[Analysis] North Korean Crypto Hacking Losses Surge 51% in 2025... Surpassing $2 Billion Through 'Qualitative Advancement'
In 2025, the volume of virtual assets stolen by North Korea-linked hackers reached $2.02 billion, a 51% increase from the previous year. While the number of attacks decreased, analysts assess that precise social engineering attacks targeting large exchanges and insider infiltration tactics proved effective.
Throughout 2025, the volume of virtual assets stolen by North Korea-linked cyber attackers surpassed $2 billion, breaking all-time records. This represents a 51% increase from the previous year, interpreted as a result of 'selection and focus,' where the frequency of attacks decreased while the scale and precision of individual attacks rose dramatically.
According to blockchain analysis firm Chainalysis's '2026 Crypto Crime Report,' the total amount stolen by North Korean hackers in 2025 reached $2.02 billion. This brings the cumulative revenue North Korea has gained from attacking the virtual asset industry since 2016 to approximately $6.75 billion.
This growth is attributed to the 'qualitative advancement' of attacks. Where the attackers previously targeted numerous small-to-medium-sized decentralized finance (DeFi) protocols with weak security, they are now precisely targeting centralized exchanges with massive capital.
North Korean hackers have pivoted to a strategy of generating higher returns with fewer attacks. This signifies that their cyber tactics have evolved beyond simple malware distribution into highly refined social engineering techniques.
The Bybit hacking incident in March 2025 is a symbolic example of this strategic shift. North Korea-linked groups stole $1.4 billion through this single attack, accounting for more than half of the total losses in 2025.
Combination of Insider Infiltration and Social Engineering Attacks
North Korea is actively placing IT personnel in jobs under false pretenses to breach the security networks of virtual asset companies. After being hired as developers or technical support staff using forged identities, these workers act as 'Trojan horses,' securing access to internal systems to facilitate asset theft.
- Distributing malware disguised as fake job advertisements and technical interviews
- Impersonating and approaching senior executives through business social media like LinkedIn
- Seizing internal administrator privileges through disguised IT workers
Stolen funds are processed through a complex money laundering network known as the 'Chinese Laundromat.' To evade tracking by investigative agencies, North Korea collaborates with professional laundering organizations in China to erase the source of assets and exchange them for local currency or other assets.
The use of cross-chain protocols like THORChain is also increasing during the fund transfer process. According to TRM Labs' analysis, North Korea is using the decentralized nature of THORChain to quickly and reliably move large amounts of funds between different blockchains.
International Surveillance Gaps and Security Threats
As of May 2026, a major hole has appeared in the international surveillance network against North Korean cybercrime as the Panel of Experts supporting the UN Security Council Sanctions Committee on North Korea ceased its activities. Some Security Council member states are concerned that the current multinational surveillance system lacks the authority of the former Panel of Experts.
Stolen virtual assets are a key resource for operating North Korea's weapons of mass destruction (WMD) and nuclear programs. UN reports identify North Korea as using funds secured through cyberattacks to procure hardware and automatic weapons needed for nuclear enrichment facilities.
As the virtual asset market becomes integrated into the institutional system, attacks by state-sponsored hackers are expected to become even more sophisticated. Centralized exchanges and related companies must fundamentally re-examine their defense capabilities by strengthening verification procedures for internal personnel and introducing real-time on-chain monitoring systems.




This content is for information and commentary only and is not investment advice.