North Korean cryptocurrency theft campaign using social engineering

Campaign
H score 33
2 unique sources, 2 articles

Summary

A North Korean cryptocurrency theft campaign stole more than $2 billion in the first nine months of 2025, setting a new annual record and raising the stakes for exchanges and wealthy holders. The operation mainly relied on social engineering rather than crypto-infrastructure vulnerabilities. Stolen funds were then pushed through increasingly complex laundering chains to slow tracing and recovery. The scale of the activity shows how cyber-enabled theft has become a major funding channel for the regime.

Related Happenings

North Korean remote IT worker scam operation targeting American companies

Campaign
First: 16.04.2026 19:00 Last: 16.04.2026 19:00 Sources 1

About this happening: A long-running **North Korean remote IT worker scam operation** used **stolen identities** and fake placements to embed operators inside **more than 100 American companies**. The...

Approval phishing crypto wallet fraud campaign

Campaign
First: 13.04.2026 11:00 Last: 13.04.2026 11:00 Sources 1

About this happening: **Approval phishing** fraud networks were identified at scale, with **more than 20,000 victims** and at least **$33m** in additional stolen crypto tied to the operation. The fraud...

DPRK-linked cryptoasset theft campaign continuing into 2026

Campaign
First: 03.04.2026 11:35 Last: 03.04.2026 11:35 Sources 1

About this happening: The **DPRK-linked cryptoasset theft campaign** is continuing into **2026**, keeping **crypto and Web3** targets at risk of repeated theft and laundering activity. The operation us...

2025 Record surge in illicit cryptocurrency flows and cybercrime-related inflows

Target Trend
First: 30.01.2026 20:49 Last: 30.01.2026 20:49 Sources 1

How related: North Korean threat actors are estimated to have stolen more than $2 billion in cryptocurrency during the first nine months of 2025, blockchain analysis firm Elliptic says.

About this happening: **Illegal cryptocurrency flows** surged to a record **$158 billion** in **2025**, reversing a multi-year decline and signaling a broader resurgence in illicit on-chain activity. T...

Chinese money ecosystem shift changes threat-actor operations

Threat Actor Meta
First: 28.01.2026 12:30 Last: 28.01.2026 12:30 Sources 1

About this happening: **Chinese money laundering networks (CMLNs)** now include **Xinbi**, a Chinese-language marketplace the **UK’s FCDO** sanctioned for selling **stolen data** and **satellite intern...

Latest development: 26.03.2026 17:42

The UK’s FCDO sanctioned Xinbi, a Chinese-language online marketplace that sells stolen data and satellite internet equipment to scam networks in Southeast Asia, and also targeted #8 Park and Legend Innovation Co as part of the same action. Xinbi is believed to have helped North Korean threat actors launder cryptocurrency stolen in large heists, and Chainalysis says it processed over $19.9 billion between 2021 and 2025.

Timeline

  1. 08.10.2025 14:09 3 articles · 7mo ago

    North Korean crypto theft campaign exceeds $2 billion in 2025

    Campaign Scope Update

    Elliptic estimates that North Korean threat actors stole more than $2 billion in cryptocurrency during the first nine months of 2025, with the $1.46 billion Bybit theft driving much of the annual record. Elliptic says the same operators were responsible for at least 33 other crypto heists this year, that most of the activity used social engineering rather than crypto-infrastructure vulnerabilities, and that the stolen assets were laundered through multiple mixing rounds, cross-chain transactions, obscure blockchains, refund-address abuse, and token trading through laundering networks.
