This year, state-sponsored hackers with ties to the North Korean government have stolen a staggering $2 billion worth of cryptocurrency, making 2025 the most profitable year on record for the regime’s well-known cybercrime operations. According to a new report published by the blockchain analytics firm Elliptic, this figure, which has already eclipsed all previous annual totals with three months remaining in the year, is unprecedented. The report also notes that the tactics of hacking groups such as the infamous Lazarus Group are evolving: they now commonly use psychological manipulation and deception to steal from exchanges and drain the accounts of gullible investors. This haul of funds is believed to be an important funding source for North Korea’s ambitious military programs, which are subject to international sanctions.
A Tactical Shift: From Exploiting Code to Hacking Humans
The most concerning discovery in Elliptic’s report is a significant change in the hackers’ approach. Historically, North Korean units involved in cyber operations have garnered attention for exploiting difficult software vulnerabilities. Their recent success, however, has come largely from social engineering.
This approach leverages the human factor, which more often than not is the weakest link in any security chain. Instead of just trying to break through digital defenses, the hackers are now masterfully manipulating people. Through sophisticated phishing scams, fake job offers, and impersonation of colleagues or industry figures, they deceive victims into voluntarily granting access to their accounts or private keys.
The Expanding Target List: From Exchanges to Individuals
For years, the first choice of target for these state-sponsored cyber heists has been large cryptocurrency exchanges, where large amounts of digital assets are held. While exchanges are still a major target of these hacks, Elliptic’s report shows the hackers are expanding to “high-net-worth individuals.” This marks a concerning escalation for the crypto community, which is now seeing rich investors, rich developers, and rich CEOs with large personal stakes come under direct attack. The targeting of individuals allows hackers to bypass corporate defenses and exploit human weakness rather than corporate success.
The Soaring Scale of a State-Sponsored Heist Operation
The sheer scale of North Korea’s crypto theft is breathtaking. The $2 billion stolen in just over nine months of 2025 eclipses the previous record of $1.35 billion, which was set for the entire year of 2022. Since 2017, it’s estimated that the regime has illicitly amassed at least $6 billion in digital assets.
Furthermore, Elliptic cautions that its $2 billion estimate is likely a conservative one. “The actual figure may be even higher,” the report states, noting that definitively attributing every cyber theft is a complex process.
Funding a Fortress State: The Motive Behind the Thefts
These are not random acts of cybercrime; they are calculated operations of statecraft. It is well known that the stolen assets are a critical source of funding for the Kim Jong Un regime, enabling it to circumvent crippling global sanctions.
The record-setting year of theft is happening at the same time as the North Korean leader’s recent introduction of a new defense doctrine, centered around the aggressive build-up of both nuclear and conventional military capabilities. It is believed that the billions of dollars drained from the crypto ecosystem go to fund these weapons programs, and thus every hack is an issue of international security.
An Evolving and Persistent Threat
The most recent reports indicate that North Korea’s hacking units have developed into one of the most sophisticated, persistent forms of cyber threat in the world. The flexibility to shift strategies and the near relentless pursuit of funds make them a serious threat to the entire digital asset sector. As long as the regime stays insulated and its military ambitions become more expansive, it is likely that its digital army will carry on with its asymmetric war on the crypto economy.




