North Korean Hackers Linked to 60% of All Crypto Theft Losses in 2025
North Korean hackers stole $2.06 billion in cryptocurrency in 2025, accounting for 60% of all crypto theft losses that year, according to new analysis from blockchain security firm CertiK.
CertiK’s Skynet DPRK Crypto Threats Report finds that North Korea has “industrialized cryptocurrency theft into a primary state revenue mechanism,” stealing an estimated total of $6.75 billion across 263 documented incidents between 2016 and 2026.
While the majority of crypto theft losses can be attributed to hackers associated with North Korea, only 12% of documented incidents in 2025 were linked with the country, demonstrating a focus on high-value targets.
In just one 2025 incident, North Korean hackers stole $1.5 billion from the cryptocurrency firm Bybit. This was the largest theft of cryptocurrency ever recorded.
The report said state-backed attackers have evolved into highly organized groups targeting crypto infrastructure. These are thought to operate under North Korea’s foreign intelligence service, the Reconnaissance General Bureau, with approximately 7,000 personnel.
The CertiK report says social engineering is crucial to their operations and that most major North Korean heists begin with “human manipulation.” Hackers are known to pose as investors, trading firms, and job candidates to infiltrate crypto companies. The report warns that AI-enhanced social engineering, further IT worker infiltration, and new laundering vectors are key expected trends for 2026.
The report also warns that stolen funds are moved rapidly through complex laundering channels. In the case of the record-breaking Bybit theft, more than 86% of the stolen ETH was laundered into Bitcoin within a month.
Cryptocurrency theft is believed to have become a major revenue stream for the North Korean state, used to support its nuclear weapons program.
To limit risk, CertiK has urged potentially vulnerable companies to use video interviews with liveness checks and background verification designed to detect AI and borrowed identities, apply zero-trust security policies to remote freelancers, inform employees of social engineering risks, introduce withdrawal delays, and protect critical infrastructure such as bridges and hot wallets.


