North Korean hackers steal more than $2 billion this year: Elliptic


North Korea-linked groups have stolen more than $2 billion this year, according to a new review from the blockchain forensics firm Elliptic. That is the largest annual total recorded, and three months of 2025 are still to go.
The new data underscores Pyongyang's growing reliance on cyber-enabled theft to fund weapons programs. According to the United Nations and multiple intelligence agencies, the proceeds from these hacks are used to finance North Korea's nuclear and ballistic missile development.
“The size of the crypto theft associated with North Korea this year has not occurred before, and is a clear indication of how deeply the regime is dependent on cybercrime,” Elliptic said in its report shared with CoinDesk.
Elliptic's findings bring the total known crypto theft associated with North Korea to more than $6 billion since the regime's hacking operations began to target the crypto sector around 2017.
Bybit Hack Drives Record Year
The 2025 figure is dominated by February's $1.46 billion hack of the Bybit exchange, one of the largest crypto thefts recorded.
Elliptic also linked attacks against LND.FI, Woo X, and Seedify to North Korea this year, along with more than 30 additional incidents involving smaller exchanges and DeFi platforms.
The $2 billion total is almost triple last year's and exceeds the previous record of $1.35 billion set in 2022, when actors associated with North Korea were behind major breaches of the Ronin Network and Harmony Bridge.
Move toward social engineering
While centralized exchanges remain a major target, Elliptic noted a strategic move toward attacks on individuals, especially high-value crypto holders and company executives.
With crypto prices rebounding in 2025, such targets have become increasingly lucrative, and they often lack the robust security infrastructure of institutional platforms.
“The weak point in cryptocurrency security is now, not technological,” Elliptic said.
This shift has seen hackers rely more on deception than on code exploits, using tactics such as phishing, fake job offers, and compromised social media accounts to gain access to wallets and private keys.
A breed of crypto-laundering arm
As blockchain analytics and law enforcement collaboration have improved, North Korea's laundering operations have become more complex, Elliptic found.
Following the Bybit breach, investigators tracked many rounds of cross-chain swaps between Bitcoin, Ethereum, BTTC and Tron, often using hidden protocols and self-issued tokens to disguise the source of the funds.
The new laundering methods include repeated mixing, the use of obscure blockchains, and the creation of new tokens issued directly through laundering networks.

