How North Korea Stole $3 Billion in Crypto and Why It’s Still Happening

Ben Bevan, 27 February 2026

A single attack in February 2025 stole $1.5 billion in Ether from Bybit - more than the total stolen in all 47 cryptocurrency heists of 2024 combined. This wasn’t some random hacker group. It was North Korea.

Between 2017 and 2023, North Korean state-backed hackers stole around $3 billion in cryptocurrency. In 2024 alone, they stole $1.34 billion. And then came February 2025. The Bybit breach wasn’t an anomaly - it was the new normal. These aren’t random crimes. They’re calculated, state-funded operations designed to bypass sanctions and fund weapons programs. The world is watching, but the thefts keep growing.

How They Do It: From LinkedIn to Million-Dollar Heists

North Korean hackers don’t break into servers with brute force. They walk right in - through LinkedIn.

In the DMM hack of May 2024, attackers posed as recruiters. They reached out to employees at Ginco, a Japanese company that manages crypto wallets for other platforms. The pitch? A simple Python coding test for a job. The file? A malicious script disguised as a pre-employment challenge. Once opened, it gave them access to internal systems. Not by hacking the network - by tricking a person.

That’s the pattern. They target people, not systems. They study job titles, company structures, and communication flows. They wait months. In the DMM case, they compromised the employee in late March, then sat quietly until mid-May. By then, they had full access to internal chats and transaction systems. They didn’t steal coins directly. They manipulated a real transaction request - changing the destination address on a legitimate transfer. The company’s own system approved it. $308 million gone.
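One control aimed at the destination swap described above, shown as an added example (not code from the article or from any company it names): each approval is bound to a digest of the request's asset, amount and destination, so a request altered after review no longer carries valid approvals. The function names, the 2-of-N threshold, the placeholder addresses and the use of HMAC in place of hardware-key signatures are all assumptions.

```python
import hashlib
import hmac
import json

BOUND_FIELDS = ("request_id", "asset", "amount", "destination")

def request_digest(req: dict) -> bytes:
    """SHA-256 over a canonical encoding of the fields approvers agree to."""
    canonical = json.dumps({k: req[k] for k in BOUND_FIELDS},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).digest()

def approve(req: dict, approver: str, key: bytes) -> dict:
    """Approver tags the digest of the request they reviewed.
    HMAC is an assumption standing in for a hardware-key signature."""
    tag = hmac.new(key, request_digest(req), hashlib.sha256).hexdigest()
    return {"approver": approver, "tag": tag}

def may_sign(req: dict, approvals: list, keys: dict, threshold: int = 2) -> bool:
    """Allow signing only if `threshold` distinct approvers tagged THIS request."""
    digest = request_digest(req)
    valid = set()
    for a in approvals:
        key = keys.get(a["approver"])
        if key is None:
            continue  # unknown approver: ignore
        expected = hmac.new(key, digest, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, a["tag"]):
            valid.add(a["approver"])  # a set, so repeated approvals count once
    return len(valid) >= threshold

# Constructed sample data (placeholder addresses, demo keys).
KEYS = {"alice": b"demo-key-alice", "bob": b"demo-key-bob"}
ORIGINAL = {"request_id": "REQ-0001", "asset": "BTC", "amount": "12.50000000",
            "destination": "ADDR-CUSTOMER-0001"}
APPROVALS = [approve(ORIGINAL, name, KEYS[name]) for name in ("alice", "bob")]
# Same request with only the destination altered after approval.
TAMPERED = dict(ORIGINAL, destination="ADDR-UNKNOWN-9999")

if __name__ == "__main__":
    print("original:", may_sign(ORIGINAL, APPROVALS, KEYS))
    print("tampered:", may_sign(TAMPERED, APPROVALS, KEYS))
```

The check only holds if approvers review the request on a device separate from the system that assembles the transaction; otherwise a compromised host can show them the altered request before they approve it.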

This isn’t one-off. The same tactic took $100 million from Atomic Wallet, $60 million from Alphapo, and $37 million from CoinsPaid in June 2023. All through social engineering. All through trusted employees. All through patience.

The $1.5 Billion Bybit Heist: A New Level of Scale

Before February 2025, the biggest crypto theft was $600 million. Then came Bybit.

North Korean hackers stole nearly $1.5 billion in Ether - the largest single theft in history. Chainalysis confirmed it. The FBI confirmed it. The method? Even more refined than before. They didn’t just steal. They laundered instantly. Using decentralized exchanges and cross-chain bridges, they split the Ether into smaller chunks, converted portions into Bitcoin, and scattered it across hundreds of wallets. Each transfer added a layer of obscurity. By the time investigators traced one path, the money had vanished into five others.

This wasn’t just a heist. It was a financial maneuver. The goal wasn’t just to steal - it was to make the money untraceable. And they succeeded. Even with advanced blockchain analysis tools, tracking the full flow of funds remains nearly impossible.

Why North Korea? Sanctions, Weapons, and Crypto

North Korea doesn’t have oil exports. It doesn’t have global trade. Sanctions have choked its economy. But it still needs to fund its nuclear program. And crypto? It’s the perfect workaround.

Unlike banks or wire transfers, cryptocurrency moves without oversight. No central authority. No government regulator. No paper trail. A single transaction can move millions across borders in minutes. North Korea realized this early. They built a full cyberwarfare unit dedicated to crypto theft - not for profit, but for survival.

According to UN assessments, every dollar stolen since 2017 has gone to weapons development. Missile fuel. Uranium enrichment. Testing facilities. The money doesn’t sit in bank accounts. It’s spent on materials, engineers, and equipment - all hidden behind layers of shell companies and black-market trades. The hackers aren’t criminals. They’re soldiers.


Who’s Behind It? The Groups You Need to Know

It’s not one team. It’s five, working in sync.

  • Lazarus Group: The oldest and most notorious. Responsible for early attacks, including the 2018 $100 million hack of Bithumb.
  • TraderTraitor: Focused on wallet providers. Hit Atomic Wallet, Alphapo, and CoinsPaid in 2023.
  • Jade Sleet: Specializes in social engineering. Used the LinkedIn tactic in the DMM case.
  • UNC4899: Targets exchanges with weak KYC controls. Active since 2022.
  • Slow Pisces: Masters of laundering. Handles the post-theft cleanup of the money trail.

Each group has a role. One finds the entry point. One infiltrates. One moves the money. One covers the tracks. They operate like a military unit - no wasted effort. No overlap. Just precision.

The Bigger Picture: Crypto Is Now a National Security Issue

This isn’t just about lost coins. It’s about global stability.

In 2024, North Korean groups stole 61% of all cryptocurrency taken worldwide - even though they carried out only 20% of the attacks. That means they’re not just stealing more - they’re stealing smarter. They hit the biggest targets. They avoid small exchanges. They wait for the right moment. They exploit gaps in security that others overlook.

Exchanges now face higher insurance costs. Regulators are demanding multi-signature wallets. Some platforms have stopped supporting certain tokens entirely. Users are losing trust. And yet, the attacks keep succeeding.

The U.S. Department of Defense, Japan’s National Police Agency, and the FBI have formed joint task forces. They’ve published detailed reports. They’ve named names. They’ve released technical indicators - IP addresses, malware signatures, wallet patterns. But North Korea doesn’t care. They keep changing tactics. They keep adapting.


What’s Next? The Arms Race in Crypto Security

The crypto world is playing catch-up. But the hackers are always ahead.

Some exchanges now require employees to use hardware keys for every transaction. Others have banned remote access entirely. A few are using AI to flag suspicious behavior - like a user logging in from a new device after hours. But none of it is foolproof.

The real problem? Human error. No amount of encryption can stop someone who clicks a fake job link. No firewall can block a trusted employee who’s been manipulated for months.

Experts warn the next phase will involve AI-powered phishing. Imagine a fake LinkedIn message that perfectly mimics your boss’s tone, your company’s style, even your internal jargon. It’s already being tested. And when it launches, the next $1 billion heist could happen before anyone notices.

The $3 billion stolen so far is just the beginning. With sanctions tightening and traditional revenue streams drying up, North Korea has only one path left: crypto. And they’re not stopping.

What You Can Do - Even If You’re Not an Exchange

You might think this doesn’t affect you. But it does.

  • If you use crypto: Double-check every transaction. Never send funds to a new address without verifying it twice.
  • If you work at a company that handles crypto: Demand mandatory training on social engineering. Ask if your team uses hardware keys. Push for multi-signature controls.
  • If you’re a developer: Never share code publicly without scanning for hidden backdoors. Malicious scripts can hide in plain sight.

The biggest defense isn’t technology. It’s awareness. The hackers don’t need to break in. They just need you to let them in.

16 Comments

  • Danny Kim

    February 27, 2026 AT 09:26
    So let me get this straight - North Korea’s hacking team is basically the ultimate LinkedIn recruiter scam artist? 🤯 I mean, who knew a Python test could be the new weapon of mass financial destruction. This isn’t hacking. It’s psychological warfare with a side of fake job offers.
  • Carl Gaard

    February 28, 2026 AT 05:52
    I can’t believe people still fall for this. 😭 I got a DM last week that looked exactly like this - ‘Hey, we loved your GitHub!’ Then a .zip file. I didn’t open it. But my cousin did. Lost $8k. RIP, Dave. We’re all just one click away from being a statistic.
  • Michael Rozputniy

    February 28, 2026 AT 16:09
    This is all a psyop by the FBI to justify more surveillance and crypto bans. They don’t even know if it’s North Korea. Maybe it’s Israel or China. They just want you scared. The real theft is your privacy. They’re using this to make you hand over your keys. Don’t trust the narrative.
  • Ryan Burk

    February 28, 2026 AT 23:04
    Lmao $3 billion? That’s less than Elon spent on X in a month. Why are we acting like this is some apocalyptic event? Crypto’s a casino. If you don’t know how to protect yourself, you deserve to lose. Stop pretending this is a national security crisis - it’s just bad financial literacy.
  • Cathy Sunshine

    March 1, 2026 AT 18:28
    The real tragedy isn’t the theft - it’s the human cost of our collective delusion. We built a system where trust is commodified, attention is monetized, and vulnerability is exploited. The hackers didn’t invent this - we did. We optimized for convenience over conscience. Now we’re reaping the existential ROI of our own narcissism. The blockchain doesn’t lie. But we sure do.
  • Michelle Xu

    March 3, 2026 AT 01:09
    I’ve worked in fintech for over a decade, and this is terrifyingly accurate. The DMM hack? I’ve seen the exact same playbook in our own org. They don’t need to crack your firewall - they just need to crack your HR onboarding email. We now require 3-person approval for any wallet change, and mandatory quarterly social engineering drills. It’s not sexy. But it works. If your company hasn’t done this yet - do it. Today.
  • Neeti Sharma

    March 3, 2026 AT 04:12
    The USA always cries wolf, but China and India never steal crypto. Why? Because we are honest and hardworking. North Korea is just a poor country trying to survive. You Americans make crypto so easy to steal because you don’t even lock your doors. Shame on you.
  • Elizabeth Smith

    March 4, 2026 AT 20:03
    The fact that we’re still treating this like a cybersecurity issue instead of a moral failure says everything about our society. We don’t punish greed. We don’t shame exploitation. We just build fancier firewalls and call it progress. Meanwhile, real people are starving because a state-sponsored crew turned LinkedIn into a weapons platform. We’re not victims. We’re enablers.
  • Jessica Carvajal montiel

    March 5, 2026 AT 01:48
    This is the new world order. The state is the hacker. The people are the vulnerability. The crypto is just the vessel. They don’t care about money - they care about control. And if you think this stops with North Korea, you’re not paying attention. The next one won’t be a nation. It’ll be a corporation. And they’ll have your government’s blessing.
  • Jan Czuchaj

    March 6, 2026 AT 05:15
    There’s a deeper philosophical question here: if a person is manipulated into willingly handing over access to billions - is it theft, or is it surrender? We’ve created a culture where convenience trumps caution, where trust is assumed, not earned. The hackers didn’t steal the keys. We gave them to the first person who asked nicely. This isn’t a technical failure. It’s a failure of collective will. We chose to believe the lie. And now we’re living with the cost.
  • Felicia Eriksson

    March 7, 2026 AT 05:08
    I just want to say thank you to everyone who’s trying to fix this. The devs building better auth, the educators teaching phishing awareness, the auditors digging through chains - you’re the quiet heroes. We don’t talk about you enough. Keep going. The world needs your calm, steady work.
  • Patrick Streeb

    March 8, 2026 AT 16:39
    The structural vulnerability exposed here is not technological, but institutional. Financial systems designed for speed and liquidity have systematically deprioritized verification. This is not an anomaly - it is the inevitable consequence of regulatory arbitrage. Until exchanges are legally required to implement human-centric security protocols - not merely technical ones - this pattern will persist. The solution lies not in better encryption, but in better governance.
  • Cameron Pearce Macfarlane

    March 9, 2026 AT 13:33
    I’ve been saying this for years - crypto is a scam. All of it. The blockchain? A glorified spreadsheet. The hackers? Just exposing the truth. If you can’t protect your money, you shouldn’t have it. This isn’t North Korea’s fault - it’s yours. You believed in a digital fairy tale. Now wake up.
  • Phillip Marson

    March 10, 2026 AT 17:20
    The real villain here isn’t Lazarus or Jade Sleet. It’s the VC who funded 17 crypto startups last year with zero KYC. It’s the exchange that said ‘trust us’ while their CEO got a Tesla. It’s the regulators who let this happen because they didn’t wanna ‘stifle innovation.’ This isn’t a heist. It’s a coronation. And we all showed up to the party.
  • Sean Logue

    March 11, 2026 AT 16:12
    As someone who’s lived in 5 countries, I’ve seen how culture shapes security. In Japan, they train people to say ‘no’ to weird requests. In the U.S.? We say ‘sure, here’s my password.’ Maybe the fix isn’t tech - maybe it’s a cultural reset. Teach kids to question. Teach adults to pause. Before you click, ask: ‘Who really asked for this?’
  • aaron marp

    March 12, 2026 AT 08:12
    I’m not a crypto expert, but I know this: the most dangerous thing in any system isn’t the firewall - it’s the person who thinks they’re too smart to get scammed. You don’t need more tools. You need more humility. The hackers aren’t geniuses. They’re just better at reading people than we are at reading ourselves. Slow down. Double-check. Breathe. The money will still be there tomorrow.
