In 2025, threat actors linked to North Korea have been responsible for an alarming wave of cryptocurrency thefts totaling at least $2.02 billion out of a global total of over $3.4 billion stolen this year. According to Chainalysis’s report on cryptocurrency-related crime, this is a 51% increase compared to the previous year, in which $1.3 billion was stolen, and marks the highest recorded level of thefts related to North Korea.
The most significant attack occurred in February, when the cryptocurrency exchange Bybit suffered a breach that resulted in the loss of $1.5 billion. This compromise has been attributed to a threat group known as TraderTraitor, and is related to a machine infected with the Lumma Stealer malware. This type of operation is part of a series of attacks carried out by the well-known North Korean state-sponsored hacking group, the Lazarus Group, which has also conducted significant thefts from other exchanges, such as Upbit in South Korea, from which $36 million was stolen last month.
The infiltration methods used by these actors include adopting false identities to access companies and cryptocurrency services globally, employing a scheme known as Wagemole. In this approach, North Korean actors pose as IT workers and get hired by legitimate organizations to facilitate their cyberattacks. Research indicates that the stolen funds are laundered through services in Chinese and specialized markets, demonstrating close collaboration with illicit actors in the Asia-Pacific region.

Recently, Minh Phuong Ngoc Vong, a 40-year-old man from Maryland, was sentenced to 15 months in prison for his involvement in this scheme, which allowed North Korean nationals to use his identity to obtain jobs in U.S. government agencies. Vong managed to obtain over $970,000 in wages, while the conspirators worked remotely, facilitating the operation of the Lazarus Group.