North Korean hackers were behind the vast majority of crypto-targeted security breaches in 2025, and the threat is only expected to amplify in the years ahead, according to Chainalysis’s head of national security intelligence, Andrew Fierman.

“North Korea will always seek new vectors to steal funds on behalf of the regime, whether through fiat or crypto,” Fierman told crypto media, adding that “their mechanisms are forever evolving, and are highly sophisticated, diversified, and deeply embedded across jurisdictions.”

As previously reported by Invezz, North Korean hackers were behind the lion’s share of attacks that hit the cryptocurrency space in 2025.

Throughout the year, state-backed cyber groups were responsible for 76% of service-level compromises across exchanges and custodians, successfully stealing at least $2.02 billion worth of crypto assets.

The 2025 numbers marked a 51% year-on-year increase, despite a nearly 74% decrease in the total number of confirmed incidents, highlighting a strategic shift toward fewer but significantly larger incidents.

Interestingly, just three incidents alone were responsible for 69% of total service-level losses, which goes to show that notorious hacking outfits like the Lazarus Group and the affiliated UNC5342 are now focused almost entirely on breaching large infrastructure targets that promise bigger and faster payouts.

For the crypto industry, this translates to significantly larger financial losses that can potentially disrupt entire ecosystems and wipe out the funds of vast numbers of investors across the globe.

One of the biggest incidents of the year involving North Korean groups was the $1.5 billion Bybit hack that shook the industry back in late February.

Over 400,000 ETH was stolen in the breach, leading to the largest digital asset heist in the history of the crypto industry.

Several other incidents followed, including the $223 million theft from the decentralized exchange Cetus, and a $128 million exploit targeting the Ethereum-based protocol Balancer.

Additional confirmed breaches at WOO X, Seedify, and LND.fi only added to the staggering figures that made 2025 the most successful year to date for North Korean hackers.

Over the past several months, North Korean actors have been found to be using a variety of attack vectors to breach targets. 

For instance, back in October, they were found to be embedding malware within Ethereum and BNB Chain smart contracts as part of a stealth campaign now linked to the state-backed group UNC5342.

Across the globe, major economies like the United States, South Korea, Australia, and members of the European Union have rolled out targeted sanctions against North Korea’s cybercrime infrastructure in a bid to curb its illegal revenue generation. 

But that alone may not be enough, according to Andrew Fierman, who noted that disrupting North Korea’s operations requires coordinated action across the entire industry, including exchanges, infrastructure providers, analytics firms, and law enforcement agencies.

Fierman warned that the regime is expected to continue to rely on crypto theft as a primary revenue stream, especially as international sanctions tighten and other income channels shrink.

Once the funds are stolen, the process by which they are laundered further compounds the problem, making recovery efforts extremely difficult and transforming the threat into a persistent and systemic risk for the broader crypto ecosystem.

“Stolen funds follow diverse laundering paths, including mixing services, OTC brokers, chain-hopping, token swaps, decentralised exchanges, and bridge protocols to obscure flows,” Fierman said.

Some of the techniques used by North Korean groups include the so-called Chinese laundromat network, which comprises over-the-counter brokers, underground banking channels, and cross-border money transmitters based largely in China and Southeast Asia.

On the technical side, they rely on complex cross-chain bridge routes and a rotation of mixing services to fragment the stolen assets across blockchains. These are often withdrawn through loosely regulated Chinese-language platforms with weak KYC requirements.

Although North Korea’s cyber attacks also target areas beyond the crypto sector, the crypto industry remains an especially attractive target, mainly due to its liquidity, global accessibility, and fragmented oversight.

Last month, during the Devconnect conference in Buenos Aires, web3 audit firm Opsek’s founder Pablo Sabbatella warned that roughly 30% to 40% of applicants flooding into crypto jobs may be North Korean attempts to gain insider access through fake identities.

The post Crypto theft will remain a core funding strategy for North Korea, expert warns appeared first on Invezz

2 +