Amazon Blocks 1,800 North Korean Fake IT Workers as Crypto Theft Surges Past $2 Billion

Amazon has blocked more than 1,800 suspected North Korean IT workers attempting to infiltrate remote positions since April 2024, as blockchain analysis firm Chainalysis reports that state-sponsored hackers from the Democratic People’s Republic of Korea have stolen over $2 billion in cryptocurrency during 2025 alone. The twin threats — insider infiltration and outright theft — represent an unprecedented convergence of nation-state cyber operations targeting the digital asset industry.

The Exploit Mechanics

According to the Chainalysis report published on December 19, 2025, a total of $3.41 billion in cryptocurrency was stolen by all hackers between January and early December 2025. North Korean threat actors accounted for at least $2.02 billion of that total, with the $1.5 billion Bybit heist representing the single largest contribution to this figure. This marks the most severe year on record for DPRK crypto theft in terms of value stolen, with North Korean attacks accounting for a record 76% of all service compromises.

The all-time total amount of cryptocurrency stolen by North Korean threat actors has now reached $6.75 billion, according to Chainalysis calculations. Despite the record-breaking amount stolen in 2025, the actual frequency of attacks conducted by North Korean hackers has decreased, with analysts noting that they likely reduced their operational tempo following the Bybit attack to focus on laundering the stolen cryptocurrency.

Affected Systems

North Korea’s operations now span two distinct attack vectors. The first involves direct cyber intrusions against cryptocurrency exchanges, custodians, and decentralized finance protocols. The second, and increasingly concerning, relies on planting IT workers inside target organizations.

Chainalysis reports that North Korean crypto theft operations increasingly depend on IT workers securing employment at cryptocurrency exchanges, custodians, and Web3 companies, where they serve as insiders. These workers collect salaries while simultaneously exfiltrating sensitive infrastructure details that enable later attacks. In parallel, North Korean threat actors pose as recruiters, orchestrating fake hiring processes to collect credentials, source code, and other valuable intelligence from job seekers. They also impersonate potential investors and acquirers to gather strategic information.

Amazon’s chief security officer, Stephen Schmidt, disclosed that the company identified more than 1,800 suspected North Koreans attempting to gain employment since April 2024, with a 27% quarter-over-quarter increase in attempts during 2025. Amazon employs an AI model that analyzes connections to nearly 200 high-risk institutions, anomalies across applications, and geographic inconsistencies to detect fraudulent applicants.
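The three signal types named above can be sketched as a rule-based screen over application records. This is an added example, not Amazon's model: the field names, watchlist entries, sample records and review threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Hypothetical watchlist: the article gives a count (nearly 200), not names.
HIGH_RISK_INSTITUTIONS = {"example institute a", "example institute b"}

# Constructed sample applications; every value is invented for illustration.
APPLICATIONS = [
    {"id": "A1", "name": "Dana Lee", "claimed_country": "US", "ip_country": "US",
     "institution": "State University", "phone": "+1-555-0100", "resume_hash": "r1"},
    {"id": "A2", "name": "Sam Ortiz", "claimed_country": "US", "ip_country": "SG",
     "institution": "Example Institute A", "phone": "+1-555-0142", "resume_hash": "r2"},
    {"id": "A3", "name": "Kim Park", "claimed_country": "US", "ip_country": "US",
     "institution": "City College", "phone": "+1-555-0142", "resume_hash": "r2"},
    {"id": "A4", "name": "Dana Lee", "claimed_country": "US", "ip_country": "US",
     "institution": "State University", "phone": "+1-555-0100", "resume_hash": "r1"},
]

def screen(applications, watchlist=HIGH_RISK_INSTITUTIONS):
    """Return {application id: sorted list of triggered signals}."""
    flags = defaultdict(set)
    shared = defaultdict(set)  # (field, value) -> {(application id, applicant name)}
    for app in applications:
        # Geographic inconsistency: claimed location differs from observed network location.
        if app["claimed_country"] != app["ip_country"]:
            flags[app["id"]].add("geo_mismatch")
        # Connection to a listed institution.
        if app["institution"].strip().lower() in watchlist:
            flags[app["id"]].add("high_risk_institution")
        for field in ("phone", "resume_hash"):
            shared[(field, app[field])].add((app["id"], app["name"]))
    # Anomaly across applications: one phone or resume reused under different names.
    # The same person applying twice (A1 and A4) is deliberately not flagged.
    for (field, _), users in shared.items():
        if len({name for _, name in users}) > 1:
            for app_id, _ in users:
                flags[app_id].add(f"shared_{field}")
    return {app["id"]: sorted(flags[app["id"]]) for app in applications}

def needs_review(applications, threshold=2):
    """Application ids with at least `threshold` signals, queued for a human reviewer."""
    return sorted(i for i, f in screen(applications).items() if len(f) >= threshold)

if __name__ == "__main__":
    for app_id, signals in screen(APPLICATIONS).items():
        print(app_id, signals)
    print("review queue:", needs_review(APPLICATIONS))
```

No single signal decides the outcome here; the output is a queue for manual identity verification, which matches the layered checks the article recommends.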

The Mitigation Strategy

With Bitcoin trading at approximately $88,100 and Ethereum near $2,978 on December 19, 2025, according to CoinMarketCap data, the sheer value locked in crypto markets makes them an irresistible target for sanctioned regimes. Organizations must adopt multi-layered security approaches.

Key mitigations include rigorous identity verification for all remote employees, particularly those in engineering and infrastructure roles. Background checks, credential verification, and structured behavioral analysis should become standard practice. Companies handling digital assets should implement strict access controls, hardware security modules for key management, and real-time monitoring for anomalous transactions.

Lessons Learned

The North Korean campaign reveals several critical lessons for the cryptocurrency industry. First, the human element remains the most exploitable vulnerability. Technical safeguards mean little when an adversary can simply get hired and walk through the front door. Second, the convergence of IT worker infiltration and direct hacking creates compounding risk — insiders can map security infrastructure while external operatives probe for weaknesses. Third, the $6.75 billion cumulative total stolen by North Korea demonstrates that these are not opportunistic attacks but a well-funded, strategically organized operation that sustains a nation’s economy.

User Action Required

Individual crypto users should take immediate steps to protect their assets. Use hardware wallets for long-term storage. Enable two-factor authentication on all exchange accounts. Never share seed phrases or private keys, regardless of who asks. Be wary of unsolicited job offers or investment inquiries, as these could be intelligence-gathering attempts by state actors. Monitor wallet activity regularly and consider using multi-signature wallets for large holdings. The threat from nation-state actors is not theoretical — it is active, well-funded, and growing.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with qualified professionals before making security decisions regarding your digital assets.
