North Korean state hackers stole over $2B in crypto in 2025

CrowdStrike found DPRK-affiliated groups took more than $2 billion in cryptocurrency in 2025, a 51% increase from 2024, largely from Web3 projects and exchanges.

CrowdStrike’s 2026 Financial Services Threat Landscape report found state-affiliated North Korean hackers were responsible for more than $2 billion in cryptocurrency thefts in 2025, a 51% year-over-year increase. The report ranks DPRK-linked groups as the largest threat to crypto users by dollar value of assets taken.

The firm reported that adversaries ran fewer campaigns in 2025 but focused on higher-value targets, producing larger returns. The report states, “Stolen proceeds are almost certainly laundered to fund the regime’s military programs,” and notes that the actors prioritized attacks in which assets were easier to cash out anonymously than in traditional financial systems.

Researchers documented a mix of tactics used to compromise projects and platforms. Attack methods included social engineering, malware, exploitation of remote hiring practices and the use of third-party intermediaries to build trust and gain access. CrowdStrike said those techniques helped attackers reach developer tools and internal systems that hold or control digital assets.

In April 2025, the Drift Protocol decentralized exchange reported a compromise after developers had formed a working relationship with technology workers they met at a major industry conference. Over six months, the collaborators were given development access, after which malware was deployed on developer machines, leading to losses of about $280 million. The Drift team emphasized that the individuals who met in person were not North Korean nationals and noted that DPRK actors often use intermediaries for face-to-face relationship-building.

The Ethereum Foundation identified roughly 100 DPRK-backed hackers and threat actors who had infiltrated crypto projects in the same period. An onchain analyst documented a group of IT workers linked to North Korea who reportedly earned about $1 million per month while employed at various technology companies, a pattern that investigators say can provide access and facilitate movement of funds.

CrowdStrike warned that the combination of targeted, high-value hacks and laundering techniques makes it harder to recover assets and attribute theft. The report recommends stronger operational security at projects and exchanges, including tighter vetting of contributors, improved detection of unusual login and code-change activity, and enhanced coordination between industry participants and law enforcement.

Background reporting and multiple security firms have repeatedly connected a range of intrusions and scams to DPRK-affiliated infrastructure and groups. CrowdStrike’s findings add to those assessments by documenting changes in attacker behavior and the scale of losses in 2025.
