North Korean hackers have stolen over $2bn in 2025, primarily targeting wealthy cryptocurrency holders. Groups like Lazarus focus on exchanges and high-value individuals, funding the regime’s nuclear and missile programs. The cumulative known cryptocurrency thefts now exceed $6bn, surpassing previous records. Analysts warn actual figures could be higher, and the regime also uses fake IT programs to bypass sanctions.
North Korean hackers have increasingly targeted wealthy cryptocurrency holders, reportedly stealing more than $2 billion (£1.49bn) so far in 2025, according to researchers. This marks a record for hackers linked to the regime, who now generate an amount equivalent to approximately 13% of North Korea’s gross domestic product (GDP), based on United Nations estimates.
For the past several years, hacking groups such as Lazarus Group have concentrated on attacking cryptocurrency exchanges to steal large amounts of digital tokens. However, investigators at research firm Elliptic warn that individual crypto holders with substantial wealth have become more appealing targets, as they often lack the same level of security measures used by businesses.
Western security officials say that stolen funds are used to support North Korea’s nuclear weapons and missile programs.
Dr. Tom Robinson, chief scientist at Elliptic, notes that attacks on individuals, which are less likely to be reported publicly, mean the true scale of North Korea’s cyber thefts could be even higher.
“Other thefts probably go unreported, and attributing cybercrime to North Korea is not an exact science,” he said. “We know of other attacks that show North Korean characteristics but lack sufficient evidence to confirm attribution.”
The North Korean embassy in the UK was contacted for comment but did not respond. In past instances, the regime has denied involvement in cyberattacks.
Elliptic and other companies, such as Chainalysis, can trace stolen funds in cryptocurrencies like Bitcoin and Ethereum by following public blockchain transaction records. Over time, researchers have identified consistent patterns in the tools and methods preferred by North Korean hackers.
Elliptic estimates that the thefts in 2025 alone bring the cumulative known value of cryptocurrency stolen by North Korea to more than $6 billion. Although North Korea does not release official GDP figures, the UN estimated the country’s 2024 GDP at $15.17 billion.
The largest hack attributed to North Korea this year occurred in February, when $1.4 billion was stolen from the cryptocurrency exchange ByBit. In addition to the ByBit attack, Elliptic analysts have linked over 30 other incidents to North Korea so far in 2025. Other notable thefts include $14 million stolen from 9 users on WOO X in July, and $1.2 million stolen from Seedify.
Elliptic has also worked privately with victims of other hacks that cost unnamed organizations and individuals tens or even hundreds of millions of dollars. The largest cryptocurrency theft from a single individual this year totals $100 million.
The scale of 2025’s activity surpasses North Korea’s previous record in 2022, when it is accused of stealing $1.35 billion in cryptocurrency. Alongside its highly active cybercrime units, the regime is increasingly alleged to operate a fake IT worker program, generating additional revenue and bypassing international sanctions.