
Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

North Korean Hackers Steal $2 Billion in Cryptocurrency in 2025

3 unique sources, 4 articles

Summary


North Korean hackers have stolen approximately $2 billion in cryptocurrency in 2025, the highest annual total recorded. This theft is part of a broader campaign to fund nuclear weapons development. The largest single heist was the Bybit hack in February, which accounted for $1.46 billion. The hackers' tactics have evolved to include more sophisticated laundering techniques and a shift towards targeting individuals and exchange employees through social engineering. The 2025 total so far is triple last year’s figure and beats 2022’s record of $1.35bn, which came on the back of attacks against Ronin Network and Harmony Bridge. The total amount stolen by North Korean hackers since 2017 exceeds $6 billion. Other notable breaches include LND.fi, WOO X, Seedify, and BitoPro. The Lazarus Group stole an estimated $11 million from BitoPro. The actual stolen amount may be higher due to difficulties in attribution and unreported incidents. Recently, five individuals pleaded guilty to aiding North Korea's illicit revenue generation schemes, including remote IT worker fraud and cryptocurrency theft. U.S. authorities are seeking the forfeiture of $15 million in cryptocurrency from heists carried out by the APT38 threat group, which is linked to the Lazarus hacking group.

Timeline

  1. 14.11.2025 22:11 1 article · 23h ago

    Five Plead Guilty to Aiding North Korean Cryptocurrency Theft

    Five individuals pleaded guilty to aiding North Korea's illicit revenue generation schemes, including remote IT worker fraud and cryptocurrency theft. U.S. authorities are seeking the forfeiture of $15 million in cryptocurrency from heists carried out by the APT38 threat group. The facilitators used stolen identities to help DPRK agents get hired by American firms, affecting 136 companies and generating over $2.2 million in revenue for the DPRK regime. APT38 has been laundering funds from hacks via cryptocurrency bridges, mixers, exchanges, and OTC traders.

  2. 07.10.2025 20:02 4 articles · 1mo ago

    North Korean Hackers Steal $2 Billion in Cryptocurrency in 2025

    The 2025 total so far is triple last year’s figure and beats 2022’s record of $1.35bn, which came on the back of attacks against Ronin Network and Harmony Bridge. Elliptic has attributed more than 33 additional hacks to North Korea so far this year. The actual stolen amount may be higher due to difficulties in attribution and unreported incidents. The 2025 total is almost triple last year’s tally, with most attacks conducted through social engineering. New laundering techniques include multiple mixing rounds, cross-chain transactions, obscure blockchains, and custom tokens. The hackers also exploit 'refund addresses' to redirect assets. Recently, five individuals pleaded guilty to aiding North Korea's illicit revenue generation schemes, including remote IT worker fraud and cryptocurrency theft. U.S. authorities are seeking the forfeiture of $15 million in cryptocurrency from heists carried out by the APT38 threat group, which is linked to the Lazarus hacking group.


Similar Happenings

US sanctions North Korean entities and individuals for cybercrime and IT worker fraud

The U.S. Treasury Department has imposed sanctions on ten North Korean individuals and entities involved in laundering $12.7 million in cryptocurrency and IT worker fraud. The sanctions target Ryujong Credit Bank and Korea Mangyongdae Computer Technology Company (KMCTC), along with their respective executives and financial representatives. The move aims to disrupt North Korea's ability to fund its weapons programs and other illicit activities through cybercrime and financial fraud. The Treasury Department has identified $12.7 million in transactions linked to North Korean financial institutions over the past two years. North Korean IT workers have been using foreign freelance programmers to establish business partnerships and split revenue. The Treasury Department has accused North Korea of leveraging its IT army to gain employment at companies by obfuscating their nationality and identities, funneling income back to the DPRK.

Cryptocurrency fraud network dismantled by European authorities

European law enforcement agencies have dismantled a cryptocurrency fraud network that stole over €600 million from victims across multiple countries. The fraudsters created fake cryptocurrency investment platforms promising high returns and recruited victims through social media, cold calling, and other methods. The stolen funds were laundered using blockchain tools. The coordinated operation took place between October 27 and 29 in Cyprus, Spain, Germany, France, and Belgium, resulting in the seizure of €800,000 in bank accounts, €415,000 in cryptocurrencies, €300,000 in cash, and a set of luxury watches worth €100,000. The investigation started in 2023, and the suspects face six charges, each carrying between five and 10 years in prison and between €1875 and €1m in fines. Several real estate properties are currently being appraised.

L3Harris Employee Pleads Guilty to Selling Zero-Day Exploits to Russian Entities

Peter Williams, a former general manager at L3Harris cyber-division Trenchant, pleaded guilty to selling at least eight zero-day exploits to a Russian cyber broker between 2022 and 2025. The exploits, stolen from Trenchant, were sold for $1,300,000 in cryptocurrency and were intended for the exclusive use of the U.S. government and select allies. The broker's clients include the Russian government, posing a significant national security threat. Williams used his privileged access to the company's network to steal the exploits and transmitted them via encrypted channels. The FBI has emphasized the severity of the crime, highlighting the potential impact on US national security. Williams now faces up to 10 years in prison and fines of $250,000 or twice the gain or loss pertinent to the offense. The case underscores the growing concern over the trade in commercial spyware and zero-day exploits, with international efforts underway to curb this activity. Trenchant, the cyber-capabilities business unit within L3Harris Technologies, was conducting its own investigation into the potential leak of Google Chrome zero-day vulnerabilities, with another employee, Jay Gibson, at the epicenter of the accusations.

Largest Cryptocurrency Seizure in UK: Bitcoin Queen Convicted

The Metropolitan Police secured a conviction in the world's largest cryptocurrency seizure, valued at over £5.5 billion ($7.3 billion). Zhimin Qian, known as the "Bitcoin Queen," pleaded guilty to a multibillion-pound fraudulent Bitcoin scheme that defrauded over 128,000 victims in China between 2014 and 2017. The scheme promised high returns on investments, raising 40 billion yuan from investors. Qian converted the proceeds into Bitcoin and fled to the UK, where she attempted to launder the funds through property purchases. The Met's Economic Crime teams, with international cooperation, seized 61,000 Bitcoin, making it the largest single crypto seizure in history. Qian, also known as Yadi Zhang, was sentenced to 11 years and eight months in prison. The investigation was launched in 2018 after a tip-off about the transfer of criminal assets, and Qian was arrested in April 2024. The scheme primarily targeted victims aged between 50 and 75 years old.

Interpol-led Operation HAECHI VI Seizes $439 Million in Global Cybercrime Crackdown

Interpol and 40 countries' law enforcement agencies seized $439 million in cash and cryptocurrency during Operation HAECHI VI, a five-month operation targeting cyber-enabled financial crimes. The operation, conducted between April and August 2025, involved a wide range of criminal activities, including voice phishing, investment fraud, e-commerce fraud, online sextortion, business email compromise, romance scams, and money laundering. The operation resulted in the seizure of 400 cryptocurrency wallets, blocking of 68,000 bank accounts, and the arrest of 45 suspects in Portugal. Additionally, Thai police seized $6.6 million transferred by a Japanese corporation into accounts controlled by a transnational organized crime group. This operation is part of a series of global efforts to combat cyber-enabled financial crimes, with previous operations HAECHI V and HAECHI IV also resulting in significant seizures and arrests.