North Korea’s cyber operations have evolved into a **$6.75 billion industry**, with 2025 marking a record year for digital theft. New data reveals the regime’s hackers siphoned over **$2 billion in cryptocurrency and tokens**—nearly **60% of the global total**—using a mix of large-scale platform breaches and relentless individual targeting.

The surge was driven by a **February 2025 attack on Bybit**, where North Korean actors allegedly walked away with **$1.5 billion** in digital assets. This single operation accounted for nearly **three-quarters of all service compromises** globally, according to blockchain analysts.

But the regime’s tactics go beyond brute-force hacks. While the number of known attacks dropped by **74%**, the value extracted skyrocketed—suggesting only the most sophisticated operations are being detected. Personal wallets became a prime target, with **160,000 attacks** against **80,000 victims**, including a disproportionate focus on **Solana-based wallets**, where **26,500 users** were compromised.

From Crypto to Cash: The Laundering Puzzle

Turning stolen crypto into usable funds is a **highly technical game of cat and mouse**. The Bybit haul, for example, was dispersed through:

  • Multi-layered mixing—shuffling funds across chains to obscure trails.
  • Obscure blockchains—using networks with weak transaction tracking.
  • Protocol token purchases—reducing costs by buying utility tokens instead of cashing out directly.
  • Refund address tricks—redirecting assets to fresh wallets undetected.
  • Custom laundering tokens—creating and trading new assets tied to illicit networks.

These methods make recovery nearly impossible, forcing exchanges and governments into a reactive stance.

Beyond Hacks: The Social Engineering Front

North Korea’s cyber strategy now includes **executive-level deception**. Fake investors and acquirers—posing as strategic partners—probe companies for system access, particularly in **AI and blockchain sectors**. This builds on earlier IT worker fraud schemes, like the **Amazon breach** where North Korean operatives infiltrated U.S. systems under false identities.

For a nation where crypto theft now represents **13% of GDP**, the stakes are existential. With 2026 on the horizon, analysts warn that **Bybit-level attacks could repeat**—unless detection methods improve.