North Korean attacks on the cryptocurrency industry have grown sophisticated enough that the thieves can now conceal stolen funds from authorities more effectively than before.
Demystifying the North Korean Threat assesses the growing number of cybercriminal groups associated with North Korea. These groups carry out large-scale financial theft that funds North Korean military and nuclear programs.
Record-Breaking Crypto Thefts Linked to North Korea
North Korea has been behind several prominent thefts of virtual currency over the past several years. According to the United Nations, North Korean hackers stole approximately $3 billion between 2017 and 2023. In 2024 and 2025 they took a further $1.7 billion from two prominent exchanges, WazirX and Bybit. Each successive attack has been more sophisticated than the last, and defenders are finding such breaches harder to stop.
The best-known North Korean hacking operation is the Lazarus Group, whose attacks are directed mainly at banks and cryptocurrency platforms. Related North Korean campaigns and clusters, tracked under names such as AppleJeus, Dangerous Password, and Spinout, rely on phishing, fake job offers, and trojanized software that looks legitimate. These methods have caused billions of dollars in losses for companies and for users of crypto platforms worldwide.
Sophisticated hacking methods exposed
In February 2025, Bybit suffered the largest cryptocurrency hack to date, with losses totaling $1.5 billion. Initially believed to be a phishing attack, a deeper investigation revealed a far more advanced technique. Instead of attacking the exchange directly, hackers from North Korea's Reconnaissance General Bureau compromised Safe{Wallet}, a widely used multisignature wallet interface, and injected malicious code into it. The backdoored interface let them redirect a transfer that Bybit's own signers approved, without the signers noticing anything wrong at the time.
This is a different tactic from earlier campaigns, which mostly went after the exchanges themselves: here the attackers struck a third-party tool in the exchange's supply chain instead. The shift shows North Korean operators refining their methods to maximize the payoff while minimizing the chance of discovery.
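The defensive lesson from a compromised wallet front end is that a signer must verify the payload it is about to sign against a transaction agreed through an independent channel, not against what the same front end displays. The following Python is an added example written for this page, not code from Safe{Wallet}, Bybit, or the report described above; the transaction fields, the hashing scheme, the "honest" and "compromised" front-end stand-ins, and all addresses are constructed assumptions chosen to show the check, not a model of any real multisig contract.

```python
import hashlib
import json

# Simplified, constructed transaction model for this example. It is not the
# Safe{Wallet} or Bybit format; the field names are assumptions chosen to show
# the check, not to mirror any real multisig contract.
SIGNED_FIELDS = ("to", "value", "data", "operation")


def canonical_hash(tx):
    """Hash of the fields a signer actually commits to, in canonical order.

    A real wallet would sign a typed-data digest; sha256 over canonical JSON
    stands in for that here.
    """
    fields = {k: tx[k] for k in SIGNED_FIELDS}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


def honest_frontend(intended):
    """A trustworthy UI shows and submits the same transaction."""
    return dict(intended), dict(intended)


def compromised_frontend(intended, substitute):
    """A backdoored UI shows the intended transfer but hands the signer a different payload."""
    payload = dict(intended)
    payload.update(substitute)
    return dict(intended), payload


def verify_before_signing(expected, payload):
    """Compare the payload that will be signed against a transaction agreed out of band.

    Returns a list of (field, expected, actual) mismatches; empty means safe to sign.
    """
    return [(k, expected[k], payload.get(k)) for k in SIGNED_FIELDS if expected[k] != payload.get(k)]


def sign_if_clean(expected, frontend_output, key_id):
    """Sign only when the decoded payload matches the independently agreed transaction.

    Checking the on-screen summary is not enough: a compromised UI controls the screen too.
    Returns (signature_or_None, mismatches).
    """
    _display, payload = frontend_output
    mismatches = verify_before_signing(expected, payload)
    if mismatches:
        return None, mismatches
    return f"sig:{key_id}:{canonical_hash(payload)[:16]}", []


# Constructed example transaction: move 100 units to a hot wallet.
INTENDED = {"to": "0xHOTWALLET", "value": 100, "data": "0x", "operation": 0}
# Constructed substitute an attacker controlling the UI might slip into the payload.
ATTACKER_SUBSTITUTE = {"to": "0xATTACKER", "data": "0xdeadbeef", "operation": 1}


def demo():
    """Returns (honest_result, compromised_result, display_matched_expected)."""
    honest = sign_if_clean(INTENDED, honest_frontend(INTENDED), "signer-1")
    display, payload = compromised_frontend(INTENDED, ATTACKER_SUBSTITUTE)
    compromised = sign_if_clean(INTENDED, (display, payload), "signer-1")
    # The display alone passes inspection, which is exactly why it cannot be trusted.
    display_looked_fine = verify_before_signing(INTENDED, display) == []
    return honest, compromised, display_looked_fine


if __name__ == "__main__":
    honest, compromised, looked_fine = demo()
    print("honest frontend:      ", honest)
    print("compromised frontend: ", compromised)
    print("display matched intended transfer:", looked_fine)
```

The point of `demo()` is the third value: the compromised front end's display is identical to the agreed transaction, so any review that stops at the screen approves the theft, while decoding the actual payload and diffing it field by field catches the changed destination, calldata and operation type. In practice the "expected" transaction should come from a channel the front end cannot influence, such as a hardware-wallet display of the decoded fields or a second, independently built copy of the transaction.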
Laundering stolen funds to evade authorities
Once the cryptocurrency is in hand, North Korean hackers apply classic money laundering techniques to hide the transaction trail. They split large stolen balances into smaller portions and move them through a succession of digital wallets before converting the funds into Bitcoin. The layering makes it much harder for authorities to track the stolen assets.
The Lazarus Group also holds crypto assets acquired through theft for long periods before cashing out, a strategy that reduces the chance of quick discovery. The FBI and other law enforcement agencies have brought criminal charges against some Lazarus Group members, yet North Korean hackers sustain their operations by developing new ways to bypass security measures.
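Splitting a stolen balance across many wallets only defeats tracing if the tracer stops following the smaller pieces. The following Python is an added example for this page, not code from any blockchain analytics product or from the report discussed above; it runs "haircut" taint propagation, in which every transfer carries stolen funds in proportion to the sender's tainted share, over a constructed, time-ordered ledger, and flags the fan-out addresses that do the splitting. The ledger rows, address names and amounts are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample ledger (not real on-chain data). Rows are in time order:
# (tx_id, sender, receiver, amount). "victim" starts out holding the stolen
# balance; "clean" is an unrelated depositor used to show mixing at the exchange.
SAMPLE_LEDGER = [
    ("t1", "victim", "A", 100.0),
    ("t2", "A", "B1", 40.0),
    ("t3", "A", "B2", 35.0),
    ("t4", "A", "B3", 25.0),
    ("t5", "B1", "C", 40.0),
    ("t6", "B2", "C", 35.0),
    ("t7", "B3", "D", 25.0),
    ("t8", "C", "EXCHANGE", 75.0),
    ("t9", "D", "EXCHANGE", 25.0),
    ("t10", "clean", "EXCHANGE", 10.0),
]


def propagate_taint(ledger, stolen, other_balances=None):
    """Haircut taint propagation over a time-ordered ledger.

    `stolen` maps address -> amount of known stolen funds at the start.
    Each transfer carries taint in proportion to the sender's tainted share of
    its known balance at that moment, so splitting a balance does not shed taint.
    Returns (taint, balance, hops); hops is the shortest tainted path length
    from an origin address.
    """
    balance = defaultdict(float)
    taint = defaultdict(float)
    hops = {}
    for addr, amt in stolen.items():
        balance[addr] += amt
        taint[addr] += amt
        hops[addr] = 0
    for addr, amt in (other_balances or {}).items():
        balance[addr] += amt
    for _tx, src, dst, amount in ledger:
        if amount <= 0:
            continue
        # Funds we never saw arrive are treated as untainted external money.
        frac = taint[src] / balance[src] if balance[src] > 0 else 0.0
        tainted_part = min(amount * frac, taint[src])
        balance[src] = max(0.0, balance[src] - amount)
        taint[src] -= tainted_part
        balance[dst] += amount
        taint[dst] += tainted_part
        if tainted_part > 0:
            hops[dst] = min(hops.get(dst, float("inf")), hops[src] + 1)
    return dict(taint), dict(balance), hops


def find_splits(ledger, min_outputs=3):
    """Flag addresses that take one inbound transfer and fan it out into
    several smaller transfers, the layering pattern described above."""
    inbound = defaultdict(list)
    outbound = defaultdict(list)
    for _tx, src, dst, amount in ledger:
        inbound[dst].append(amount)
        outbound[src].append(amount)
    flagged = []
    for addr, outs in outbound.items():
        ins = inbound.get(addr, [])
        if len(ins) == 1 and len(outs) >= min_outputs and max(outs) < ins[0] and sum(outs) <= ins[0] + 1e-9:
            flagged.append(addr)
    return sorted(flagged)


def exposure(ledger, stolen, target, other_balances=None):
    """Tainted amount, total balance, tainted share and hop count for `target`."""
    taint, balance, hops = propagate_taint(ledger, stolen, other_balances)
    t = taint.get(target, 0.0)
    b = balance.get(target, 0.0)
    return {"tainted": t, "balance": b, "share": (t / b if b else 0.0), "hops": hops.get(target)}


if __name__ == "__main__":
    report = exposure(SAMPLE_LEDGER, {"victim": 100.0}, "EXCHANGE", {"clean": 10.0})
    print("exchange exposure:", report)
    print("split/layering addresses:", find_splits(SAMPLE_LEDGER))
```

In the constructed ledger the 100 units leave the victim, are split three ways at `A`, recombine through `C` and `D`, and land at `EXCHANGE` four hops later alongside 10 unrelated units; the tracer still attributes all 100 tainted units to the exchange deposit, and `find_splits` singles out `A` as the layering point. Haircut tainting is one of several conventions (FIFO and poison tainting are others); it is used here because it is simple and because it makes clear that dividing a balance into smaller transfers does nothing to reduce the total taint that reaches the cash-out point.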