Ether into Bitcoin, Litecoin, and Monero. Then they mixed it through hundreds of wallets, each holding just a few thousand dollars. No single wallet looked suspicious. No transaction stood out. It took weeks for analysts to trace the trail - and even then, only because the hackers reused one old wallet address from a 2021 attack.

This isn’t luck. It’s strategy. North Korea has built a full-time cyber unit that treats crypto theft like a military campaign. They have analysts, engineers, social engineers, and launderers. They train for years. They test tools on small targets before going after giants.

Why North Korea? Why Crypto?

Sanctions have choked North Korea’s economy. Oil imports? Cut. Luxury goods? Blocked. Traditional banking? Impossible. But crypto? Crypto doesn’t care about borders. It doesn’t need a bank. It runs on code - and code can be hacked.

Between 2017 and 2024, North Korea stole $3 billion. In 2024 alone, they stole $1.34 billion - over 60% of all crypto theft worldwide. That’s not coincidence. That’s a policy. The U.S. Treasury and UN Security Council both confirm the stolen funds are used to buy materials for nuclear weapons and missile programs. A single $100 million heist can fund a year’s worth of uranium enrichment.

And it’s working. While the world focuses on sanctions, North Korea is quietly building its arsenal with stolen Bitcoin.

[Illustration: a worker in a Tokyo office unknowingly triggers a hacker's attack through a fake job script, with digital traces of stolen funds.]

Who’s Targeted? And Why?

North Korean hackers don’t go after random exchanges. They pick specific targets:

  • Wallet providers like Ginco - because they hold keys for multiple clients.
  • Centralized exchanges like Bybit - because they store huge amounts of crypto.
  • Small teams - because they have weak security and fewer checks.

They avoid exchanges with multi-signature wallets. They avoid platforms with real-time blockchain monitoring. They look for companies that still use single passwords, don’t verify employee identities, or allow remote access without 2FA.

In 2024, 84% of all crypto thefts happened between January and July. Why? Because North Korea’s leadership likely adjusts operations based on global politics. When tensions rise, they pull back. When attention shifts, they strike.

What’s Being Done?

The FBI, Japan’s National Police, and Europol are tracking these hackers. They’ve named names: Lazarus, TraderTraitor, Jade Sleet. They’ve released technical details - IP addresses, malware signatures, wallet patterns.

Exchanges are responding. Many now require:

  • Multi-signature withdrawals (requiring 3+ approvals)
  • Behavioral monitoring (flagging unusual transaction patterns)
  • Employee training with phishing simulations
  • Real-time blockchain alerts

But it’s not enough. The hackers adapt faster. They learn from each failure. They test new methods on smaller targets before hitting big ones. And they’re getting smarter at laundering money - using DeFi protocols, privacy coins, and NFT marketplaces to hide tracks.
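What the first of those controls buys you, and why it would have stopped the DMM transaction swap described earlier, is easiest to see in code. The block below is an added example, not code from this article, DMM, Ginco or any exchange: a 3-of-N withdrawal approval in which every approver signs the exact amount, asset and destination. An attacker who hijacks one employee's session and rewrites the destination after approval ends up with approvals that no longer match the transaction, so it is refused. The approver names, keys and amounts are constructed, and HMAC-SHA256 with per-approver secrets stands in for the hardware-backed signatures a real custody system would use.

```python
"""
Added example (not from the article or any exchange's code): a 3-of-N
withdrawal approval scheme. Each approver signs a digest of the full
withdrawal (amount, asset, destination). Changing the destination after
approval invalidates every approval, so the withdrawal is rejected.

All keys, names and amounts are constructed. HMAC-SHA256 with a
per-approver secret is a stand-in for real hardware-wallet signatures.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

THRESHOLD = 3  # distinct approvals required before funds move

# Constructed approver secrets; in production each lives in an HSM or hardware wallet.
APPROVER_KEYS = {
    "alice": secrets.token_bytes(32),
    "bob": secrets.token_bytes(32),
    "carol": secrets.token_bytes(32),
    "dave": secrets.token_bytes(32),
}


@dataclass(frozen=True)
class Withdrawal:
    amount: str       # decimal string, never a float
    asset: str
    destination: str

    def digest(self) -> bytes:
        # Canonical JSON so every approver hashes byte-identical input.
        payload = json.dumps(
            {"amount": self.amount, "asset": self.asset, "destination": self.destination},
            sort_keys=True, separators=(",", ":"),
        ).encode()
        return hashlib.sha256(payload).digest()


def approve(approver: str, w: Withdrawal) -> tuple:
    """Approver signs the digest of the whole withdrawal, destination included."""
    return approver, hmac.new(APPROVER_KEYS[approver], w.digest(), hashlib.sha256).digest()


def verify(w: Withdrawal, approvals) -> bool:
    """True only if at least THRESHOLD distinct approvers signed exactly this withdrawal."""
    valid = set()
    for approver, sig in approvals:
        key = APPROVER_KEYS.get(approver)
        if key is None:
            continue  # unknown approver: ignored, never counted
        expected = hmac.new(key, w.digest(), hashlib.sha256).digest()
        if hmac.compare_digest(sig, expected):
            valid.add(approver)  # set: the same approver cannot count twice
    return len(valid) >= THRESHOLD


def execute_withdrawal(w: Withdrawal, approvals) -> str:
    if not verify(w, approvals):
        return "REJECTED: approvals do not cover this exact destination/amount"
    return f"SENT {w.amount} {w.asset} to {w.destination}"


def demo() -> tuple:
    """Legitimate withdrawal vs. the same approvals replayed against a swapped destination."""
    requested = Withdrawal("4502.5", "BTC", "bc1q-constructed-cold-wallet")
    approvals = [approve(a, requested) for a in ("alice", "bob", "carol")]
    ok = execute_withdrawal(requested, approvals)
    # Attacker holding a stolen session rewrites only the destination.
    tampered = Withdrawal(requested.amount, requested.asset, "bc1q-constructed-attacker")
    bad = execute_withdrawal(tampered, approvals)
    return ok, bad


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The design point is that the approval must bind the destination, not just the amount. A one-click "approve" on a request whose address field is rendered from the server lets a stolen session or a man-in-the-middle swap the target after the human has looked at it; signing the canonical tuple forces the swap to show up as a signature mismatch at the last step before funds move.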

[Illustration: a dystopian blockchain network feeds stolen crypto into nuclear weapons, with the Lazarus Group symbol dominating the skyline.]

What This Means for You

If you use crypto, this isn’t just "them" - it’s "us." Every theft erodes trust. Every hack makes insurance costs rise. Every stolen dollar makes it harder for honest users to move money.

Platforms are raising fees. Regulators are tightening rules. Some exchanges now refuse to list new tokens because they fear being targeted. Users are losing confidence. And the cycle continues.

The real danger isn’t just the money stolen. It’s what that money buys: missiles, warheads, and the threat of escalation.

Can It Be Stopped?

Yes - but not with technology alone.

You can’t hack your way out of a social engineering attack. You can’t code your way out of a human mistake. The only real defense is culture: rigorous training, strict access controls, and a mindset that assumes every email, every link, every job offer could be a trap.

Governments need to act too. Sanctions alone won’t work. But if the world froze every crypto wallet linked to known North Korean addresses - if every exchange was forced to block them - it could cut off their supply line.

Right now, they’re winning. Not because they’re unstoppable. But because we’re still treating this like a crime problem - not a national security crisis.

How much crypto has North Korea stolen in total?

Between 2017 and 2025, North Korean hackers stole at least $4.5 billion in cryptocurrency. This includes $3 billion from 2017 to 2024, plus the $1.5 billion Bybit hack in February 2025. The majority of these thefts were carried out by the Lazarus Group and its offshoots.

Which groups are behind these hacks?

The primary group is Lazarus, a state-sponsored hacking unit linked to North Korea’s Reconnaissance General Bureau. Other subgroups include TraderTraitor, Jade Sleet, UNC4899, and Slow Pisces. Each has specialized roles - some focus on social engineering, others on blockchain laundering or malware development.

How do North Korean hackers avoid getting caught?

They use layered laundering techniques: mixing stolen funds across dozens of decentralized exchanges, converting between cryptocurrencies, and moving through privacy coins like Monero. They also reuse old wallet addresses, exploit vulnerabilities in cross-chain bridges, and time attacks to coincide with low-visibility periods like holidays or geopolitical distractions.
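The laundering pattern described in the Bybit section and in this answer (one hop, then a split into many wallets holding a few thousand dollars each, then a bridge to another chain) is exactly what an exchange's deposit screening or a blockchain analyst's tracing tool looks for. The block below is an added example, not code from this article or from Chainalysis or any exchange: a breadth-first trace from a flagged theft address over a constructed transfer log, a fan-out detector for the "many small outputs" layering step, and a check for a reused address that ties the new chain back to an earlier, separately flagged incident, which is how the article says the Bybit trail was eventually connected. All addresses, amounts and thresholds are constructed.

```python
"""
Added example (not from the article, Chainalysis or any exchange): tracing
and screening over a constructed transfer log.

  trace()            BFS hop distance from flagged source addresses
  fan_out_wallets()  wallets splitting into many small outputs (layering)
  linked_incidents() reused addresses shared with earlier flagged activity
  screen_deposit()   exchange-side hold/clear decision for an incoming deposit

Every address and amount below is constructed.
"""
from collections import defaultdict, deque

# Constructed transfer log: (from_address, to_address, amount_in_usd)
TRANSFERS = [
    ("theft_2025_src", "hop_a", 5_000_000),
    ("hop_a", "hop_b1", 2_500_000),
    ("hop_a", "hop_b2", 2_500_000),
    # Layering: hop_b1 peels its balance into 40 wallets of a few thousand dollars each.
    *[("hop_b1", f"small_{i}", 4_000) for i in range(40)],
    ("hop_b2", "bridge_btc", 2_500_000),
    ("bridge_btc", "old_2021_wallet", 1_000_000),     # reuse of a previously flagged wallet
    ("bridge_btc", "exchange_deposit_x", 1_500_000),
    ("retail_user", "exchange_deposit_y", 300),       # unrelated activity; must stay clear
]

KNOWN_BAD = {"theft_2025_src"}          # this incident's source address (constructed)
HISTORICAL_BAD = {"old_2021_wallet"}    # flagged in an earlier incident (constructed)


def build_graph(transfers):
    """Adjacency list: address -> [(next_address, amount), ...]."""
    out = defaultdict(list)
    for src, dst, amt in transfers:
        out[src].append((dst, amt))
    return out


def trace(transfers, seeds, max_hops=6):
    """BFS from the seeds; returns {address: hop_distance} for every reachable wallet."""
    graph = build_graph(transfers)
    dist = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        cur = queue.popleft()
        if dist[cur] >= max_hops:
            continue
        for nxt, _ in graph.get(cur, []):
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist


def fan_out_wallets(transfers, min_outputs=20, max_output_usd=10_000):
    """Wallets whose outgoing transfers are all small and numerous: the layering step."""
    graph = build_graph(transfers)
    return sorted(
        addr for addr, outs in graph.items()
        if len(outs) >= min_outputs and all(amt <= max_output_usd for _, amt in outs)
    )


def linked_incidents(transfers, seeds, historical):
    """Addresses reachable from this incident that were already flagged in an older one."""
    return sorted(set(trace(transfers, seeds)) & set(historical))


def screen_deposit(transfers, seeds, deposit_addr, max_hops=6):
    """Exchange-side check: hold a deposit whose funds trace back to a flagged source."""
    dist = trace(transfers, seeds, max_hops)
    if deposit_addr in dist:
        return f"HOLD: {deposit_addr} is {dist[deposit_addr]} hop(s) from a flagged source"
    return f"CLEAR: {deposit_addr} has no path from flagged sources within {max_hops} hops"


if __name__ == "__main__":
    print("fan-out wallets:", fan_out_wallets(TRANSFERS))
    print("linked to earlier incidents:", linked_incidents(TRANSFERS, KNOWN_BAD, HISTORICAL_BAD))
    print(screen_deposit(TRANSFERS, KNOWN_BAD, "exchange_deposit_x"))
    print(screen_deposit(TRANSFERS, KNOWN_BAD, "exchange_deposit_y"))
```

Two caveats a practitioner would add. First, `max_hops` is a policy knob: too low and the bridge hop hides the origin, too high and ordinary users who received change from a tainted exchange hot wallet get held. Second, a cross-chain bridge or a privacy coin breaks the edge list, so the real graph has gaps the example's log does not; that is exactly why the article's reused 2021 address mattered, since it supplied a link the transfer graph alone could not.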

Why target small companies like Ginco instead of big exchanges?

Small companies often have weaker security, fewer staff, and less oversight. Ginco didn’t have a dedicated security team. Their employees used personal devices. Their internal communications weren’t encrypted. Hackers knew this. By compromising one employee, they gained access to the keys controlling millions in assets across multiple platforms.

Has any country successfully punished North Korea for these thefts?

No direct punishment has occurred. While the U.S. and South Korea have sanctioned individuals linked to Lazarus, and the UN has condemned the activity, there have been no arrests, no asset seizures, and no military response. The hackers operate from within North Korea - a country that doesn’t recognize international law in this area.

1 Comment
  • Ruby Ababio-Fernandez
    February 16, 2026 AT 07:27
    This is why we need to nuke their servers. Not talk. Not sanction. Nuke.