How North Korea Stole $3 Billion in Crypto and Why It’s Still Happening
A single attack in February 2025 stole $1.5 billion in Ether from Bybit - more than the total stolen in all 47 cryptocurrency heists of 2024 combined. This wasn’t some random hacker group. It was North Korea.
Between 2017 and 2023, North Korean state-backed hackers stole around $3 billion in cryptocurrency. By 2024, that number jumped to $1.34 billion in just one year. And then came February 2025. The Bybit breach wasn’t an anomaly - it was the new normal. These aren’t random crimes. They’re calculated, state-funded operations designed to bypass sanctions and fund weapons programs. The world is watching, but the thefts keep growing.
How They Do It: From LinkedIn to Million-Dollar Heists
North Korean hackers don’t break into servers with brute force. They walk right in - through LinkedIn.
In the DMM hack of May 2024, attackers posed as recruiters. They reached out to employees at Ginco, a Japanese company that manages crypto wallets for other platforms. The pitch? A simple Python coding test for a job. The file? A malicious script disguised as a pre-employment challenge. Once opened, it gave them access to internal systems. Not by hacking the network - by tricking a person.
That’s the pattern. They target people, not systems. They study job titles, company structures, and communication flows. They wait months. In the DMM case, they compromised the employee in late March, then sat quietly until mid-May. By then, they had full access to internal chats and transaction systems. They didn’t steal coins directly. They manipulated a real transaction request - changing the destination address on a legitimate transfer. The company’s own system approved it. $308 million gone.
This isn’t a one-off. The same tactic took $100 million from Atomic Wallet, $60 million from Alphapo, and $37 million from CoinsPaid in June 2023. All through social engineering. All through trusted employees. All through patience.
The $1.5 Billion Bybit Heist: A New Level of Scale
Before February 2025, the biggest crypto theft was $600 million. Then came Bybit.
North Korean hackers stole nearly $1.5 billion in Ether - the largest single theft in history. Chainalysis confirmed it. The FBI confirmed it. The method? Even more refined than before. They didn’t just steal. They laundered instantly. Using decentralized exchanges and cross-chain bridges, they split the Ether into smaller chunks, converted portions into Bitcoin, and scattered it across hundreds of wallets. Each transfer added a layer of obscurity. By the time investigators traced one path, the money had vanished into five others.
This wasn’t just a heist. It was a financial maneuver. The goal wasn’t just to steal - it was to make the money untraceable. And they succeeded. Even with advanced blockchain analysis tools, tracking the full flow of funds remains nearly impossible.
Why North Korea? Sanctions, Weapons, and Crypto
North Korea doesn’t have oil exports. It doesn’t have global trade. Sanctions have choked its economy. But it still needs to fund its nuclear program. And crypto? It’s the perfect workaround.
Unlike banks or wire transfers, cryptocurrency moves without oversight. No central authority. No government regulator. No paper trail. A single transaction can move millions across borders in minutes. North Korea realized this early. They built a full cyberwarfare unit dedicated to crypto theft - not for profit, but for survival.
According to UN assessments, every dollar stolen since 2017 has gone to weapons development. Missile fuel. Uranium enrichment. Testing facilities. The money doesn’t sit in bank accounts. It’s spent on materials, engineers, and equipment - all hidden behind layers of shell companies and black-market trades. The hackers aren’t criminals. They’re soldiers.
Who’s Behind It? The Groups You Need to Know
It’s not one team. It’s five, working in sync.
- Lazarus Group: The oldest and most notorious. Responsible for early attacks, including the 2018 $100 million hack of Bithumb.
- TraderTraitor: Focused on wallet providers. Hit Atomic Wallet, Alphapo, and CoinsPaid in 2023.
- Jade Sleet: Specializes in social engineering. Used the LinkedIn tactic in the DMM case.
- UNC4899: Targets exchanges with weak KYC controls. Active since 2022.
- Slow Pisces: Masters of laundering. Handles the post-theft cleanup of the money trail.
Each group has a role. One finds the entry point. One infiltrates. One moves the money. One covers the tracks. They operate like a military unit - no wasted effort. No overlap. Just precision.
The Bigger Picture: Crypto Is Now a National Security Issue
This isn’t just about lost coins. It’s about global stability.
In 2024, North Korean groups stole 61% of all cryptocurrency taken worldwide - even though they carried out only 20% of the attacks. That means they’re not just stealing more - they’re stealing smarter. They hit the biggest targets. They avoid small exchanges. They wait for the right moment. They exploit gaps in security that others overlook.
Exchanges now face higher insurance costs. Regulators are demanding multi-signature wallets. Some platforms have stopped supporting certain tokens entirely. Users are losing trust. And yet, the attacks keep succeeding.
The U.S. Department of Defense, Japan’s National Police Agency, and the FBI have formed joint task forces. They’ve published detailed reports. They’ve named names. They’ve released technical indicators - IP addresses, malware signatures, wallet patterns. But North Korea doesn’t care. They keep changing tactics. They keep adapting.
What’s Next? The Arms Race in Crypto Security
The crypto world is playing catch-up. But the hackers are always ahead.
Some exchanges now require employees to use hardware keys for every transaction. Others have banned remote access entirely. A few are using AI to flag suspicious behavior - like a user logging in from a new device after hours. But none of it is foolproof.
The real problem? Human error. No amount of encryption can stop someone who clicks a fake job link. No firewall can block a trusted employee who’s been manipulated for months.
Experts warn the next phase will involve AI-powered phishing. Imagine a fake LinkedIn message that perfectly mimics your boss’s tone, your company’s style, even your internal jargon. It’s already being tested. And when it launches, the next $1 billion heist could happen before anyone notices.
The $3 billion stolen so far is just the beginning. With sanctions tightening and traditional revenue streams drying up, North Korea has only one path left: crypto. And they’re not stopping.
What You Can Do - Even If You’re Not an Exchange
You might think this doesn’t affect you. But it does.
- If you use crypto: Double-check every transaction. Never send funds to a new address without verifying it twice.
- If you work at a company that handles crypto: Demand mandatory training on social engineering. Ask if your team uses hardware keys. Push for multi-signature controls.
- If you’re a developer: Never share code publicly without scanning for hidden backdoors. Malicious scripts can hide in plain sight.
The biggest defense isn’t technology. It’s awareness. The hackers don’t need to break in. They just need you to let them in.
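The destination-address swap in the DMM account above is exactly what multi-signature controls and destination allowlists are meant to stop. The block below is an added illustration, not code from this article or from any exchange: each approval is bound to a digest of the whole request, so changing the destination voids every earlier approval, and a newly allowlisted address is unusable until a cooling period has passed. Approver names, keys, addresses and timestamps are constructed.

```python
from __future__ import annotations
import hashlib, hmac, json
from dataclasses import dataclass, asdict

# Constructed approver secrets, standing in for per-person hardware-key signatures.
APPROVER_KEYS = {"alice": b"alice-hw-key", "bob": b"bob-hw-key"}
# Constructed allowlist: destination address -> unix time it was added.
ALLOWLIST = {"0xCOLD-TREASURY": 0}
COOLING_PERIOD = 24 * 3600   # new destinations cannot receive funds for 24h
REQUIRED_APPROVALS = 2       # the multi-signature threshold

@dataclass(frozen=True)
class Transfer:
    request_id: str
    destination: str
    amount_eth: float

def canonical_digest(t: Transfer) -> bytes:
    # Every field an approver vouches for goes into the digest, so a later
    # edit to the destination or amount invalidates all existing approvals.
    payload = json.dumps(asdict(t), sort_keys=True).encode()
    return hashlib.sha256(payload).digest()

def approve(t: Transfer, approver: str) -> bytes:
    # An approver "signs" the digest of the request as they saw it.
    return hmac.new(APPROVER_KEYS[approver], canonical_digest(t), "sha256").digest()

def can_execute(t: Transfer, approvals: dict[str, bytes], now: int) -> tuple[bool, str]:
    # Check 1: the destination must already be on the allowlist.
    added = ALLOWLIST.get(t.destination)
    if added is None:
        return False, "destination not on allowlist"
    # Check 2: an address added moments ago (e.g. by a compromised account)
    # is still inside its cooling period and cannot be paid yet.
    if now - added < COOLING_PERIOD:
        return False, "destination allowlisted too recently"
    # Check 3: count approvals that still match the request as it stands now.
    valid = {a for a, sig in approvals.items()
             if a in APPROVER_KEYS and hmac.compare_digest(sig, approve(t, a))}
    if len(valid) < REQUIRED_APPROVALS:
        return False, f"only {len(valid)} valid approval(s)"
    return True, "ok"
```

Because the approvals are tied to the original request digest, an attacker who rewrites the destination after the approvers have signed off is left with zero valid approvals, and adding their own address to the allowlist only buys a transfer that is blocked until the cooling period has elapsed.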
Danny Kim
February 27, 2026 at 09:26