State-sponsored hackers from North Korea have stolen a record-breaking $2.02 billion in cryptocurrency throughout 2025, bringing the regime’s lifetime illicit haul to over $6.75 billion. A new report from blockchain intelligence firm Chainalysis confirms the 51% year-over-year surge was largely fueled by a single catastrophic event: the $1.5 billion compromise of the Bybit exchange in February.
The Bybit Vector
The numbers are staggering. In February, attackers attributed to the Lazarus Group exploited a supply chain vulnerability to drain 401,000 ETH from Bybit’s cold storage. The vector was precise. Hackers compromised a workstation belonging to a developer at Safe{Wallet}, a third-party multisig provider, and injected malicious JavaScript into the transaction signing interface.
“Bybit is solvent even if this hack loss is not recovered; all client assets are 1-to-1 backed.” Ben Zhou, Bybit CEO (February 2025)
Despite Zhou’s assurance of a $20 billion asset cushion, the breach exposed a critical fragility in institutional custody: even offline “cold” wallets rely on warm infrastructure for transfers.
Tactical Shift: From Grunts to Executives
Chainalysis notes a disturbing evolution in the DPRK’s playbook. While the “Wagemole” strategy, embedding North Korean IT workers into crypto projects to siphon funds, remains active, 2025 saw a pivot toward high-value social engineering. Attackers are no longer just applying for jobs; they are targeting executives with sophisticated impersonation tactics to gain root access.
The stolen capital continues to serve a singular purpose. International investigators estimate these funds finance over 50% of Pyongyang’s ballistic missile and nuclear weapons programs.