North Korea hackers intensify crypto heists

Cybersecurity analysts warn that operators linked to North Korea have expanded their assault on digital asset platforms, a year after a record-breaking breach at Dubai-based exchange Bybit exposed structural weaknesses across the sector.

On 21 February 2025, attackers attributed by multiple governments and private security firms to Pyongyang stole about $1.46 billion in cryptoassets from Bybit, marking the largest confirmed theft in the history of the cryptocurrency market. Investigations by blockchain forensics companies and Western intelligence agencies concluded that the operation bore the hallmarks of groups commonly tracked under names such as Lazarus Group, long accused of generating revenue for the Democratic People’s Republic of Korea’s weapons programmes.

Twelve months on, incident response teams report that activity tied to these networks has not abated. Instead, security firms say attempted intrusions against exchanges, decentralised finance protocols and crypto-focused venture funds have increased in frequency and sophistication. Analysts describe a shift from opportunistic phishing to carefully staged supply-chain compromises and social engineering campaigns targeting developers and compliance teams.

The Bybit breach remains a reference point for the scale and precision of state-linked cybercrime. According to people familiar with the forensic findings, attackers gained privileged access through a compromised administrative account, then moved funds through complex chains of wallets and mixing services to obscure the origin. Portions of the stolen assets were traced through decentralised exchanges and cross-chain bridges before being consolidated.

North Korea has consistently denied involvement in cyber theft. However, the United States Treasury and other authorities have previously sanctioned individuals and entities linked to what they say are DPRK-run hacking units. Officials in Washington and Seoul have argued that digital asset theft has become a critical source of hard currency for Pyongyang amid international sanctions.

Data compiled by blockchain analytics firms show that groups attributed to North Korea were responsible for a substantial share of global crypto theft in 2023 and 2024, with total haul figures running into billions of dollars. While overall crypto-related hacks fluctuate from year to year, experts note that DPRK-linked actors stand out for their persistence and strategic targeting of large liquidity pools.

Security researchers say the tactics deployed after the Bybit incident demonstrate organisational discipline. Rather than focusing solely on exchanges, attackers have increasingly targeted infrastructure providers, code repositories and cloud services used by multiple crypto projects. Compromised software updates and malicious code injected into developer tools have created cascading vulnerabilities.

“There has been a clear evolution in tradecraft,” said one senior analyst at a European cybersecurity firm who has tracked North Korean operations for more than a decade. “These are not smash-and-grab operations. They involve reconnaissance, patience and an understanding of how compliance and security controls work within crypto companies.”

Dubai’s authorities tightened oversight of virtual asset service providers following the Bybit breach, with the Virtual Assets Regulatory Authority emphasising stricter governance and incident reporting requirements. Industry participants say exchanges have since increased investment in cold storage solutions, multi-signature wallets and continuous monitoring systems. Insurance premiums for digital asset custodians have also risen, reflecting the perceived risk.

Despite these measures, the decentralised nature of many crypto platforms presents enforcement challenges. Decentralised finance protocols, often governed by token holders rather than central management, can be slower to implement uniform security standards. Cross-border jurisdictional complexities further complicate asset recovery efforts once funds are dispersed across global networks.

International co-operation has intensified. Law enforcement agencies in the United States, South Korea and several European states have formed joint task forces focused on tracing and seizing illicit digital assets. Previous operations have succeeded in freezing portions of stolen funds by working with compliant exchanges and blockchain analytics companies. Yet recovery rates remain limited compared with the total sums stolen.

The broader geopolitical context shapes the stakes. United Nations panels monitoring sanctions have previously reported that cyber operations linked to Pyongyang are designed to circumvent restrictions on trade and finance. Governments argue that proceeds from crypto theft may support missile development and other prohibited activities, though precise allocations are difficult to verify.

Market participants warn that persistent large-scale thefts risk undermining confidence in digital assets at a time when the sector is seeking broader institutional acceptance. Several major asset managers have launched crypto-linked investment products, and regulatory frameworks in jurisdictions including the European Union have sought to bring greater clarity to the industry. High-profile breaches complicate those efforts.

At the same time, some experts caution against over-attributing every major crypto hack to a single actor. Attribution in cyberspace relies on technical indicators, behavioural patterns and intelligence assessments that can be contested. “We must separate confirmed evidence from assumption,” said a former government cyber official. “That said, there is a consistent pattern linking a number of large thefts to networks operating from North Korea.”

Arabian Post – Crypto News Network

The article North Korea hackers intensify crypto heists appeared first on Arabian Post.
