How North Korea Stole $3 Billion in Crypto and Why It Matters

Feb 16, 2026

Between 2017 and 2024, North Korean hackers stole more than $3 billion in cryptocurrency, and a single attack in February 2025 added another $1.5 billion. No other nation or criminal group comes close. This isn’t random hacking. It’s a state-run operation, carefully planned, highly coordinated, and directly tied to funding weapons programs that violate international sanctions. The numbers alone are staggering: the $1.5 billion taken from Bybit in one attack is more than North Korea stole in all of 2024 combined.

How Did They Do It?

North Korean hackers didn’t break into systems with brute force. They didn’t need to. They used people.

Take the DMM Bitcoin hack of May 2024. According to the joint statement by the FBI, the U.S. Department of Defense Cyber Crime Center and Japan’s National Police Agency, the attackers started in late March by posing as a recruiter on LinkedIn. They reached out to an employee at Ginco, a Japanese company that builds wallet software for crypto platforms, and sent a link to a GitHub page hosting what looked like a simple Python script - a "pre-employment test." It wasn’t. It was malware. The employee copied it to a personal GitHub page and was compromised. The malware gave the hackers the employee’s session cookie data, which let them impersonate the employee and, by mid-May, reach Ginco’s unencrypted internal communications system. No passwords cracked. No firewalls breached. Just a trusted name on LinkedIn and a fake file.

From there, they waited and watched. Roughly two months passed. They studied how the company operated and how employees requested transactions. Then, in late May, they manipulated a real one. A DMM employee requested a transfer; the hackers altered the request so that 4,502 BTC, about $308 million at the time, went to addresses they controlled. The employee never noticed. The request passed every check DMM had. The money was gone.
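The DMM intrusion described above turned on a stolen session cookie being replayed from the attacker’s machine. One detection a security team can run over its own authentication logs is to treat the first (IP, user agent) pair seen for a session as that session’s origin and alert whenever the same session id later appears from a different device, especially when the original device keeps working in parallel. The code below is an added example, not code from this article, from Ginco or from any product; the log records are constructed, and the field names (session_id, ip, user_agent) are assumptions about what an authentication gateway would emit.

```python
"""Flag a session cookie that is being used from two different devices.

Added example, not code from the article, from Ginco or from any product.
The log records and field names (session_id, ip, user_agent) are constructed
assumptions about what an authentication gateway would emit.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    ts: int           # unix seconds
    user: str
    session_id: str   # opaque id derived from the session cookie, never the cookie itself
    ip: str
    user_agent: str


# Constructed sample log: dev1 works from one Mac all morning, then the same
# session id shows up from a Windows browser on another network, then the
# original device resumes. dev2 is an ordinary single-device session.
SAMPLE_EVENTS = [
    AuthEvent(1716000000, "dev1", "sess-A1", "203.0.113.10", "Mozilla/5.0 (Macintosh)"),
    AuthEvent(1716000300, "dev1", "sess-A1", "203.0.113.10", "Mozilla/5.0 (Macintosh)"),
    AuthEvent(1716003900, "dev1", "sess-A1", "198.51.100.77", "Mozilla/5.0 (Windows NT 10.0)"),
    AuthEvent(1716004200, "dev1", "sess-A1", "203.0.113.10", "Mozilla/5.0 (Macintosh)"),
    AuthEvent(1716005000, "dev2", "sess-B7", "192.0.2.5", "Mozilla/5.0 (X11)"),
]


def detect_session_replay(events):
    """Return one alert per event where a session is used from a device
    fingerprint (ip, user_agent) other than the one that established it.

    The first fingerprint seen for a session is taken as its origin. A
    replayed cookie shows up as a second fingerprint; when the origin device
    is active again afterwards, two parties are holding the same cookie.
    """
    ordered = sorted(events, key=lambda e: e.ts)
    origin = {}                      # session_id -> fingerprint at first sight
    by_session = defaultdict(list)   # session_id -> events in time order
    alerts = []
    for ev in ordered:
        fp = (ev.ip, ev.user_agent)
        origin.setdefault(ev.session_id, fp)
        by_session[ev.session_id].append(ev)
        if fp != origin[ev.session_id]:
            alerts.append({
                "session_id": ev.session_id,
                "user": ev.user,
                "ts": ev.ts,
                "origin": origin[ev.session_id],
                "seen_from": fp,
                "concurrent_use": False,
            })
    # Mark alerts where the origin device was used again after the foreign use.
    for alert in alerts:
        alert["concurrent_use"] = any(
            ev.ts > alert["ts"] and (ev.ip, ev.user_agent) == alert["origin"]
            for ev in by_session[alert["session_id"]]
        )
    return alerts


def sessions_to_revoke(alerts):
    """Sessions the gateway should invalidate. The legitimate user then
    re-authenticates with a second factor, which an attacker holding only
    the cookie does not have."""
    return sorted({a["session_id"] for a in alerts})


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_EVENTS):
        print(alert)
    print("revoke:", sessions_to_revoke(detect_session_replay(SAMPLE_EVENTS)))
```

Detection is the fallback; the preventive control is to keep session lifetimes short and to re-check a strong factor before any sensitive action, so a copied cookie alone never reaches a transaction approval.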

This pattern repeats. In 2023 the same group hit Atomic Wallet in June, then Alphapo and CoinsPaid within a day of each other in July. Each time, social engineering got them inside. Then they moved slowly. Patiently. Like surgeons.

The $1.5 Billion Bybit Heist

The attack on Bybit on February 21, 2025 changed everything. Hackers drained nearly $1.5 billion in Ether and staked-Ether tokens from the exchange’s cold wallet - the largest single crypto theft ever recorded. The FBI attributed it to TraderTraitor, the North Korean activity cluster most people know as Lazarus, within five days, and Chainalysis and other blockchain intelligence firms reached the same conclusion from the laundering pattern. The intrusion never touched Bybit’s own servers. According to the post-incident analyses Bybit and Safe published, the attackers compromised a developer machine at Safe{Wallet}, the multisig interface Bybit used for its cold wallet, and injected JavaScript that, for Bybit’s wallet only, showed the signers a routine cold-to-warm transfer while the payload they actually signed delegatecalled an attacker contract and replaced the wallet’s logic. The required signers approved it.

After the theft the hackers didn’t rush to cash out, but they moved fast. Within hours the Ether was split across roughly 50 intermediary addresses, then pushed through decentralized swap services and cross-chain bridges into Bitcoin and other assets, and from there scattered across hundreds of wallets holding only a few thousand dollars each. No single wallet looked suspicious. No transaction stood out. Tracing was not the hard part: the addresses were public, and the FBI published them on February 26 with a call for exchanges, bridges and node operators to block them. The hard part is that by the time any one venue acts, the money has already moved to the next.

This isn’t luck. It’s strategy. North Korea has built a full-time cyber unit that treats crypto theft like a military campaign. They have analysts, engineers, social engineers, and launderers. They train for years. They test tools on small targets before going after giants.

Why North Korea? Why Crypto?

Sanctions have choked North Korea’s economy. Oil imports? Cut. Luxury goods? Blocked. Traditional banking? Impossible. But crypto? Crypto doesn’t care about borders. It doesn’t need a bank. It runs on code - and code can be hacked.

Between 2017 and 2024, North Korea stole about $3 billion. In 2024 alone it stole $1.34 billion, roughly 61% of all crypto stolen worldwide that year according to Chainalysis. That’s not coincidence. That’s a policy. The U.S. Treasury and the UN Panel of Experts both report that the stolen funds go toward nuclear weapons and missile programs; one estimate cited by the UN panel puts cyber theft at around 40% of the funding for those programs.

And it’s working. While the world focuses on sanctions, North Korea is quietly building its arsenal with stolen Bitcoin.


Who’s Targeted? And Why?

North Korean hackers don’t go after random exchanges. They pick specific targets:

  • Wallet providers like Ginco - because their software and staff sit in the transaction path of many clients.
  • Centralized exchanges like Bybit - because they store huge amounts of crypto.
  • Small teams - because they have weak security and fewer checks.
Multi-signature wallets are not a shield on their own: Bybit’s cold wallet was a multisig, and the attack worked by getting the required signers to approve a transaction that looked routine in the interface. What the attackers hunt for is any step where a person trusts a screen, a colleague or a file without independent verification: single passwords, unverified identities, remote access without 2FA, and signers who approve what a web page shows rather than what their hardware wallet decodes. Platforms with real-time monitoring and strict, independently verified approval flows give them far less to work with.

Chainalysis also found that North Korea’s 2024 thefts were concentrated in the first half of the year and fell by more than half after Kim Jong Un’s June summit with Vladimir Putin. Why? Probably because the leadership adjusts operations to global politics. When it has something to gain diplomatically, it pulls back. When attention shifts, it strikes.

What’s Being Done?

The FBI, the U.S. Department of Defense Cyber Crime Center and Japan’s National Police Agency jointly attributed the DMM hack; the FBI did the same for Bybit. They’ve named names: Lazarus, TraderTraitor, Jade Sleet - different organisations’ labels for the same activity cluster. They’ve released technical details: malware hashes, infrastructure indicators, and the wallet addresses holding stolen funds.

Exchanges are responding. Many now require:

  • Multi-signature withdrawals (requiring 3+ approvals)
  • Behavioral monitoring (flagging unusual transaction patterns)
  • Employee training with phishing simulations
  • Real-time blockchain alerts
But it’s not enough. Controls only help when they are applied as designed: Bybit had a multisig and still lost $1.5 billion because the signers verified the transaction on a web page instead of on the device that signed it. The hackers adapt faster. They learn from each failure. They test new methods on smaller targets before hitting big ones. And they’re getting smarter at laundering money, using DeFi protocols, privacy coins, and NFT marketplaces to hide tracks.
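The controls listed above only bite if each signer checks the decoded transaction, not the interface. The example below, added here and not code from this article, from Bybit, DMM or Safe, is the kind of policy check a signer’s own tooling would run before a hardware wallet is touched. The request fields mirror the shape of a Safe-style transaction (to, value, data, operation), and the two bad cases mimic the patterns on this page (a masked delegatecall, a swapped destination), but the policy, limits, addresses and sample requests are all constructed.

```python
"""Signer-side policy check for a multisig withdrawal.

Added example, not code from the article, from Bybit, DMM or Safe. The request
shape (to, value, data, operation) follows a Safe-style transaction; the policy,
limits, addresses and sample requests are constructed.
"""
import hashlib
import json
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1
ETH = 10**18


@dataclass(frozen=True)
class SigningRequest:
    to: str               # destination decoded from the raw transaction
    value: int            # wei, decoded from the raw transaction
    data: bytes           # calldata, decoded from the raw transaction
    operation: int        # CALL or DELEGATECALL
    displayed_to: str     # what the web UI showed the operator
    displayed_value: int  # what the web UI showed the operator


@dataclass
class Policy:
    allowed_destinations: frozenset   # lower-cased internal wallet addresses
    blocked_destinations: frozenset   # e.g. addresses from an FBI notice
    daily_limit: int                  # wei
    outflow_today: int                # wei already moved in the window


def signing_digest(req):
    """Digest over the fields that actually get signed. Each signer computes it
    on their own machine and compares it with what the hardware wallet shows,
    so a tampered front end cannot substitute a different payload unnoticed."""
    canonical = json.dumps(
        {"to": req.to.lower(), "value": req.value,
         "data": req.data.hex(), "operation": req.operation},
        sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_request(req, policy):
    """Return the reasons to refuse; an empty list means it is safe to sign.
    Every check reads the decoded transaction, never the UI's rendering."""
    reasons = []
    if req.operation != CALL:
        reasons.append("DELEGATECALL requested; a transfer never needs it")
    if req.data:
        reasons.append("calldata present on a request shown as a plain transfer")
    if req.to.lower() != req.displayed_to.lower() or req.value != req.displayed_value:
        reasons.append("decoded transaction differs from what the UI displayed")
    if req.to.lower() in policy.blocked_destinations:
        reasons.append("destination is on the block list")
    elif req.to.lower() not in policy.allowed_destinations:
        reasons.append("destination is not an allowlisted internal wallet")
    if policy.outflow_today + req.value > policy.daily_limit:
        reasons.append("would exceed the daily outflow limit")
    return reasons


# Constructed addresses and policy.
HOT_WALLET = "0x1111111111111111111111111111111111111111"
ATTACKER_WALLET = "0x2222222222222222222222222222222222222222"
ATTACKER_CONTRACT = "0x3333333333333333333333333333333333333333"
SAMPLE_POLICY = Policy(
    allowed_destinations=frozenset({HOT_WALLET}),
    blocked_destinations=frozenset({ATTACKER_WALLET}),
    daily_limit=20_000 * ETH,
    outflow_today=5_000 * ETH,
)

SAMPLE_REQUESTS = {
    # Routine cold-to-hot top-up: decoded fields match the UI.
    "routine": SigningRequest(HOT_WALLET, 10_000 * ETH, b"", CALL,
                              HOT_WALLET, 10_000 * ETH),
    # Bybit-style: the UI shows the same top-up, but the payload is a
    # delegatecall into a contract with calldata (selector bytes are arbitrary).
    "masked_delegatecall": SigningRequest(ATTACKER_CONTRACT, 0, bytes.fromhex("deadbeef"),
                                          DELEGATECALL, HOT_WALLET, 10_000 * ETH),
    # DMM-style: a genuine-looking transfer whose destination was swapped.
    "swapped_destination": SigningRequest(ATTACKER_WALLET, 10_000 * ETH, b"", CALL,
                                          HOT_WALLET, 10_000 * ETH),
}


def evaluate_samples(policy=SAMPLE_POLICY):
    """Map each sample name to the refusal reasons it triggers."""
    return {name: verify_request(req, policy) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, reasons in evaluate_samples().items():
        print(name, "->", "SIGN" if not reasons else reasons)
```

The point of the digest is procedural rather than cryptographic: if the value each signer computes from the raw transaction does not match the value on the hardware wallet’s screen, nobody signs, whatever the web page says.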


What This Means for You

If you use crypto, this isn’t just "them" - it’s "us." Every theft erodes trust. Every hack makes insurance costs rise. Every stolen dollar makes it harder for honest users to move money.

Platforms are raising fees. Regulators are tightening rules. Some exchanges now refuse to list new tokens because they fear being targeted. Users are losing confidence. And the cycle continues.

The real danger isn’t just the money stolen. It’s what that money buys: missiles, warheads, and the threat of escalation.

Can It Be Stopped?

Yes - but not with technology alone.

You can’t hack your way out of a social engineering attack. You can’t code your way out of a human mistake. The only real defense is culture: rigorous training, strict access controls, and a mindset that assumes every email, every link, every job offer could be a trap.

Governments need to act too. Sanctions alone won’t work. But if every exchange, bridge and swap service blocked the wallets linked to known North Korean addresses, it could choke the supply line. The FBI asked for exactly that after Bybit. Centralized venues can comply; the decentralized swap services that carried most of the Bybit funds largely cannot, and that gap is where the money goes.

Right now, they’re winning. Not because they’re unstoppable. But because we’re still treating this like a crime problem - not a national security crisis.

How much crypto has North Korea stolen in total?

At least $4.5 billion between 2017 and 2025: about $3 billion from 2017 to 2024, plus the $1.5 billion Bybit hack in February 2025, before counting the rest of 2025. The majority of these thefts were carried out by the Lazarus Group and the activity clusters tracked under its other names.

Which groups are behind these hacks?

The primary group is Lazarus, a state-sponsored hacking unit linked to North Korea’s Reconnaissance General Bureau. TraderTraitor (FBI and CISA), Jade Sleet (Microsoft), UNC4899 (Google Mandiant) and Slow Pisces (Palo Alto Networks) are not separate subgroups; they are different organisations’ names for the overlapping Lazarus activity that targets crypto and blockchain companies. Within the operation there are specialised roles: social engineers, malware developers, and launderers who move the funds.

How do North Korean hackers avoid getting caught?

They use layered laundering: splitting stolen funds across dozens of intermediary addresses, swapping between assets through decentralized exchanges and cross-chain bridges, running funds through mixers such as Tornado Cash and Sinbad (both since sanctioned), occasionally using privacy coins like Monero, and cashing out through over-the-counter brokers. They also go after the plumbing itself: the 2022 Ronin and Harmony bridge heists were theirs. And they time attacks for when defenders are stretched, such as weekends, holidays or periods of geopolitical distraction.
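The laundering pattern described in the Bybit section and in this answer (one theft address fanned out into hops and small wallets, then re-consolidated at a deposit address) is what blockchain analysts trace with taint propagation. The code below is an added example, not code from this article or from Chainalysis. The ledger is constructed to mimic that pattern, and account-model proportional ("haircut") taint is one of several conventions in use; choosing it here is an assumption. It also shows the two outputs an exchange actually consumes: a screening list of addresses that ever carried stolen value, and the consolidation points where many tainted senders converge.

```python
"""Proportional taint tracing through a fan-out of intermediary wallets.

Added example, not code from the article or from Chainalysis. The ledger is
constructed; proportional ("haircut") account-model taint is an assumed
convention.
"""
from collections import defaultdict
from fractions import Fraction

# Constructed ledger in chronological order: (sender, receiver, amount).
THEFT_ADDRESS = "thief0"
STARTING_BALANCES = {"victim_hot": 1000, "clean_user": 1000}
LEDGER = [
    ("victim_hot", THEFT_ADDRESS, 1000),   # the theft itself
    (THEFT_ADDRESS, "hop1", 400),          # first fan-out
    (THEFT_ADDRESS, "hop2", 300),
    (THEFT_ADDRESS, "hop3", 300),
    ("clean_user", "hop2", 300),           # hop2 also receives clean funds
    ("hop1", "peel_a", 200), ("hop1", "peel_b", 200),
    ("hop3", "peel_c", 150), ("hop3", "peel_d", 150),
    ("hop2", "exch_deposit", 600),         # re-consolidation begins
    ("peel_a", "exch_deposit", 200), ("peel_b", "exch_deposit", 200),
    ("peel_c", "exch_deposit", 150), ("peel_d", "exch_deposit", 150),
    ("clean_user", "merchant", 100),       # unrelated clean payment
]


def propagate_taint(ledger, starting_balances, theft_address):
    """Walk the ledger once. Each address carries a balance and a tainted
    portion; every outgoing transfer carries taint in proportion to the
    sender's tainted share at that moment. Anything received by the theft
    address is fully tainted. Returns (balance, tainted, tainted_inflow,
    tainted_senders); tainted_senders maps receiver -> senders that ever
    delivered taint to it. Fractions keep the arithmetic exact."""
    balance = defaultdict(Fraction, {k: Fraction(v) for k, v in starting_balances.items()})
    tainted = defaultdict(Fraction)
    tainted_inflow = defaultdict(Fraction)
    tainted_senders = defaultdict(set)
    for sender, receiver, amount in ledger:
        amount = Fraction(amount)
        if receiver == theft_address:
            taint_out = amount                      # seed: the theft is 100% tainted
        elif balance[sender] > 0:
            taint_out = amount * tainted[sender] / balance[sender]
        else:
            taint_out = Fraction(0)                 # unknown or empty source: treat as clean
        balance[sender] -= amount                   # a real tracer would reject overdrafts
        tainted[sender] -= min(taint_out, tainted[sender])
        balance[receiver] += amount
        tainted[receiver] += taint_out
        if taint_out > 0:
            tainted_inflow[receiver] += taint_out
            tainted_senders[receiver].add(sender)
    return balance, tainted, tainted_inflow, tainted_senders


def screening_list(tainted_inflow, threshold):
    """Addresses that ever received at least `threshold` of tainted value:
    the set an exchange loads into its deposit screening."""
    return sorted(a for a, v in tainted_inflow.items() if v >= threshold)


def consolidation_points(tainted_senders, min_sources=3):
    """Receivers fed by several tainted senders. Where the peel chains
    converge again is usually an exchange deposit address or an OTC desk."""
    return {a: len(s) for a, s in tainted_senders.items() if len(s) >= min_sources}


def trace(ledger=LEDGER, starting_balances=STARTING_BALANCES,
          theft_address=THEFT_ADDRESS, threshold=100):
    """Run the full analysis and return the three things an analyst reports."""
    _, tainted, inflow, senders = propagate_taint(ledger, starting_balances, theft_address)
    return {
        "tainted_now": {a: v for a, v in tainted.items() if v > 0},
        "screening_list": screening_list(inflow, threshold),
        "consolidation_points": consolidation_points(senders),
    }


if __name__ == "__main__":
    for key, value in trace().items():
        print(key, value)
```

Run on the constructed ledger, all 1000 units of taint end up at exch_deposit, hop2 passes on only half of what it sends because it mixed in clean funds, and the merchant that took a clean payment never appears on the screening list. Real tracing differs in the details (UTXO chains, bridge hops, chosen taint rule) but not in the shape of the problem: the fan-out is cheap for the launderer and the consolidation is where the defender can still act.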

Why target small companies like Ginco instead of big exchanges?

Small companies often have weaker security, fewer staff and less oversight, and a software vendor is a quieter entry point than an exchange. In the DMM case the FBI’s statement notes two details: the compromised Ginco employee handled the "test" script through a personal GitHub page, and Ginco’s internal communications system was unencrypted, so a stolen session cookie was enough to read it. By compromising one employee at the vendor, the hackers got into the transaction path of DMM, the vendor’s customer, and walked away with $308 million.

Has any country successfully punished North Korea for these thefts?

No North Korean operator has been arrested, and there has been no military response. U.S. prosecutors have indicted named Lazarus operators in absentia, the U.S. and South Korea have sanctioned individuals and entities linked to the group, the UN has condemned the activity, and some stolen funds have been frozen or seized: about $30 million of the 2022 Ronin proceeds were recovered, and part of the Bybit haul was frozen by exchanges and stablecoin issuers. But the people behind the keyboards operate from inside North Korea, which will not hand them over.

13 Comments


    Ruby Ababio-Fernandez

    February 16, 2026 AT 07:27
    This is why we need to nuke their servers. Not talk. Not sanction. Nuke.

    Alex Williams

    February 18, 2026 AT 01:30
    The real issue isn't the tech - it's the human layer. Most exchanges still rely on email-based 2FA and unverified HR processes. Lazarus doesn't brute force - they *onboard*. They're hiring interns through fake startups. One guy in Tokyo got a "remote dev role" with a 30-day probation. Turned out his "Python test" was a keylogger that harvested session tokens from his corporate laptop. We're not fighting hackers. We're fighting a state-sponsored HR department.

    Andrew Edmark

    February 18, 2026 AT 13:40
    I'm just imagining the poor guy at Ginco who downloaded that script 😔 He probably thought he was getting a shot at a cool crypto job. Now he's got nightmares. We need better awareness - not just for devs, but for recruiters, HR, everyone. Maybe companies should run mandatory phishing drills like airlines do with safety briefings. 🙏

    Ian Plunkett

    February 19, 2026 AT 21:45
    LMAO they stole $3B and you're all acting like it's a crypto blog post. This isn't theft - it's WAR. And we're still using Excel spreadsheets to track wallets while they're deploying AI-driven laundering bots that auto-rotate through 12,000 wallets/hour. The FBI? They're still asking for warrants. Meanwhile, Pyongyang's nuke program is running on Ether. 🤡

    Charrie VanVleet

    February 21, 2026 AT 16:09
    Honestly? This is why I stopped trusting centralized exchanges. I moved everything to hardware wallets + multisig. It's a pain, yeah - but I'd rather wait 3 days to send $100 than lose $100,000 to some LinkedIn recruiter. You think this is bad now? Wait till they start targeting DeFi governance votes. Next thing you know, your DAO is hacked because someone clicked "verify your identity" in a DM. Stay sharp, folks 💪

    Scott McCrossan

    February 22, 2026 AT 10:41
    Wow $3 billion stolen and you're all acting like this is some new thing? Bro, this has been happening since 2017. The real story is that nobody in crypto gives a damn. You all scream about FTX but ignore the fact that North Korea is literally funding missiles with your Dogecoin. And you wonder why regulators are coming after you? Because you let this happen. Pathetic.

    Beth Erickson

    February 22, 2026 AT 17:32
    So let me get this straight - we're spending billions on defense but can't stop a bunch of hackers from sending a fake job offer? This is why America's falling apart. No discipline. No accountability. Just vibes and "educate people". Meanwhile North Korea's building ICBMs with Bitcoin. Fix the system or shut up

    Jeremy Fisher

    February 23, 2026 AT 04:15
    You know what's wild? The same people who think blockchain is the future of finance are the ones who still use the same password for their email, their crypto wallet, and their LinkedIn. It's not a tech problem - it's a cultural one. We treat security like a checkbox, not a mindset. And we wonder why the bad guys win. It's like leaving your house unlocked because you "trust the neighborhood". Except the neighborhood is Pyongyang. And they've been practicing for 15 years. We're still learning how to turn on 2FA.

    Sasha Wynnters

    February 24, 2026 AT 09:43
    Crypto theft isn't crime. It's poetry. A symphony of entropy. A ballet of entropy danced by ghosts in machine code. The Lazarus Group didn't steal money - they stole *trust*. They turned human curiosity into a vulnerability. Every click, every download, every hopeful resume submission - it was a note in their composition. The $1.5B heist? Not a number. A crescendo. And we're still listening to the first violin. We don't need more firewalls. We need to stop believing in innocence.

    Rajib Hossaim

    February 24, 2026 AT 15:27
    I come from a country where cyber warfare is taught in schools as part of national defense. What North Korea is doing is not anomalous - it is strategic. The world must stop treating this as a financial crime. It is a military operation. We need coordinated global response - not just sanctions, but cyber deterrence. And yes, that means offensive capabilities too. Peace through strength, not just through spreadsheets.

    Jenn Estes

    February 26, 2026 AT 00:05
    I can't believe people are still surprised by this. You let people work remotely with no background checks, no device management, no training - and then act shocked when a hacker walks in through LinkedIn? This isn't a hack. It's negligence dressed up as innovation.

    Anandaraj Br

    February 27, 2026 AT 22:13
    Bro why are we even talking about this like it's news? It's 2025 and we still don't have a single crypto security standard. Every exchange is a casino with no bouncers. And the devs? They're too busy posting memes on X to fix the 2FA that says "we sent a code" but never checks if the phone number is real. North Korea is just the first to exploit the fact that we are all lazy as hell.

    AJITH AERO

    February 28, 2026 AT 23:36
    Lmao so North Korea stole 3 billion and now everyone's acting like they're the first to use social engineering? Bro I got a phishing email last week that said "your crypto account will be suspended unless you click this link". It was from "[email protected]". I replied with "cool bro here's my seed phrase" and waited for the refund. We're all just playing along. The real hack is believing this system works.
