
Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

North Korean Hackers Steal $2 Billion in Cryptocurrency in 2025

4 unique sources, 5 articles

Summary


North Korean hackers have stolen approximately $2.02 billion in cryptocurrency in 2025, the highest annual total recorded. The thefts are part of a broader campaign to fund the regime's nuclear weapons programme. The largest single heist was the February attack on Bybit, which alone accounted for $1.5 billion. The 2025 total so far is almost triple last year's figure and surpasses the 2022 record of $1.35 billion, which was driven by the attacks on Ronin Network and Harmony Bridge. In total, North Korean hackers have stolen more than $6.75 billion since 2017.

The tactics have evolved: laundering techniques are more sophisticated, and targeting has shifted towards individuals and exchange employees through social engineering. Other notable breaches in 2025 include LND.fi, WOO X, Seedify, and BitoPro; the Lazarus Group stole an estimated $11 million from BitoPro. The actual stolen amount may be higher because of attribution difficulties and unreported incidents.

Recently, five individuals pleaded guilty to aiding North Korea's illicit revenue generation schemes, including remote IT worker fraud and cryptocurrency theft, and U.S. authorities are seeking the forfeiture of $15 million in cryptocurrency from heists carried out by the APT38 threat group, which is linked to the Lazarus hacking group.

Timeline

  1. 18.12.2025 03:00 · 1 article

    Lazarus Group Steals $36 Million from Upbit in November 2025

    The Lazarus Group, affiliated with Pyongyang's Reconnaissance General Bureau (RGB), was responsible for the theft of $36 million worth of cryptocurrency from Upbit, South Korea's largest cryptocurrency exchange, in November 2025. Between 2020 and 2023 the group siphoned at least $200 million from more than 25 cryptocurrency heists.

  2. 14.11.2025 22:11 · 2 articles

    Five Plead Guilty to Aiding North Korean Cryptocurrency Theft

    Five individuals pleaded guilty to aiding North Korea's illicit revenue generation schemes, including remote IT worker fraud and cryptocurrency theft. U.S. authorities are seeking the forfeiture of $15 million in cryptocurrency from heists carried out by the APT38 threat group. The facilitators used stolen identities to help DPRK agents get hired by American firms, affecting 136 companies and generating over $2.2 million in revenue for the DPRK regime. APT38 has been laundering the proceeds of its hacks through cryptocurrency bridges, mixers, exchanges, and OTC traders. Minh Phuong Ngoc Vong, a Maryland man, was sentenced to 15 months in prison for his role in the IT worker scheme.

  3. 07.10.2025 20:02 · 5 articles

    North Korean Hackers Steal $2 Billion in Cryptocurrency in 2025

    The 2025 total so far is almost triple last year's figure and surpasses the 2022 record of $1.35 billion, which was driven by the attacks on Ronin Network and Harmony Bridge. Elliptic has attributed more than 33 additional hacks to North Korea so far this year; the actual stolen amount may be higher because of attribution difficulties and unreported incidents. Most of this year's attacks were conducted through social engineering. Laundering techniques now include multiple rounds of mixing, cross-chain transactions, use of obscure blockchains, and custom tokens; the attackers also abuse 'refund addresses' to redirect assets. Recently, five individuals pleaded guilty to aiding North Korea's illicit revenue generation schemes, including remote IT worker fraud and cryptocurrency theft, and U.S. authorities are seeking the forfeiture of $15 million in cryptocurrency from heists carried out by the APT38 threat group, which is linked to the Lazarus hacking group. The total stolen by North Korean hackers since 2017 exceeds $6.75 billion; the Bybit hack in February 2025 alone accounted for $1.5 billion.


Similar Happenings

Increasing Threat of Insider Cyber Threats Through Fake Worker Schemes

Cybercriminals are increasingly impersonating cybersecurity and IT professionals to gain privileged access within organizations. These threat actors manipulate the hiring process, creating elaborate fake personas with fabricated resumes, convincing online presences, and sophisticated deepfake technology to secure legitimate positions. Their primary goals include data theft, cyber espionage, and financial fraud, with significant consequences for organizations, including reputational damage, financial penalties, and legal repercussions. The rise of remote work has exacerbated this vulnerability, making it harder to verify identities and detect impersonations. Recent incidents, such as North Korean IT worker schemes and deepfake job interview incidents, highlight the real-world impact of these threats. Organizations must implement robust HR practices, advanced technical controls, and continuous security awareness training to mitigate these risks.

Europol Disrupts $55m in Cryptocurrency Linked to Online Piracy

A coordinated operation led by Europol, the European Union Intellectual Property Office, and Spain’s National Police targeted online intellectual property violations. The operation identified 69 sites, traced $55m in cryptocurrency flows, and disrupted 25 illicit IPTV services by collaborating with crypto service providers. The initiative also emphasized the growing use of cryptocurrency by criminals and the importance of international cooperation in combating digital piracy.

US sanctions North Korean entities and individuals for cybercrime and IT worker fraud

The U.S. Treasury Department has imposed sanctions on ten North Korean individuals and entities involved in laundering $12.7 million in cryptocurrency and IT worker fraud. The sanctions target Ryujong Credit Bank and Korea Mangyongdae Computer Technology Company (KMCTC), along with their respective executives and financial representatives. The move aims to disrupt North Korea's ability to fund its weapons programs and other illicit activities through cybercrime and financial fraud. The Treasury Department has identified $12.7 million in transactions linked to North Korean financial institutions over the past two years. North Korean IT workers have been using foreign freelance programmers to establish business partnerships and split revenue. The Treasury Department has accused North Korea of leveraging its IT army to gain employment at companies by obfuscating their nationality and identities, funneling income back to the DPRK.

Cryptocurrency fraud network dismantled by European authorities

European law enforcement agencies have dismantled a cryptocurrency fraud network that stole over €600 million from victims across multiple countries. The fraudsters created fake cryptocurrency investment platforms promising high returns and recruited victims through social media, cold calling, and other methods. The stolen funds were laundered using blockchain tools. The coordinated operation took place between October 27 and 29 in Cyprus, Spain, Germany, France, and Belgium, resulting in the seizure of €800,000 in bank accounts, €415,000 in cryptocurrencies, €300,000 in cash, and a set of luxury watches worth €100,000. The investigation started in 2023, and the suspects face six charges, each with between five and 10 years in prison and between €1875 and €1m in fines. Several real estate properties are currently being appraised.

L3Harris Employee Pleads Guilty to Selling Zero-Day Exploits to Russian Entities

Peter Williams, a former general manager at Trenchant, the cyber-capabilities business unit of L3Harris Technologies, pleaded guilty to selling at least eight zero-day exploits to a Russian cyber broker between 2022 and 2025. The exploits, stolen from Trenchant, were sold for $1,300,000 in cryptocurrency and had been intended for the exclusive use of the U.S. government and select allies. The broker's clients include the Russian government, making the sale a significant national security threat. Williams used his privileged access to the company's network to steal the exploits and transmitted them over encrypted channels. The FBI has emphasized the severity of the crime and its potential impact on U.S. national security. Williams faces up to 10 years in prison and a fine of $250,000 or twice the gain or loss pertinent to the offense. The case underscores growing concern over the trade in commercial spyware and zero-day exploits, with international efforts underway to curb it. Trenchant was separately conducting its own investigation into the potential leak of Google Chrome zero-day vulnerabilities, with another employee, Jay Gibson, at the centre of those accusations.