From Bybit To Bitcoin Billionaires: Inside North Korea’s 2025 Cybercrime Surge


In Brief
North Korean hackers have stolen over $2 billion in cryptocurrency in 2025 alone, increasingly relying on sophisticated social engineering and insider infiltration to fund the regime’s sanctioned programs.

North Korean cybercriminals have looted more than $2 billion in cryptocurrency in 2025 alone, setting a new record for state-sponsored digital theft, according to blockchain analytics firm Elliptic. The figure, already the highest on record, could rise further before year’s end — a sign that Pyongyang’s cyber-operations have become both more aggressive and more professionalized.
A Year of Unprecedented Losses
Elliptic attributes the surge primarily to February’s $1.46 billion breach of the Bybit exchange, the largest crypto heist in history. Yet the company also tied more than thirty additional hacks this year to North Korean groups such as Lazarus.
Elliptic's analysts note that the true figure is probably higher still: a number of further thefts share technical and behavioural hallmarks with known DPRK operations but lack the forensic evidence needed for a confident attribution.
The report also points to persistent underreporting. Some incidents are never disclosed, and others are never detected, so the total global loss cannot be pinned down with any precision.
Chainalysis data shows the same trajectory: hackers linked to North Korea took roughly $1.34 billion in 2024, about double the previous year's total, a clear sign of how quickly the DPRK's cyber operations have scaled.
Security experts say the funds are a crucial revenue stream for the regime, which uses digital theft to help bankroll its weapons and missile programs amid heavy international sanctions.
From Code Exploits to Human Manipulation
While earlier waves of attacks exploited vulnerabilities in smart-contract code or exchange infrastructure, this year’s operations leaned heavily on social engineering — tricking people rather than breaking software.
Elliptic observed that the weak point in crypto security is now “increasingly human.” Hackers have impersonated investors, recruiters, and venture-capital collaborators to approach both executives and developers at crypto firms.
A common scheme involves fake video calls in which a supposed connection error prompts the victim to run a snippet of “diagnostic” code — malware that grants attackers remote access to wallets or company systems.
Developers have also been lured by job offers requiring them to complete a “skills test” through a cloned repository seeded with malicious files.
Rising cryptocurrency prices, including Bitcoin’s new all-time highs, have only intensified the problem. With fortunes made overnight, high-net-worth holders have become prime targets, often lacking the layered defenses of large exchanges.
Major Incidents Illustrate the Pattern
In September, blockchain investigator ZachXBT identified suspicious outflows from SBI Crypto, a subsidiary of Japan's SBI Group. Around $21 million in bitcoin, ether, litecoin, dogecoin, and bitcoin cash was siphoned from company-linked addresses, swapped through instant exchanges, and then routed into Tornado Cash, the Ethereum mixing service that the U.S. Treasury sanctioned in 2022 (a designation it lifted in March 2025).
ZachXBT noted that the tactics resembled prior North Korean state-backed operations, raising fears that the SBI incident is another link in a long chain of DPRK-sponsored heists.
SBI Group has not publicly acknowledged the breach or responded to media requests for comment.
Even established global exchanges have not been immune. A Bloomberg investigation this year revealed that Crypto.com had suffered a security lapse in early 2023 after teenage hackers affiliated with the Scattered Spider group accessed an employee account. The breach allegedly exposed limited user data, though no funds were stolen.
The platform’s handling of the episode drew criticism after claims surfaced that it had downplayed the incident.
CEO Kris Marszalek rejected those claims as “unfounded,” emphasizing that the phishing attempt was swiftly contained and disclosed to regulators. He insisted the company maintains a “security-first culture” and continually hardens its systems.
These episodes underscore a sobering reality: even well-resourced, regulated firms can be compromised through a single employee.
Inside Jobs and Fake Developers
North Korea’s hackers are also infiltrating crypto firms from within, posing as IT professionals or bribing insiders, according to Binance co-founder Changpeng “CZ” Zhao.
In recent posts on X, Zhao warned that DPRK agents “pose as job candidates” seeking positions in development, security, or finance — gaining a literal foot in the door. Some even masquerade as employers to lure real staff into fake interviews, during which a supposed Zoom problem leads to the installation of a malicious “update.”
Others send “sample code” or links packed with hidden exploits, or approach support teams pretending to be customers in need of technical help. In certain cases, Zhao said, operatives have offered bribes to employees or contractors in exchange for data access.
He urged exchanges to tighten hiring protocols and employee training, stressing that many attacks start with an innocent-looking file.
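A triage script a defender could run over a freshly cloned repository before opening it is shown below, as an added example that is not the article's own material or any named firm's tooling. It serves both the "skills test" repository lure described earlier and Zhao's warning about "sample code" packed with hidden exploits. It assumes (a widely seen pattern, but an assumption here rather than something the article states) that lure repositories put their payload in package-manager lifecycle hooks and in decode-then-eval one-liners, often under a dot-directory; the sample repository it builds is constructed for the demonstration and its "payload" only prints a line.

```python
"""Triage a freshly cloned "skills test" repository before running anything in it.

Added example; not tooling from the article or any firm it names. Assumptions,
marked in comments: lure repositories hide their payload in package-manager
lifecycle hooks and in obfuscated decode-then-execute one-liners. The rules are
triage signals, not proof of compromise, and a clean result is not a verdict.
"""
import base64
import json
import os
import re
import tempfile
from dataclasses import dataclass

# npm runs these automatically on `npm install`: a hook here executes before the
# candidate has read a single line of the supposed test.
NPM_LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")

# Assumed obfuscation and staging patterns in JS/TS/Python/shell files.
CODE_PATTERNS = {
    "decode-then-execute": re.compile(
        r"(eval|exec|Function)\s*\(.*(atob|base64|b64decode|fromCharCode)", re.S),
    "dynamic-code": re.compile(r"new\s+Function\s*\(|\beval\s*\("),
    "spawns-shell": re.compile(r"child_process|subprocess\.(Popen|run|call)|os\.system"),
    "fetch-and-run": re.compile(r"(curl|wget)[^\n]*\|\s*(sh|bash|python)"),
}
CODE_SUFFIXES = (".js", ".mjs", ".cjs", ".ts", ".py", ".sh")
LONG_LINE = 500  # assumed threshold: minified/obfuscated payloads, not hand-written tests


@dataclass(frozen=True)
class Finding:
    path: str    # path relative to the clone root
    rule: str
    detail: str


def _scan_package_json(full, rel):
    with open(full, encoding="utf-8") as fh:
        try:
            pkg = json.load(fh)
        except json.JSONDecodeError:
            return [Finding(rel, "unparseable-package-json", "")]
    scripts = pkg.get("scripts", {}) if isinstance(pkg, dict) else {}
    return [Finding(rel, "npm-lifecycle-script", f"{k}: {v}")
            for k, v in scripts.items() if k in NPM_LIFECYCLE]


def _scan_code_file(full, rel):
    findings = []
    with open(full, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    for rule, pattern in CODE_PATTERNS.items():
        m = pattern.search(text)
        if m:
            findings.append(Finding(rel, rule, m.group(0)[:80]))
    longest = max((len(line) for line in text.splitlines()), default=0)
    if longest > LONG_LINE:
        findings.append(Finding(rel, "long-line", f"{longest} chars"))
    return findings


def scan_repo(root):
    """Walk the clone and return every red flag, sorted for stable output."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # .git contents are not executed
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name == "package.json":
                findings.extend(_scan_package_json(full, rel))
            elif name.endswith(CODE_SUFFIXES):
                # Assumption: code under a dot-directory is a favoured hiding place in lures.
                if any(part.startswith(".") for part in rel.split("/")[:-1]):
                    findings.append(Finding(rel, "code-in-hidden-dir", ""))
                findings.extend(_scan_code_file(full, rel))
    return sorted(findings, key=lambda f: (f.path, f.rule))


def build_sample_repo():
    """Constructed lure repository for this example, not a real campaign artefact."""
    root = tempfile.mkdtemp(prefix="skills-test-")
    os.makedirs(os.path.join(root, ".config"))
    stage_two = base64.b64encode(b"console.log('stage two would run here')").decode()
    files = {
        "README.md": "# Skills test\nImplement the TODO in index.js, then `npm install && npm test`.\n",
        "index.js": "module.exports = function add(a, b) { return a + b; }; // TODO: handle BigInt\n",
        "package.json": json.dumps({"name": "skills-test",
                                    "scripts": {"test": "node index.js",
                                                "postinstall": "node .config/setup.js"}}, indent=2),
        # The hook decodes and evaluates a hidden second stage (harmless here).
        ".config/setup.js": f'eval(Buffer.from("{stage_two}", "base64").toString());\n',
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in scan_repo(build_sample_repo()):
        print(f"{f.path}: {f.rule} {f.detail}".rstrip())
```

Run it on the clone before `npm install` and before opening the project in an editor that auto-runs tasks; a single lifecycle hook fires before the candidate has read the test at all, so any finding is reason to stop and inspect. The visible `index.js` in the sample is clean, which is exactly the point: the part the candidate is asked to look at is harmless, and the payload lives where nobody is told to look.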
The warnings echo those from Coinbase, which recently reported similar infiltration attempts.
CEO Brian Armstrong said the company has strengthened internal security by mandating in-person training for U.S.-based staff and additional background checks for anyone with system-level privileges.
Armstrong remarked that it sometimes feels as if “hundreds of new operatives are graduating every quarter” from North Korea’s hacking academies.
The SEAL Team’s Counter-Offensive
To combat this wave of impostors, a group of white-hat hackers known as the Security Alliance (SEAL) has been cataloging fake developer profiles linked to the DPRK.
According to SEAL’s findings, at least 60 North Korean agents have been posing as freelance IT workers under fabricated identities, complete with falsified GitHub accounts, resumes, and even counterfeit citizenship documents.
The repository lists aliases, email addresses, and affiliated firms — including several that unknowingly hired them.
Led by Paradigm researcher Samczsun, the SEAL team has conducted more than 900 investigations since its 2024 launch.
Their work highlights the blurred boundary between espionage and employment, as Pyongyang’s operatives increasingly rely on legitimate remote-work platforms to penetrate Western tech and finance ecosystems.
In one case, four undercover developers infiltrated multiple startups and stole about $900,000, demonstrating how freelance contracting can double as cyber-espionage.
Pyongyang’s Hidden Workforce
Analysts believe the billions stolen in crypto — together with ransomware and IT-worker schemes — are vital to North Korea’s sanctioned economy. The funds help sustain nuclear and missile programs that would otherwise be starved of resources.
Beyond cryptocurrency, researchers at Okta have traced North Korean “clandestine IT workers” expanding into AI firms, fintech startups, healthcare organizations, and even public-sector institutions across the U.S., Middle East, and Australia.
The operatives not only draw salaries; in some cases they also obtain access to sensitive corporate systems, which can later be abused for data theft or extortion after their contracts end.
The Road Ahead
Taken together, 2025’s record-breaking thefts illustrate the industrial scale of North Korea’s cyber-operations. What began as opportunistic hacks on exchanges has evolved into a sophisticated ecosystem of digital larceny, social engineering, and infiltration.
The line between hacker, employee, and intelligence agent has blurred — and with it, the traditional boundaries of cybersecurity defense.
According to experts, today’s battle relies on human vigilance as much as technology. More vetting of remote workers, rigorous training of employees, and international law enforcement cooperation are necessary.
As Elliptic warned, the weak link in cryptocurrency security is no longer just code — it’s people.
Disclaimer
In line with the Trust Project guidelines, please note that the information provided on this page is not intended to be and should not be interpreted as legal, tax, investment, financial, or any other form of advice. It is important to only invest what you can afford to lose and to seek independent financial advice if you have any doubts. For further information, we suggest referring to the terms and conditions as well as the help and support pages provided by the issuer or advertiser. MetaversePost is committed to accurate, unbiased reporting, but market conditions are subject to change without notice.
About The Author
Alisa, a dedicated journalist at the MPost, specializes in cryptocurrency, zero-knowledge proofs, investments, and the expansive realm of Web3. With a keen eye for emerging trends and technologies, she delivers comprehensive coverage to inform and engage readers in the ever-evolving landscape of digital finance.