North Korean Cyber Attacks Drive Crypto Theft Up 51% in 2025: New Data

State-sponsored hackers from North Korea increased cryptocurrency theft by 51% compared to the previous year, even as the total number of attacks declined.

State-sponsored hackers from North Korea (DPRK) accounted for over $2 billion in cryptocurrency theft throughout 2025, a 51% increase over the previous year even though the total number of attacks decreased, according to findings from cybersecurity firm CrowdStrike.

According to the company's 2026 Financial Services Threat Landscape report, hackers linked to the DPRK pose the "largest" danger to cryptocurrency users when measured by the total value of digital assets stolen. CrowdStrike further stated:

"Stolen proceeds are almost certainly laundered to fund the regime's military programs. Compared to 2024, DPRK-nexus adversaries conducted fewer campaigns but achieved significantly higher returns by prioritizing high-value targets."

According to CrowdStrike, DPRK hackers concentrated their efforts on Web3 projects and digital currency exchanges because stolen assets could be "cashed out" and moved with enhanced anonymity compared to conventional financial infrastructure.

Countries most frequently targeted by North Korean state-affiliated hackers. Source: CrowdStrike

The findings underscore the escalating danger posed by state-sponsored hacking operations that target both cryptocurrency users and companies within the industry using cybersecurity exploits and social engineering schemes aimed at obtaining funds and confidential data.

DPRK-affiliated hackers penetrate cryptocurrency projects through digital and physical means

Last April, the Ethereum Foundation, which manages the development of the Ethereum network, discovered 100 hackers and malicious actors backed by the DPRK who had successfully penetrated various cryptocurrency projects.

These malicious actors usually operate as remote workers. In April 2025, however, the decentralized cryptocurrency exchange Drift Protocol was infiltrated and breached by technology workers affiliated with the DPRK, who met face-to-face with the Drift Protocol development team.

According to the Drift Protocol team, their initial encounter with these threat actors occurred at a "major" industry conference for cryptocurrency, and they subsequently developed a professional relationship spanning six months.

Drift Protocol statement. Source: Drift Protocol

Over the course of the collaboration, the threat actors installed malicious software that compromised the computer systems of Drift Protocol developers and resulted in $280 million in financial losses.

"It is important to note that the individuals who appeared in person were not North Korean nationals," the Drift team said, adding, "DPRK threat actors operating at this level are known to deploy third-party intermediaries to conduct face-to-face relationship-building."

In that same month, blockchain investigator ZachXBT also revealed a network of North Korean information technology (IT) workers who were generating $1 million per month through employment at various technology companies.