North Korean crypto theft surges 51%: $2 billion stolen in a year, Chinese-language money laundering network exposed

Chainalysis's latest report puts the total cryptocurrency stolen worldwide in 2025 at approximately $3.4 billion, of which at least $2.02 billion came from North Korea-linked attacks, a 51% increase (about $681 million) over 2024 and a new record high. North Korea-linked actors account for 76% of the total, and their cumulative haul to date is at least $6.75 billion in crypto assets.

North Korean Hackers Dominate 76% of Global Crypto Theft

Figure: cryptocurrency hacking incidents

(Source: Chainalysis)

2025 has become the most severe year since North Korea began its cryptocurrency theft operations: related attacks account for 76% of the total, a historic high, meaning roughly three-quarters of the year's crypto theft is linked to North Korea. This dominance is not accidental; it is the result of long-term investment and accumulated tradecraft by North Korea's state-run cyber units.

The $2.02 billion in illicit proceeds is strategically significant for North Korea. International estimates put its annual GDP at about $20-30 billion, so the stolen funds amount to roughly 6-10% of GDP. With UN sanctions having cut off most legitimate trade channels, cryptocurrency theft has become one of North Korea's main sources of foreign exchange, and the funds are used to support its nuclear weapons and ballistic missile programs.

The 51% year-on-year growth shows that North Korean hackers are rapidly expanding their capabilities, in attack strategy as much as in technical skill. From early, crude phishing they have progressed to multi-stage social engineering, supply chain compromise and insider placement: a mature, repeatable attack methodology.

2025 North Korea Hacker Attack Data

Total stolen amount: $2.02 billion, accounting for 76% of global crypto thefts, a 51% increase from 2024

Cumulative historical theft: $6.75 billion since 2017, averaging about $840 million per year

Largest single case: $1.5 billion from a major centralized exchange (CEX), accounting for 74% of North Korea's total theft in 2025

Lazarus Group is widely believed to be closely linked to the Reconnaissance General Bureau (RGB) in Pyongyang. Between 2020 and 2023 alone it carried out at least 25 crypto thefts worth over $200 million. The group has targeted financial institutions and crypto platforms for the past decade and is suspected of involvement in the recent theft of about $36 million from Upbit, South Korea's largest crypto exchange.

Centralized Exchange $1.5 Billion Incident and Dual-Path Penetration Strategy

According to the report, the breach of a centralized exchange in February 2025 was North Korea's largest single attack, causing about $1.5 billion in losses. It was attributed to the threat group tracked as TraderTraitor, also known as Jade Sleet or Slow Pisces. Security firm Hudson Rock later reported that a computer infected with the Lumma Stealer infostealer was linked to infrastructure used in the attack.

The intrusion was highly sophisticated. Rather than attacking the exchange's cold wallet system head-on, the attackers used social engineering against staff to obtain access to internal systems, moved laterally to critical systems, and ultimately took control of private key management. Each stage of this multi-step chain required a high level of skill and patience.

Beyond direct exchange intrusions, North Korean operators have long run a social engineering campaign known as "Operation Dream Job". Posing as recruiters on platforms such as LinkedIn and WhatsApp, they approach professionals in the defense, technology, aerospace and manufacturing sectors with high-paying job offers and lure targets into downloading and executing malware, which is then used to steal sensitive data or establish long-term access.

Another strategy is known as "Wagemole": North Korea-linked personnel apply for overseas IT jobs under false identities, or infiltrate companies through shell entities, to gain access to systems and crypto services before launching high-impact attacks. Chainalysis notes that this approach accelerates initial access and lateral movement ahead of large-scale theft, and may be a key reason for this year's record losses.

The U.S. Department of Justice announced that a 40-year-old Maryland man was sentenced for helping North Korean personnel obtain IT work under borrowed identities. The investigation found that he let North Korean nationals living in Shenyang, China, use his identity to work for multiple U.S. companies and government agencies, earning nearly $1 million between 2021 and 2024. The case illustrates the Wagemole operating model.

Three-Stage Fund Transfer Through Chinese-Language Money Laundering Networks

On the fund-movement side, stolen crypto assets are typically pushed through a structured, multi-stage laundering process. The report notes that North Korean hackers make extensive use of Chinese-language money laundering services and over-the-counter (OTC) trading, showing close ties to underground financial networks in Chinese-speaking regions.

The first stage takes place within days of the attack: funds are rapidly dispersed through decentralized finance (DeFi) protocols and mixers to sever the direct link between the stolen funds and the original addresses. Large balances are split into thousands of small transfers through mixers such as Tornado Cash and across multiple DeFi protocols, which makes tracing far harder.

The second stage is initial consolidation through exchanges, cross-chain bridges and secondary mixers. Funds move from Ethereum to BSC, Tron and other chains, using the complexity of the bridges to obscure the trail further, and some flow into smaller exchanges with weak KYC, where they are converted into other cryptocurrencies or stablecoins.

Finally, within about 20 to 45 days, the funds are converted to fiat or other assets. This is the most critical and riskiest stage, since turning crypto into usable fiat requires touching the traditional financial system. North Korean hackers rely mainly on Chinese OTC traders and underground money changers, who provide large-volume crypto-to-fiat exchange and route the money through complex banking networks to accounts controlled by North Korea.
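The three stages above are what an investigator looks for in a transaction graph: rapid fan-out right after the theft, consolidation from several routes a few days later, and tainted value landing at an off-ramp within weeks. The script below is an added example, not code from the article or from Chainalysis, showing how to trace stolen funds with proportional ("haircut") taint and flag each stage. The ledger, address names (`victim_hot_wallet`, `mixer_pool`, `otc_desk_1` and so on) and off-ramp labels are all constructed for illustration; real analysis would pull transfers from chain data and use a curated address-label set.

```python
from collections import defaultdict

# Constructed ledger for illustration, not real on-chain data.
# Each entry: (hours since the theft, sender, receiver, amount in ETH-equivalent units).
# Address names are hypothetical analyst labels, not real addresses.
LEDGER = [
    (0,   "victim_hot_wallet", "attacker_0", 1000.0),   # the theft itself
    (2,   "attacker_0", "split_1", 250.0),               # stage 1: fan-out within hours
    (2,   "attacker_0", "split_2", 250.0),
    (2,   "attacker_0", "split_3", 250.0),
    (2,   "attacker_0", "split_4", 250.0),
    (5,   "split_1", "mixer_pool", 250.0),               # mixer deposits
    (5,   "split_2", "mixer_pool", 250.0),
    (6,   "split_3", "bridge_eth_to_tron", 250.0),       # cross-chain bridge route
    (6,   "split_4", "dex_swap", 250.0),                 # DeFi swap route
    (12,  "unrelated_user", "mixer_pool", 500.0),        # clean deposit sharing the pool
    (30,  "mixer_pool", "consolidate_a", 200.0),         # stage 2: consolidation
    (30,  "mixer_pool", "consolidate_a", 150.0),
    (31,  "bridge_eth_to_tron", "consolidate_a", 240.0),
    (35,  "dex_swap", "consolidate_a", 245.0),
    (40,  "mixer_pool", "unrelated_user_2", 400.0),      # clean user withdraws, inherits taint
    (600, "consolidate_a", "otc_desk_1", 800.0),         # stage 3: off-ramp at ~25 days
    (610, "consolidate_a", "small_exchange", 35.0),
]

# Constructed labels for addresses where crypto leaves the chain for fiat (hypothetical).
OFF_RAMPS = {"otc_desk_1": "OTC desk", "small_exchange": "low-KYC exchange"}


def trace_taint(ledger, seed_senders):
    """Proportional ("haircut") taint propagation in chronological order.

    Transfers out of a seed sender (the victim) are 100% tainted. Every later
    transfer carries taint in proportion to the sender's tainted share of its
    balance, so a clean deposit into a mixer dilutes, but does not erase, the
    taint on what comes out. Addresses funded outside the ledger are treated
    as clean. Returns (flows, tainted): flows is a list of
    (hours, sender, receiver, amount, tainted_amount); tainted maps each
    address to its remaining tainted balance.
    """
    balance = defaultdict(float)
    tainted = defaultdict(float)
    flows = []
    for hours, sender, receiver, amount in sorted(ledger, key=lambda e: e[0]):
        if sender in seed_senders:
            taint = amount
        elif balance[sender] > 0:
            taint = amount * tainted[sender] / balance[sender]
            tainted[sender] = max(tainted[sender] - taint, 0.0)
            balance[sender] = max(balance[sender] - amount, 0.0)
        else:
            taint = 0.0
        tainted[receiver] += taint
        balance[receiver] += amount
        flows.append((hours, sender, receiver, amount, taint))
    return flows, dict(tainted)


def flag_fan_out(flows, within_hours=72, min_outputs=4):
    """Stage 1 signature: an address scattering tainted funds to many receivers soon after the theft."""
    outputs = defaultdict(set)
    for hours, sender, receiver, _, taint in flows:
        if taint > 0 and hours <= within_hours:
            outputs[sender].add(receiver)
    return {a: len(r) for a, r in outputs.items() if len(r) >= min_outputs}


def flag_consolidation(flows, min_sources=3):
    """Stage 2 signature: an address gathering tainted funds from several distinct routes."""
    sources = defaultdict(set)
    for _, sender, receiver, _, taint in flows:
        if taint > 0:
            sources[receiver].add(sender)
    return {a: len(s) for a, s in sources.items() if len(s) >= min_sources}


def off_ramp_exposure(flows, off_ramps):
    """Stage 3: tainted value reaching labelled off-ramps, with the latest arrival time,
    which tells an investigator where to send a freeze request and how late it already is."""
    report = {}
    for hours, _, receiver, _, taint in flows:
        if receiver in off_ramps and taint > 0:
            label, total, _ = report.get(receiver, (off_ramps[receiver], 0.0, hours))
            report[receiver] = (label, total + taint, hours)
    return report


if __name__ == "__main__":
    flows, tainted = trace_taint(LEDGER, {"victim_hot_wallet"})
    print("fan-out:", flag_fan_out(flows))
    print("consolidation:", flag_consolidation(flows))
    for addr, (label, amt, hours) in off_ramp_exposure(flows, OFF_RAMPS).items():
        print(f"{addr} ({label}): {amt:.2f} tainted units arrived after {hours / 24:.0f} days")
```

Two design points matter in practice. First, haircut taint is one convention among several (FIFO and "poison" are others) and the choice changes who gets flagged: here the clean `unrelated_user_2` withdraws 400 units from the shared mixer pool and inherits 200 units of taint, which is exactly why exchanges treat mixer exposure as a risk signal rather than proof. Second, the thresholds (`within_hours`, `min_outputs`, `min_sources`) are tuning knobs; the 72-hour window and fan-out count here mirror the "within days, thousands of small transfers" pattern described above, but a real deployment would calibrate them against known-clean traffic.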

The tight connectivity of this "Chinese system" has raised concern among U.S. law enforcement: it suggests that underground financial networks in mainland China, Hong Kong, Taiwan or Chinese communities in Southeast Asia are providing the key laundering services for North Korea. The complexity of these transnational criminal networks makes tracing and enforcement extremely difficult.

Security experts warn that North Korea-linked threat actors keep adjusting their tactics, shifting from direct system intrusion toward more covert personnel infiltration and platform abuse. As crypto and remote work spread, these risks are expected to grow, posing major challenges for regulators and corporate security teams.
