North Korea-Linked Hackers

Threat actors with ties to the Democratic People’s Republic of Korea (DPRK or North Korea) have been instrumental in driving a surge in global cryptocurrency theft in 2025, accounting for at least $2.02 billion out of more than $3.4 billion stolen from January through early December.

The figure represents a 51% increase year-over-year and $681 million more than 2024, when the threat actors stole $1.3 billion, according to Chainalysis’ Crypto Crime Report shared with The Hacker News.

“This marks the most severe year on record for DPRK crypto theft in terms of value stolen, with DPRK attacks also accounting for a record 76% of all service compromises,” the blockchain intelligence company said. “Overall, 2025’s numbers bring the lower-bound cumulative estimate for cryptocurrency funds stolen by the DPRK to $6.75 billion.”

The February compromise of cryptocurrency exchange Bybit alone is responsible for $1.5 billion of the $2.02 billion plundered by North Korea. The attack was attributed to a threat cluster known as TraderTraitor (aka Jade Sleet and Slow Pisces). An analysis published by Hudson Rock earlier this month linked a machine infected with Lumma Stealer to infrastructure associated with the Bybit hack based on the presence of the email address “trevorgreer9312@gmail[.]com.”

The cryptocurrency thefts are part of a broader series of attacks conducted by the North Korea-backed hacking group called Lazarus Group over the past decade. The adversary is also believed to be involved in the theft of $36 million worth of cryptocurrency from South Korea’s largest cryptocurrency exchange, Upbit, last month.

Lazarus Group is affiliated with Pyongyang’s Reconnaissance General Bureau (RGB). It’s estimated to have siphoned no less than $200 million from over 25 cryptocurrency heists between 2020 and 2023.


The Lazarus Group is one of the most prolific hacking groups and also has a track record of orchestrating a long-running campaign referred to as Operation Dream Job. In it, prospective employees working in the defense, manufacturing, chemical, aerospace, and technology sectors are approached via LinkedIn or WhatsApp with lucrative job opportunities in order to trick them into downloading and running malware such as BURNBOOK, MISTPEN, and BADCALL, the last of which also comes in a Linux version.

The end goal of these efforts is two-pronged: to collect sensitive data and generate illicit revenue for the regime in violation of international sanctions imposed on the country.

A second approach adopted by North Korean threat actors is to embed information technology (IT) workers inside companies across the world under false pretenses, either in an individual capacity or through front companies such as DredSoftLabs and Metamint Studio that are set up for this purpose. In some cases these embedded workers have gained privileged access to cryptocurrency services, enabling high-impact compromises. The fraudulent operation has been nicknamed Wagemole.

“Part of this record year likely reflects…



Last Update: December 18, 2025