Crypto firm Paradigm warns in a report titled “Demystifying the North Korean Threat” that North Korean cyberwarfare attacks on the cryptocurrency industry are growing in sophistication, and the number of groups involved in such criminal activity is increasing.
Over the years, North Korea has been tied to high-profile cyberattacks on cryptocurrency exchanges, with stolen money believed to be used to finance the country’s military and nuclear programs.
The United Nations estimated North Korea stole about $3 billion in crypto hacks from 2017 to 2023. However, in 2024 and 2025 alone, it has already plundered a record $1.7 billion from two of the largest exchanges, WazirX and Bybit.
Hackers use fake job offers to steal crypto, putting millions of users at risk
There are several factions of North Korean hackers, each specializing in different kinds of cyberattacks. The most infamous one is the Lazarus Group, which has a history of targeting financial institutions and digital asset exchanges.
Other groups, such as AppleJeus, Dangerous Password, and Spinout, use different methods (e.g., phishing attacks, fake job offers, malware masquerading as genuine software).
The most shocking attack took place in February 2025, when crypto exchange Bybit was hacked for $1.5 billion, the largest cryptocurrency hack to date. While it was first considered to be a phishing scheme, an in-depth investigation revealed that the exploit was based on a much more advanced strategy.
The hackers, from North Korea’s Reconnaissance General Bureau, had stealthily compromised Safe{Wallet}, a digital wallet system used by many Bybit users, rather than launching an attack directly against the exchange. They planted a backdoor in the software, letting them siphon funds without immediately being noticed.
This method was far more sophisticated: rather than targeting exchanges themselves, it targeted the infrastructure that supports them.
Once they steal the cryptocurrency, the hackers launder it and evade detection using off-the-shelf, well-established techniques. They first divide the loot into smaller amounts, pass them through hundreds of digital wallets, and eventually turn them into Bitcoin (BTC).
This tactic makes it harder for authorities to trace the money. According to the security firm Chainalysis, Lazarus Group tends to hold stolen money for months, or even years, before spending it, maximizing its chances of avoiding detection.
The FBI has identified three alleged members of the Lazarus Group and accused them of cybercrimes. In February 2021, the US Justice Department indicted two of those members for involvement in global cybercrimes. Yet, despite such efforts, North Korean hackers and cybercriminals have continued to adapt and find new methods for interfering with financial systems.