North Korean Hackers Stole $2 Billion in Crypto in 2025

• DPRK hackers stole $2 billion in crypto in 2025, a 51% rise despite fewer attacks.
• Attackers shifted from volume campaigns to precision strikes on high-value exchanges.
• Ethereum Foundation identified 100 DPRK actors infiltrated inside crypto hiring pipelines.

North Korean state-linked hackers stole over $2 billion in cryptocurrency during 2025, a 51% jump from the previous year, according to a new threat report from cybersecurity firm CrowdStrike. The most striking detail is not the dollar figure itself but how the figure was reached.

The number of attacks went down, and the success rate per attack went up dramatically. DPRK-affiliated groups have shifted from running high-volume campaigns to running fewer, more carefully targeted operations against high-value exchanges and Web3 protocols. 

Why Crypto Is the Target

CrowdStrike’s analysis is direct about why the cryptocurrency sector specifically attracts North Korean state actors. Stolen funds can be cashed out and moved with significantly greater anonymity than equivalent thefts from traditional banking systems. The proceeds are almost certainly being laundered to fund the country’s military programs.

The financial services sector is now the fourth most targeted industry globally for cyber attacks, according to the same report. Within that category, crypto exchanges and Web3 infrastructure carry the highest combination of liquidity and exit liquidity, making them the most efficient targets for state actors operating at scale.

The Infiltration Has Gone Inside the Hiring Pipeline

The most concerning evolution in the report is how attackers are gaining access to crypto projects in the first place. Traditional perimeter security is not the failure point anymore. The hiring pipeline is.

In April 2025, the Ethereum Foundation identified 100 DPRK-backed individuals who had infiltrated crypto projects directly, typically as remote hires embedded in developer teams. The Drift Protocol case is the most striking example. DPRK-affiliated technology workers met the Drift Protocol team at a major cryptocurrency industry conference and built a six-month working relationship before the compromise was identified.

Onchain investigator ZachXBT has tracked similar infiltration patterns across multiple firms, suggesting the Drift incident was not isolated but part of a coordinated strategy.

How the Operation Has Evolved

CrowdStrike describes the operational structure as having matured significantly. DPRK-linked groups now operate through distributed contractors and intermediary networks specifically tied to the crypto sector. This decentralized approach increases resilience and allows faster adaptation to platform security upgrades.

The reliance on remote contributors, open development environments, and global outsourcing in Web3 has become a structural vulnerability. Every remote developer is a potential entry point. Every contractor onboarding is a potential compromise.

What the Industry Is Doing About It

Security teams across major crypto platforms are increasing monitoring and verification measures throughout onboarding and code contribution processes. Background checks are being deepened. Identity verification is being layered. Code commits from new contributors are being audited more aggressively.

The challenge is that DPRK actors continue to adapt their techniques in parallel. As security teams tighten the hiring pipeline, threat actors refine their cover stories, professional networks, and social engineering tactics to bypass the new controls.

Related: CertiK Report Shows North Korean Hackers Stole $1.1B in Crypto in 2026