North Korean Hackers Shift From Technical Exploits to Social Engineering as Crypto Theft Surpasses $2 Billion in 2025

Blockchain analytics firm Elliptic published a landmark report on October 7, 2025, revealing that North Korean state-sponsored hackers have stolen more than $2 billion in cryptocurrency so far this year — the largest annual total on record, with three months still remaining. The figure represents a dramatic escalation from the previous record of $1.35 billion set in 2022 and pushes the regime’s total stolen crypto since 2017 past $6 billion.

The Exploit Mechanics

What makes the 2025 campaign particularly alarming is the shift in tactics. According to Elliptic, the majority of hacks this year have been perpetrated through social engineering attacks, where hackers deceive or manipulate individuals to gain access to cryptocurrency holdings. This represents a fundamental pivot from earlier campaigns where technical flaws in crypto infrastructure were exploited to steal funds. The largest single incident — the $1.4 billion theft from exchange Bybit in February 2025 — was attributed to North Korea by the FBI and multiple blockchain monitoring firms. Other high-profile victims include Axie Infinity, which lost $625 million in 2022, Harmony at $100 million the same year, and WazirX with $235 million stolen in 2024. North Korea’s main targets remain cryptocurrency exchanges, but Elliptic notes a growing focus on high-net-worth individuals who hold substantial crypto portfolios.

Affected Systems

The social engineering campaigns leverage sophisticated impersonation tactics, including fake job recruitment schemes — a method previously documented by the governments of Japan, South Korea, and the United States, which jointly accused North Korean hackers of stealing more than $659 million through similar approaches in 2024. The attackers create elaborate fake identities, complete with fabricated employment histories at legitimate tech companies, to infiltrate target organizations. Once inside, they deploy malicious code or manipulate transaction approvals. The United Nations Security Council believes the stolen funds are used to finance North Korea’s nuclear weapons program, making these attacks not just financial crimes but matters of international security.

The Mitigation Strategy

Elliptic emphasizes that “the weak point in cryptocurrency security is increasingly human, rather than technical.” This assessment calls for a fundamental rethinking of security protocols across the industry. Organizations should implement multi-layer verification for all transaction approvals, conduct regular social engineering awareness training, and establish strict protocols for onboarding remote workers with access to sensitive systems. Multi-signature wallets with hardware key requirements can add friction that prevents single-point-of-failure social engineering attacks. Exchange operators should consider behavioral analysis systems that flag unusual transaction patterns before execution.
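The controls in this paragraph can be combined into a single pre-execution gate. The sketch below is an added example, not code from Elliptic or from this article; the class names, thresholds, addresses and sample withdrawals are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Approval:
    approver: str
    hardware_key: bool   # signature produced by a hardware-backed key
    delay_s: int         # seconds between the request and this approval

@dataclass(frozen=True)
class Withdrawal:
    requester: str
    destination: str
    amount: float
    approvals: tuple

def evaluate(w, history, allowlist, threshold=2, min_review_s=300, factor=5.0):
    """Return (decision, reasons); decision is 'execute', 'hold' or 'reject'."""
    # Layer 1: M-of-N distinct hardware-key approvers, none of them the requester,
    # so one deceived or malicious insider cannot move funds alone.
    signers = {a.approver for a in w.approvals
               if a.hardware_key and a.approver != w.requester}
    if len(signers) < threshold:
        return "reject", [f"{len(signers)} of {threshold} independent hardware-key approvals"]
    # Layer 2: behavioural flags, evaluated before the transaction executes.
    reasons = []
    if w.destination not in allowlist:
        reasons.append("destination not on allowlist")
    baseline = median(history) if history else 0.0  # no history: every amount is flagged
    if w.amount > factor * baseline:
        reasons.append("amount far above median of past withdrawals")
    if any(a.delay_s < min_review_s for a in w.approvals):
        reasons.append("approval faster than minimum review time")
    return ("hold" if reasons else "execute"), reasons

# Constructed sample data (hypothetical names, addresses and amounts).
HISTORY = [10.0, 12.0, 8.0, 11.0]
ALLOWLIST = {"cold-wallet-1", "partner-exchange-A"}
ROUTINE = Withdrawal("alice", "cold-wallet-1", 9.0,
                     (Approval("bob", True, 900), Approval("carol", True, 1500)))
RUSHED = Withdrawal("alice", "unknown-address", 400.0,
                    (Approval("bob", True, 40), Approval("carol", True, 55)))
SELF_SIGNED = Withdrawal("alice", "cold-wallet-1", 9.0,
                         (Approval("alice", True, 900), Approval("bob", False, 900)))

if __name__ == "__main__":
    for name, w in [("routine", ROUTINE), ("rushed", RUSHED), ("self-signed", SELF_SIGNED)]:
        print(name, evaluate(w, HISTORY, ALLOWLIST))
```

A "hold" result is meant to route the request to out-of-band confirmation rather than silently drop it, which is where the independent-channel verification described above takes place.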

Lessons Learned

The $2 billion milestone underscores several critical lessons. First, attribution remains challenging — Elliptic acknowledges awareness of many thefts that share hallmarks of North Korean activity but lack sufficient evidence for definitive attribution, and other thefts likely remain unreported. Second, the shift toward social engineering means that even organizations with robust technical security remain vulnerable if their personnel can be manipulated. Third, the sheer scale of theft — $6 billion since 2017 — demonstrates that current defensive measures across the industry remain inadequate to address a state-sponsored adversary of this sophistication.

User Action Required

Individual crypto holders should verify all communications through independent channels, never approve transactions under time pressure, use hardware wallets for significant holdings, and enable all available security features on exchange accounts. With Bitcoin trading at approximately $121,450 and Ethereum near $4,450 on this date, the total value at risk across the crypto ecosystem has never been higher, making personal vigilance more critical than ever. The threat landscape has evolved — and so must every participant’s approach to security.

This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before making security decisions.

8 thoughts on “North Korean Hackers Shift From Technical Exploits to Social Engineering as Crypto Theft Surpasses $2 Billion in 2025”

    1. mempool_watch formal verification helps but it won't stop fake job recruitment schemes. the defense needs to be organizational not just technical

  1. the shift from technical exploits to social engineering is the real story. $1.4B from Bybit through deception not code vulnerabilities. humans are the weakest link and always will be

    1. the fake job recruitment angle is terrifying because it works on technical staff. your dev gets hired for a fake position and the malware is already in your build pipeline
