How North Korea’s shadow cyber-army stole $1.5 billion in one hit – and is already over $2 billion for 2025
The world watched in stunned silence as the numbers started pouring in. In February 2025, the FBI publicly identified hackers tied to the Lazarus Group — a cyber-unit linked with the North Korean government — as responsible for breaching the Dubai-based cryptocurrency exchange Bybit and stealing approximately $1.5 billion in virtual assets. That raid alone shattered previous records and sent ripple effects across global crypto markets. But according to detailed blockchain-analytics reports released later, the story doesn’t stop there: by October 2025, North Korea-linked cyber-actors had amassed more than $2 billion in stolen crypto for the year so far.

The theft shook the foundations of trust in the crypto industry. On the surface, the hack appeared simple — funds moved from a wallet, assets routed through multiple addresses, and ultimately converted into other cryptocurrencies. But beneath that façade lies a chilling narrative of state-sponsored cybercrime, sophisticated laundering schemes, and the intersection of digital finance and international security.
It began in February. Bybit, which serves tens of millions of users globally, discovered unauthorized access to a cold wallet holding large amounts of cryptocurrency. The attackers — later tied by the FBI to the “TraderTraitor” campaign of the Lazarus Group — gained control of an Ether wallet and moved the funds to a series of obscure addresses. Investigators flagged the scale immediately: this was not a typical hack of a small firm or a minor exchange; it was a strategic blow deep into the crypto economy. The speed of conversion, the dispersion of funds, and the silence around the attackers’ identity all pointed to a well-resourced, state-backed entity.

By spring, analysts were piecing together the implications. The British blockchain intelligence firm Elliptic reported that North Korea-linked hacking groups had already taken more than $2 billion in cryptocurrencies in 2025 — with three months remaining. Their cumulative known haul since 2017 now tops $6 billion. That sum is staggering for a regime long isolated, impoverished and heavily sanctioned — and yet it is now one of the most prolific cyber-thieves in the digital asset realm.
Experts believe that much of this stolen wealth is being used to fund the military, ballistic missile programmes and nuclear ambitions of the Democratic People’s Republic of Korea (DPRK). In a U.N. report, investigators noted that North Korean cyber actors deliberately target cryptocurrency services and launder the proceeds through a web of shell companies, overseas facilitators and covert accounts in countries such as China, Russia, Vietnam and Cambodia.
What makes this trend extraordinary is not merely the amount stolen, but how rapidly the tactics have evolved. Gone are the days when North Korean hackers relied solely on raiding poorly defended banks in developing countries. Instead, they have shifted to high-stakes hacks of mainstream exchanges, used social engineering against high-net-worth individuals, and adopted multi-stage laundering schemes designed to outpace blockchain tracing. Elliptic and other analysts noted, for example, that the major thefts of 2025 were initiated not through a code vulnerability alone, but by tricking insiders, obtaining private keys, and rapidly moving funds across dozens of chains.

To understand the scale: the Bybit heist alone accounted for almost $1.5 billion — nearly three-quarters of the total that analysts say has been attributed to North Korea for the year so far. After that breach, cyber-crime observers expected a lull or a crackdown; instead they saw accelerating theft. This marks a clear jump in both boldness and sophistication for North Korea’s cyber apparatus.
It’s helpful to remember that this is not a rogue gang of criminals operating independently — the Lazarus Group and related units are widely believed to be under the direction, or heavy influence, of the North Korean intelligence machinery, notably the Reconnaissance General Bureau (RGB). That alignment means that each hack is not simply an opportunistic theft; it is a strategic finance operation for one of the world’s most isolated and heavily sanctioned regimes.
The international implications are profound. From a regulatory perspective, the attack exposed critical vulnerabilities in the crypto market infrastructure. Exchanges are under growing pressure to tighten controls, secure cold wallets, monitor movements, and cooperate across borders to stop high-value thefts. Meanwhile, governments now face a more acute problem: stolen crypto is no longer just criminal loot — it may be funding missile launches, nuclear research and global destabilisation.
In March 2025, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) reiterated that North Korean cyber actors actively target cryptocurrency and use virtual asset theft to provide resources for ballistic missile and WMD programmes. That same month, new sanctions were introduced against individuals and entities believed to aid in the laundering of stolen crypto.
The psychological impact is also notable. As crypto devotees flooded the market believing in decentralised freedom and alternate finance systems, they were reminded that even those systems remain vulnerable to state-level attack. The hack shattered investor confidence, triggered regulatory reviews and sparked a race in the crypto industry to beef up security. Some industry insiders say exchanges are now treating ‘what if North Korea targets us’ as a genuine design scenario. The speed and scale of the Bybit heist served as a wake-up call.
For the DPRK it is, in many ways, a business model. Sanctions cripple the country’s ability to earn revenue through traditional means; cyber-theft of digital assets offers both anonymity and a route around those constraints. Some estimates suggest that each major theft helps offset the cost of sanctions, finance missile tests, and pay overseas agents. According to the U.N. annex cited in an official Japanese analysis, North Korean cyber-actors stole at least $1.65 billion from January to September 2025 — the bulk of which was attributed to the February Bybit attack.
Of course, attribution and precise tracking of stolen crypto remain challenging. Analysts caution that the “over $2 billion” figure may be a conservative estimate — some thefts remain undisclosed, obfuscated by complex cross-chain laundering, or misattributed. That said, the trend line is undeniable: North Korea’s cyber-theft is escalating, both in ambition and outcome.
What does that mean for the future? We are likely entering a new era in which digital assets become a key proxy battleground for geopolitical struggle. Cryptocurrency exchanges will increasingly be treated as part of national security architecture, not just financial firms. Regulators and governments will push for deeper cooperation, faster data-sharing and stronger cross-border enforcement. For the DPRK’s regime, the message is clear: cyber-theft is not a last resort; it may now be core to their revenue strategy.
For investors, users and the broader public, the lesson is equally stark: the promise of decentralisation does not mean invulnerability. Even the largest, most prominent exchange can be struck by a state-backed actor. The hacks are not just headline dollars — they are also a signal of shifting power in the digital economy.
In the months ahead, the world will be watching how the stolen assets are laundered, traced, frozen — or lost forever. Will governments catch up? Will exchanges redesign architecture to protect against state-level attackers? For now, one thing is certain: when the hackers tied to North Korea’s cyber-apparatus steal, the impact is global, the sums are huge and the implications stretch far beyond finance into the heart of international security.