This year, North Korean cybercriminals stole a record-breaking $2 billion in cryptocurrency assets, marking the highest annual total on record. This new figure brings the total confirmed amount stolen by these threat actors to more than $6 billion. According to the United Nations and various government agencies, these significant funds are directly used to support North Korea’s nuclear weapons program. Blockchain experts at Elliptic confirm that this $2 billion total is almost triple the amount stolen in 2024 and far exceeds the previous record of $1.35 billion from 2022, which was largely due to major attacks on the Ronin Network and Harmony Bridge.
The largest portion of this year’s record-breaking total is attributed to the Bybit hack in February, where North Korean actors stole $1.46 billion. Throughout the year, Elliptic was able to attribute 30 separate crypto heists to North Korean hackers. These attributions were made through detailed blockchain analysis, analysis of laundering patterns, and other intelligence data. Other notable breaches this year include those on LND.fi, WOO X, Seedify, and the Taiwanese exchange BitoPro, where the Lazarus group stole an estimated $11 million. These figures, however, are considered conservative estimates, as many incidents go unreported and other attributions are low-confidence.
One of the key trends Elliptic identified this year is a significant shift in the hackers’ targets. Instead of solely exploiting technical flaws in decentralized finance (DeFi) infrastructure, they have begun focusing on individuals who hold large amounts of cryptocurrency or who are employees of exchanges. The criminals target these individuals through social engineering attacks, a method that appears to have replaced the previous strategy of exploiting technical vulnerabilities. This change in approach highlights a more personalized and targeted strategy by the hackers.
In response to increased pressure from law enforcement agencies and blockchain analysis firms, the laundering strategies of North Korean threat actors have also evolved. They now employ more complex evasion tactics to hide their tracks. These tactics include multiple mixing and cross-chain transfers, using obscure blockchains, purchasing utility tokens, and even exploiting refund addresses. In some cases, they are using custom tokens issued by laundering networks to make tracing the funds more difficult.
Despite these advanced evasion tactics, Elliptic maintains that blockchain transparency continues to be a powerful tool for investigators. The inherent traceability of blockchain technology still makes it possible for them to follow the trail of illicit funds, especially in high-profile cases of financial theft. This ongoing cat-and-mouse game between hackers and investigators underscores the constant need for improved security measures and sophisticated tracking tools in the cryptocurrency space.
Reference:
