Valtik Studios
Lazarus Group | critical | 2026-04-16 | 15 min read

How North Korea Stole $6.75 Billion in Cryptocurrency

Lazarus Group accounted for roughly 60% of all cryptocurrency stolen by hackers in 2025, including about $1.5 billion from a single Bybit breach, the largest crypto theft on record. North Korea's cyber operations directly fund its nuclear weapons and missile programs. A threat intelligence and incident response deep dive.

$6.75 billion in four years

Between 2022 and 2025, North Korea's Lazarus Group and affiliated threat actors stole approximately $6.75 billion in cryptocurrency through a combination of exchange hacks, DeFi protocol exploits, social engineering campaigns targeting developers, and supply chain attacks against crypto infrastructure [1].

In 2025 alone, Lazarus Group accounted for $2.02 billion in cryptocurrency theft, representing approximately 60% of all global crypto losses to hacking that year [2]. This makes the Democratic People's Republic of Korea the single most prolific crypto thief on the planet, outpacing every other nation-state actor and criminal group combined.

The money funds North Korea's ballistic missile and nuclear weapons programs. According to the United Nations Panel of Experts, cryptocurrency theft has become the single largest source of foreign currency for the regime, exceeding revenue from coal exports, weapons sales, and overseas labor combined [3].

The Bybit hack: $1.5 billion in a single attack

The largest single cryptocurrency theft in history occurred on February 21, 2025, when Lazarus Group drained roughly $1.5 billion, about 400,000 ETH plus ETH-denominated liquid staking tokens, from a Bybit cold wallet [4].

The attack was not a smart contract exploit or a flash loan attack. It was a targeted compromise of a human being.

The attack chain

Step 1: Identifying the target. Lazarus Group identified a software developer at Safe (formerly Gnosis Safe), the multisignature wallet provider used by Bybit to secure its cold storage. Safe's multisig wallets are used by many major crypto institutions because they require multiple authorized signers to approve transactions.

Step 2: Compromising the developer's workstation. The forensic investigation Safe commissioned from Mandiant traced the intrusion to a Safe developer's macOS workstation, compromised in early February 2025 through social engineering that led the developer to run a malicious project. From that foothold the attacker hijacked the developer's active AWS session tokens, sidestepping multi-factor authentication, and obtained write access to the infrastructure that serves Safe's web interface. The lure fits Lazarus Group's standard playbook: fake job offers and "coding challenges" delivered through LinkedIn as malicious PDFs, repositories or npm packages, trojanized open-source tools, and targeted phishing through professional communities [5].

Step 3: Injecting the code. On February 19, 2025, two days before the theft, the attacker used the hijacked access to write malicious JavaScript straight into the production bundle of Safe's web interface, hosted in an Amazon S3 bucket, rather than through Safe's source repository and build pipeline. The injection was targeted: it activated only when the connected Safe matched hard-coded addresses (Bybit's cold wallet and one other address, apparently used for testing), so every other Safe user saw the normal application. When it fired, it rewrote the transaction handed to the signers' wallets: the target became an attacker-controlled contract and the operation type changed from a normal call to a delegatecall, while the interface kept rendering the routine transfer the signers expected.

Step 4: Waiting. The attacker held access to the developer's workstation and Safe's cloud environment for roughly two weeks before planting anything, then left the injected code live for about two days until Bybit's next routine cold-wallet transfer. Because the code was written directly into the hosted bundle, it never passed through a code review or a deployment pipeline where a diff would have been visible. This patience is characteristic of Lazarus Group; they routinely hold access for weeks or months, learning how a target operates, before acting.

Step 5: Execution. On February 21, Bybit initiated a routine transfer from its ETH cold wallet to a warm wallet. The signers reviewed the transaction in the Safe interface, where everything appeared normal, and approved it on their hardware wallets. Those devices displayed only the 32-byte EIP-712 digest of the payload (blind signing), which cannot be checked by eye against the fields on screen. What they actually authorized was a delegatecall that replaced the wallet's implementation contract with attacker code, which then drained roughly $1.5 billion to addresses controlled by Lazarus Group [6]. Within minutes of execution the malicious JavaScript was removed from the hosted bundle.

The attack exploited the fundamental trust assumption of multisig wallets as they are used in practice: that the transaction the interface displays is the transaction the keys sign. By compromising the interface, the attacker turned the signers' own approvals against them without touching a single key. The signers did exactly what their process asked of them; they were shown the wrong information, and the one artifact that was correct, the digest on the hardware device, was not something the process required anyone to verify independently.

The laundering machine

Stealing cryptocurrency is only half the challenge. Converting it to usable funds without being caught is the other half. Lazarus Group has developed the most sophisticated cryptocurrency laundering operation in the world [7].

Phase 1: Immediate dispersion (hours 0 to 24)

Within minutes of a theft, scripted transfers fan the stolen funds out across dozens to hundreds of addresses. The funds are then moved across blockchains through decentralized cross-chain bridges and swap protocols (THORChain, Chainflip and others) that have no operator able to freeze a transfer. Each hop across a chain boundary forces investigators to re-establish the trail on a different ledger with different heuristics, which is what makes this step so effective.

In the Bybit case, the stolen ETH and staking tokens were:

  • Moved into roughly 50 intermediary wallets within the first hour, about 10,000 ETH each
  • Swapped from the stolen liquid staking tokens into plain ETH through decentralized exchanges (DEXs) within hours
  • Bridged to Bitcoin, mostly through THORChain, and to other chains over the following days

Phase 2: Mixing and obfuscation (days 1 to 14)

The funds are then processed through:

  • Mixers. Services that pool many users' funds to break the link between deposit and withdrawal. Despite the Tornado Cash sanctions and the conviction of one of its developers (discussed below), mixing services on Bitcoin and Ethereum continue to operate
  • Chain-hopping. Repeatedly bridging funds between blockchains, converting BTC to XMR (Monero, a privacy coin) and back, using privacy features on chains like Zcash
  • DeFi protocol layering. Depositing into lending protocols, borrowing against the collateral, and withdrawing the borrowed funds. This creates a legitimate-looking DeFi transaction trail

Phase 3: Conversion to fiat (days 14 to 60)

The final stage converts crypto to usable currency:

  • Over-the-counter (OTC) brokers in jurisdictions with weak KYC enforcement (particularly in China and Southeast Asia) convert large amounts of crypto to cash for a 3% to 8% commission
  • UnionPay cards. Funds are loaded onto Chinese UnionPay prepaid cards that can be used for purchases or ATM withdrawals worldwide. This has been documented by the FBI as a primary Lazarus cash-out method [8]
  • Shell companies. Crypto is used to purchase goods (electronics, luxury items) through shell companies, which are then resold for cash
  • Real estate. In some cases, crypto has been used to purchase property through intermediaries in jurisdictions where real estate transactions are poorly monitored

The Bybit laundering timeline

According to blockchain analysis firm Elliptic, within one month of the Bybit hack [9]:

  • Roughly 86% of the stolen ETH (about 440,000 ETH) had been converted to Bitcoin, on the order of 13,000 BTC at the time
  • The Bitcoin was distributed across thousands of addresses
  • An estimated 20% had already been cashed out through OTC brokers
  • The remaining funds were in various stages of the mixing and bridging process

The Tornado Cash conviction

In May 2024, Alexey Pertsev, one of the developers of Tornado Cash (a decentralized Ethereum mixing protocol), was convicted by a Dutch court of money laundering and sentenced to 64 months in prison [10]. The prosecution argued that Tornado Cash was designed and operated to facilitate the laundering of criminal proceeds, including funds stolen by Lazarus Group.

The conviction was controversial in the crypto community because Tornado Cash is a set of open-source smart contracts deployed on a permissionless blockchain. Pertsev did not operate it in the traditional sense; once deployed, the contracts run autonomously. The verdict, which Pertsev has appealed, treats the developers of a privacy tool as liable for how others use it.

The US Treasury's Office of Foreign Assets Control (OFAC) had sanctioned Tornado Cash in August 2022, prohibiting US persons from interacting with the protocol. It was the first time OFAC designated a set of autonomous smart contracts rather than a person or entity.

The contracts themselves kept running throughout, because an immutable contract on a permissionless chain cannot be taken down by any single party. The legal picture then shifted: in November 2024 the Fifth Circuit held in Van Loon v. Department of the Treasury that Tornado Cash's immutable smart contracts are not "property" that OFAC can block, and Treasury removed the designation in March 2025. In the United States, co-founder Roman Storm was convicted in August 2025 of conspiracy to operate an unlicensed money transmitting business, with the jury unable to reach a verdict on the money laundering and sanctions-evasion counts. Exchanges and analytics providers nonetheless still treat funds that passed through Tornado Cash as high risk, and deposits with that history are routinely flagged or held.

The nuclear weapons connection

The scale of North Korea's crypto theft operation is directly tied to its weapons program. The UN Panel of Experts documented that [3]:

  • Cryptocurrency theft proceeds have been traced to accounts associated with the Reconnaissance General Bureau (RGB), the intelligence agency that oversees both cyber operations and weapons procurement
  • Funds from crypto theft have been used to purchase components for North Korea's ballistic missile program, including specialized alloys, guidance systems components, and rocket fuel precursors
  • The acceleration of North Korea's missile testing program (over 100 missile launches since 2022) correlates with the acceleration of cryptocurrency theft revenue
  • North Korea's IT worker fraud program (thousands of North Korean programmers working remotely for Western companies under false identities) provides both additional revenue and potential access to corporate systems

The FBI, NSA, and CISA issued a joint advisory in 2025 stating that "the DPRK's cyber program poses a significant threat to the integrity of the international financial system and directly funds weapons of mass destruction proliferation" [11].

The $2.02 billion year: 2025 in detail

Lazarus Group's $2.02 billion in 2025 crypto theft came from multiple operations [2]:

| Target | Amount | Method |
|--------|--------|--------|
| Bybit | $1.5B | Supply chain (Safe developer and hosted web app compromise) |
| Multiple DeFi protocols | $280M+ | Smart contract exploits and flash loan attacks |
| Individual whales | $150M+ | Social engineering, fake job offers, trojanized tools |
| Smaller exchanges | $90M+ | Various (compromised hot wallets, insider access) |

The 60% share of global crypto theft stands out for both its size and its concentration. A single threat actor, operating from one of the most isolated and sanctioned countries on earth, steals more cryptocurrency than every other hacker, criminal group, and nation-state combined.

How they keep getting away with it

Several factors enable Lazarus Group's continued success [12]:

Talent pipeline. North Korea's government identifies mathematically gifted children at a young age and funnels them into specialized education programs focused on computer science, cryptography, and hacking. Graduates are assigned to units within the RGB's cyber warfare bureau. Estimates suggest 6,000 to 7,000 trained cyber operators work for North Korean intelligence.

No legal consequences. Lazarus Group operators will never face arrest in North Korea. International warrants are meaningless when the perpetrators are state employees of a nuclear-armed country that does not extradite.

Operational patience. As the Bybit hack demonstrated, Lazarus Group will spend weeks or months in a compromised environment before acting. This patience allows them to understand the target's operations deeply before executing.

Technical sophistication. Lazarus Group develops custom malware, zero-day exploits, and novel social engineering techniques. Their tooling is regularly updated and adapted to evade detection.

Crypto ecosystem fragility. Despite billions of dollars in value, many crypto projects are maintained by small teams, use immature security practices, and rely on complex smart contract interactions that create large attack surfaces.

What the crypto industry should do

The Lazarus Group threat is existential for the cryptocurrency industry. If a single state actor can account for 60% of all theft losses worldwide, the industry's security model is broken at the foundation.

Independent verification of what is being signed. Multisig schemes that rely on a web interface to tell signers what they are approving are vulnerable to exactly the interface manipulation used against Bybit. Moving the keys to multi-party computation (MPC) does not fix this by itself: an MPC signer presented with the wrong digest signs the wrong digest. What closes the gap is having each signer, on an independent device or offline tool, decode the actual EIP-712 payload (target, value, calldata, operation type, nonce) and recompute the hash before approving, under a policy that rejects any delegatecall or implementation change from a treasury wallet by default.

Hardware wallet verification that actually shows the parameters. Bybit's signers did use hardware wallets; the devices showed only an opaque 32-byte hash because the Safe payload was blind-signed. A hardware device adds security only if it decodes the structured payload and displays the destination, amount and operation type, and only if the process requires the signer to compare those values with the intended transfer rather than with the web page. Had the signers been shown, and been required to check, that the payload was a delegatecall into an unknown contract, the attack would have stopped at the first signature.

Developer and deployment security. The code that compromised Bybit never entered Safe's source repository; it was written directly into the storage bucket serving the production web app using hijacked cloud credentials. Crypto infrastructure providers need phishing-resistant, device-bound MFA (hardware security keys), short-lived cloud sessions that cannot be replayed from a stolen token, monitoring of developer endpoints, and integrity checks that compare what is actually being served to users against the artifacts that CI built and signed. That a single compromised developer workstation could lead to a $1.5 billion loss shows how thin those controls were.
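One concrete control for that last point, as an added example rather than anything from Safe's own pipeline: a manifest of artifact hashes generated in CI at release time and checked, on a schedule, against what the hosting bucket actually serves. The file names and contents below are constructed, and the "tampered" deployment imitates the shape of the Bybit injection (a few extra lines in one bundle that only act for one target) without reproducing any real code.

```python
# Added example, not Safe's deployment tooling: verify that the files actually
# served to users match the artifact manifest produced at build time. A bundle
# written straight into the hosting bucket, bypassing CI, shows up as "modified".
import hashlib


def build_manifest(artifacts):
    """Map each artifact path to the SHA-256 of its contents (run in CI at release time)."""
    return {path: hashlib.sha256(body).hexdigest() for path, body in artifacts.items()}


def verify_served(manifest, served):
    """Compare served files to the manifest; return a sorted list of findings."""
    findings = []
    for path, body in served.items():
        if path not in manifest:
            findings.append(f"unexpected:{path}")
        elif hashlib.sha256(body).hexdigest() != manifest[path]:
            findings.append(f"modified:{path}")
    findings.extend(f"missing:{path}" for path in manifest if path not in served)
    return sorted(findings)


# Constructed release: the output a CI job would hash and sign.
RELEASE = {
    "index.html": b"<script src=app.js></script>",
    "app.js": b"export function showTx(tx){ render(tx); }",
}
MANIFEST = build_manifest(RELEASE)

# Constructed tampered deployment: app.js gained lines that only act for one
# target address, index.html is untouched, and a stray file appeared in the bucket.
TAMPERED = {
    "index.html": RELEASE["index.html"],
    "app.js": RELEASE["app.js"] + b"\nif(tx.safe===TARGET){ tx=swap(tx); }",
    "debug.js": b"console.log('x')",
}

if __name__ == "__main__":
    print(verify_served(MANIFEST, RELEASE))     # []
    print(verify_served(MANIFEST, TAMPERED))    # ['modified:app.js', 'unexpected:debug.js']
```

The check is only as strong as the manifest's provenance: it has to be produced by the build system and stored or signed somewhere the deployment credentials cannot reach, otherwise an attacker with bucket write access simply updates both. The same comparison run from a client that fetches the live bundles is what would have surfaced the two-day window in which Safe's app served code its repository never contained.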

Blockchain analytics integration. Exchanges, bridges and DeFi front ends should integrate with blockchain analytics providers (Chainalysis, Elliptic, TRM Labs) to screen deposits against addresses attributed to Lazarus Group and against funds traced from them, and to hold or freeze matches at the point of deposit. On-chain transfers themselves cannot be stopped; the only chokepoints are the custodial services and token issuers the funds must eventually pass through, which is why screening has to be automatic and fast.
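Screening at ingress is where the Phase 1 fan-out described earlier and the analytics integration recommended here meet. The following added example is my own illustration, not any vendor's algorithm: it runs proportional ("haircut") taint propagation over a constructed transfer list. Funds leaving a seed address are fully tainted, an intermediary's outflows carry its ratio of tainted to total inflows, and an exchange, bridge or OTC desk decides on a deposit from exposure and hop distance. The address labels and amounts are invented.

```python
# Added example, not the tooling of any analytics vendor: proportional ("haircut")
# taint propagation over a constructed transfer graph. An address's taint share is
# tainted_inflow / total_inflow, and every outgoing transfer carries that share
# forward. Seeds are the addresses a theft has been attributed to.
from collections import defaultdict

# Constructed transfers in chronological order: (tx_id, sender, receiver, amount in ETH).
# Labels are placeholders, not real addresses.
TRANSFERS = [
    ("t1", "exploiter", "hop-a", 10_000),
    ("t2", "exploiter", "hop-b", 10_000),
    ("t3", "legit-user", "hop-b", 10_000),   # clean funds commingled at hop-b
    ("t4", "hop-a", "dex-1", 10_000),
    ("t5", "hop-b", "dex-2", 20_000),
    ("t6", "dex-2", "bridge-in", 5_000),
    ("t7", "legit-user", "cold-store", 1),
    ("t8", "bridge-in", "otc-desk", 4_000),
]


def propagate_taint(transfers, seeds):
    """Return (tainted_in, total_in, hops): tainted and total volume each address
    received, and its shortest hop distance from a seed address."""
    tainted_in = defaultdict(float)
    total_in = defaultdict(float)
    hops = {s: 0 for s in seeds}
    for _tx_id, src, dst, amount in transfers:
        if src in seeds:
            share = 1.0
        elif total_in[src] > 0:
            share = tainted_in[src] / total_in[src]
        else:
            share = 0.0            # funds of unknown origin are treated as clean
        total_in[dst] += amount
        tainted_in[dst] += amount * share
        if share > 0 and src in hops:
            hops[dst] = min(hops.get(dst, float("inf")), hops[src] + 1)
    return dict(tainted_in), dict(total_in), hops


def screen_address(address, tainted_in, hops, freeze_threshold=100.0, max_hops=5):
    """Decision an exchange, bridge or OTC desk might take for an inbound deposit."""
    exposure = tainted_in.get(address, 0.0)
    if exposure >= freeze_threshold and hops.get(address, float("inf")) <= max_hops:
        return "FREEZE"
    if exposure > 0:
        return "REVIEW"
    return "CLEAR"


if __name__ == "__main__":
    tainted, total, hops = propagate_taint(TRANSFERS, {"exploiter"})
    for addr in ("hop-b", "dex-2", "bridge-in", "otc-desk", "cold-store"):
        print(f"{addr:10} tainted={tainted.get(addr, 0):>8.0f} of {total.get(addr, 0):>8.0f} "
              f"hops={hops.get(addr, '-')} -> {screen_address(addr, tainted, hops)}")
```

In the sample, hop-b mixes 10,000 tainted ETH with 10,000 clean ETH, so everything it sends onward is half tainted; the 4,000 ETH reaching otc-desk four hops out still carries 2,000 ETH of exposure and is frozen, while cold-store, funded only by the clean user, is cleared. Real deployments add bridge-edge matching (pairing an outbound THORChain swap with the BTC that appears on the other chain), FIFO or "poison" alternatives to haircut, and a time window, but the point stands: the decision has to be computable at deposit time, because nothing can stop the on-chain transfer itself.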

Industry-wide threat intelligence sharing. Lazarus Group reuses TTPs (tactics, techniques, and procedures) across attacks. Faster sharing of indicators of compromise across the industry could prevent subsequent attacks after an initial compromise is detected.

The $6.75 billion stolen by North Korea over four years is more than a financial loss. It is a direct subsidy of nuclear weapons proliferation, funded by the cryptocurrency industry's failure to secure itself against a known, persistent, and well-resourced adversary.

Sources

  1. Chainalysis, "The 2025 Crypto Crime Report: Cryptocurrency Theft and North Korea," 2025
  2. TRM Labs, "2025 Year in Review: DPRK Cryptocurrency Theft," January 2026
  3. United Nations, "Report of the Panel of Experts Established Pursuant to Resolution 1874 (2009)," S/2025/periodic, 2025
  4. Bybit, "Incident Report: February 21, 2025 Security Breach," March 2025
  5. FBI/CISA/NSA, "TraderTraitor: North Korean State-Sponsored APT Targeting Blockchain Companies," Joint Cybersecurity Advisory, updated 2025
  6. Elliptic, "Technical Analysis of the Bybit Hack," March 2025
  7. Chainalysis, "How North Korea Launders Stolen Cryptocurrency," 2025
  8. FBI, "North Korean Cryptocurrency Laundering and Cash-Out Methods," IC3 Advisory, 2024
  9. Elliptic, "Following the Bybit Funds: A Blockchain Analysis," April 2025
  10. Dutch Public Prosecution Service, "Verdict in Tornado Cash Developer Case," May 2024
  11. FBI/NSA/CISA, "Joint Advisory on DPRK Cyber Threats to the Financial Sector," 2025
  12. Recorded Future, "North Korea's Cyber Army: Structure, Capabilities, and Operations," Insikt Group, 2025
Tags: north korea, lazarus group, cryptocurrency, threat intelligence, apt, incident response, cyber attack, research
