North Korea-linked crypto theft surged 51% in 2025, reaching $2 billion: CrowdStrike

State-affiliated hackers from North Korea stole more than $2 billion in cryptocurrency during 2025, marking a 51% year-over-year increase despite conducting fewer attacks, according to a new report from cybersecurity firm CrowdStrike. The findings underscore the growing sophistication and financial impact of DPRK-linked cyber operations targeting the digital asset industry.

CrowdStrike report details shift in tactics

The 2026 Financial Services Threat Environment report from CrowdStrike identifies North Korean hackers as the most financially damaging threat group for cryptocurrency users. While the number of campaigns decreased compared to 2024, the hackers achieved significantly higher returns by focusing on high-value targets, including Web3 projects and cryptocurrency exchanges. CrowdStrike noted that stolen funds are almost certainly laundered to support the regime’s military programs, and the relative anonymity of crypto transactions makes the sector an attractive target.

In-person infiltration and remote hiring schemes

The report highlights a troubling evolution in North Korean hacking methods, which now extend beyond remote malware deployment to include in-person infiltration. In April 2025, the decentralized exchange Drift Protocol was compromised after DPRK-affiliated technology workers met the development team at a major industry conference and built a relationship over six months. The hackers later deployed malware that led to $280 million in losses. The Drift team noted that the individuals who appeared in person were not North Korean nationals, but rather third-party intermediaries used to establish trust.

Ethereum Foundation identifies 100 DPRK-backed hackers

Also in April 2025, the Ethereum Foundation identified 100 North Korean-backed hackers and threat actors who had infiltrated various crypto projects. Many of these individuals were hired as remote workers. Onchain investigator ZachXBT separately documented a group of North Korean IT workers earning approximately $1 million per month through employment at technology companies.

Why this matters for the crypto industry

The findings from CrowdStrike and other security firms highlight a persistent and escalating threat to the cryptocurrency ecosystem. The shift toward fewer but more lucrative attacks suggests that DPRK hacking groups are refining their strategies, focusing on projects with larger asset pools and weaker security protocols. For crypto companies, this underscores the need for rigorous background checks, enhanced cybersecurity measures, and greater awareness of social engineering tactics that extend into the physical world.

Conclusion

The 51% rise in crypto losses from North Korean hackers in 2025, as detailed by CrowdStrike, signals a dangerous evolution in state-sponsored cybercrime. With stolen funds funneled to military programs and tactics growing more sophisticated, the threat demands heightened vigilance from the entire blockchain and cryptocurrency industry.

FAQs

Q1: How much cryptocurrency did North Korean hackers steal in 2025?
According to CrowdStrike, DPRK-linked hackers stole over $2 billion in crypto assets in 2025, a 51% increase from the previous year.

Q2: Why are North Korean hackers targeting cryptocurrency?
CrowdStrike reports that crypto platforms offer a degree of anonymity that makes stolen funds easier to launder and transfer compared to traditional financial systems. The proceeds are believed to fund the North Korean regime’s military programs.

Q3: How are North Korean hackers infiltrating crypto projects?
Tactics include getting fake IT workers hired into remote roles, deploying malware through compromised developer machines, and even holding in-person meetings at industry conferences, where third-party intermediaries build trust before the attack is executed.

Written by Jackson Miller

Jackson Miller is a senior cryptocurrency journalist and market analyst with over eight years of experience covering digital assets, blockchain technology, and decentralized finance. Before joining CoinPulseHQ as lead writer, Jackson worked as a financial technology correspondent for several business publications where he developed deep expertise in derivatives markets, on-chain analytics, and institutional crypto adoption. At CoinPulseHQ, Jackson covers Bitcoin price movements, Ethereum ecosystem developments, and emerging Layer-2 protocols.
