How North Korea Stole $3 Billion in Crypto and Why It Matters


Between 2017 and 2023, North Korean hackers stole about $3 billion in cryptocurrency across 58 separate attacks. In 2024 alone they took another $1.34 billion, more than double the 2023 figure. Then, in February 2025, a single attack on Bybit took nearly $1.5 billion in Ether, the largest crypto heist ever recorded. This isn’t random crime. It’s state-backed, highly organized, and directly tied to funding North Korea’s nuclear weapons program.

How They Do It: The LinkedIn Trap

North Korean hackers don’t break into systems with brute force. They get you to invite them in. One of their most effective tactics? Fake job offers on LinkedIn.

In early 2024, attackers posed as recruiters from fake tech companies. They reached out to employees at Ginco, a Japanese company that builds enterprise crypto wallets. The victims were told to complete a coding test as part of the hiring process. The test? A Python script hosted on GitHub. It looked harmless. It wasn’t.

Once run, the script planted malware that gave the attackers a foothold on the employee’s computer. Over the following weeks they lifted session cookies: the tokens a browser presents to stay logged in after the password and any second factor have already been checked. Replaying those cookies let them act as the employee inside Ginco’s systems. No firewalls bypassed. No passwords cracked. Just a simple, clever lie and a stolen token.

From there, they waited and watched how real transactions were approved. Then, in late May, they manipulated a legitimate transaction request made by an employee of DMM Bitcoin, a Japanese exchange, so that the transfer went to an address they controlled. DMM lost 4,502.9 BTC, worth about $308 million at the time.
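The DMM theft worked because a request that one person saw as legitimate was executed with a different destination. The control that defeats this is to have every approver independently confirm the exact destination and amount, on top of an allowlist of pre-registered destinations and a per-transaction limit. The following is an added example of such a policy check; it is not code from Ginco, DMM or the article, and the addresses, names and limits in it are constructed placeholders.

```python
"""Added example: approve a withdrawal only when every signer independently
confirms the same destination and amount. Not code from Ginco, DMM or the
article; addresses, limits and names below are constructed placeholders."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field

# Destinations registered in advance through an out-of-band process.
# Constructed placeholders, not real addresses.
KNOWN_DESTINATIONS = {
    "bc1q-customer-hotwallet-0001",
    "bc1q-treasury-cold-0002",
}


@dataclass(frozen=True)
class WithdrawalRequest:
    request_id: str
    asset: str
    amount: float
    destination: str


@dataclass(frozen=True)
class Approval:
    approver: str
    digest: str  # computed by the approver from the request as *they* saw it


@dataclass
class Policy:
    quorum: int = 2
    per_tx_limit: dict = field(default_factory=lambda: {"BTC": 100.0})


def canonical_digest(req: WithdrawalRequest) -> str:
    """Hash of the fields that matter. Each approver recomputes this on their
    own machine from the request displayed to them, so a copy tampered with
    anywhere between signer and execution produces a different digest."""
    payload = json.dumps(
        {"id": req.request_id, "asset": req.asset,
         "amount": f"{req.amount:.8f}", "dest": req.destination},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode()).hexdigest()


def evaluate_withdrawal(req: WithdrawalRequest, approvals: list[Approval],
                        policy: Policy) -> tuple[bool, list[str]]:
    """Return (approved, reasons). Every failed check is reported, so an
    operator sees all of the problems with a request, not just the first."""
    reasons: list[str] = []
    if req.destination not in KNOWN_DESTINATIONS:
        reasons.append(f"destination {req.destination} is not on the allowlist")
    limit = policy.per_tx_limit.get(req.asset)
    if limit is not None and req.amount > limit:
        reasons.append(f"amount {req.amount} {req.asset} exceeds per-transaction limit {limit}")
    expected = canonical_digest(req)
    matching = {a.approver for a in approvals if a.digest == expected}
    if len(matching) < policy.quorum:
        reasons.append(f"only {len(matching)} of {policy.quorum} required approvals "
                       f"match this exact destination and amount")
    return (not reasons, reasons)


def demo() -> dict[str, tuple[bool, list[str]]]:
    """Two approvers sign the request they were shown; then the copy that
    reaches execution has its destination swapped, as in the DMM case."""
    shown = WithdrawalRequest("req-1001", "BTC", 50.0, "bc1q-customer-hotwallet-0001")
    sigs = [Approval("alice", canonical_digest(shown)),
            Approval("bob", canonical_digest(shown))]
    tampered = WithdrawalRequest("req-1001", "BTC", 50.0, "bc1q-attacker-9f3e")  # constructed
    return {
        "legitimate": evaluate_withdrawal(shown, sigs, Policy()),
        "tampered": evaluate_withdrawal(tampered, sigs, Policy()),
    }


if __name__ == "__main__":
    for name, (ok, reasons) in demo().items():
        print(name, "APPROVED" if ok else "REJECTED", reasons)
```

The point of the digest is that approvals are bound to what each signer actually saw, not to a request identifier. A request whose destination was rewritten after the approvers looked at it fails two checks at once: the new address isn’t on the allowlist, and none of the existing approvals match it.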

This isn’t an isolated case. The same pattern shows up in other attacks. They target employees with access to wallet systems. They build trust. They wait. Then they strike during normal business hours, hiding in plain sight.

The Bigger Heist: Bybit and the $1.5 Billion Ether Theft

The February 2025 attack on Bybit changed everything. Hackers stole nearly $1.5 billion in Ether - more than North Korea took in all 47 of its 2024 heists combined. Chainalysis confirmed it was the biggest theft in crypto history.

What made this different? Scale and speed. The attackers didn’t just steal. They moved. Fast. Within hours, they began converting Ether into Bitcoin and other coins using decentralized exchanges. They split the funds across hundreds of wallets. They used cross-chain bridges - tools that let you move crypto between blockchains - to muddy the trail.

Blockchain analysts from TRM Labs and others traced parts of the stolen funds to wallets previously linked to North Korea’s Lazarus group, and the FBI publicly attributed the attack to the TraderTraitor crew within days. This wasn’t just a hack. It was a financial operation designed to bypass sanctions.

Why North Korea Does This

North Korea is under some of the strictest sanctions in the world. Its coal and other exports are banned, it can’t legally import weapons components, and it is largely cut off from the international banking system. But it can steal crypto.

Crypto isn’t anonymous, but it is pseudonymous, global and bank-free: anyone can receive it, and moving it needs no correspondent bank that sanctions can lean on. Once it has been swapped, bridged and split across enough chains, tracing it is slow and freezing it is rare. The stolen money doesn’t go to luxury cars or private jets. It buys missiles, uranium, and warheads.

U.S. intelligence agencies, the UN, and Japan’s National Police Agency all agree: North Korea uses crypto theft to fund its weapons programs. Set against the cost of a single ballistic-missile test, the Bybit proceeds alone cover a great many launches. That’s why this isn’t just a crypto problem - it’s a national security issue.


Who’s Behind It?

North Korea doesn’t run one hacking group. It runs several, all under military intelligence control, and security vendors name the same crews differently, which makes the picture look more crowded than it is. Lazarus is the umbrella name, linked to over 20 major crypto heists since 2017. TraderTraitor, Jade Sleet, UNC4899, and Slow Pisces are different vendors’ names for one cluster inside it, the one the FBI has tied to the wallet-provider and exchange heists described above.

- Lazarus: the umbrella under which the large-scale heists and custom malware are tracked. The Bybit attack and the DMM hack are both Lazarus operations in this broad sense.

- TraderTraitor (also tracked as Jade Sleet, UNC4899, and Slow Pisces): the cluster the FBI named for Atomic Wallet, Alphapo, and CoinsPaid in 2023, for the DMM Bitcoin theft in 2024, and for Bybit in 2025. Its hallmark is the social-engineering approach: fake recruiters, fake job offers and trojanized coding tests delivered over LinkedIn and GitHub.

These groups don’t compete. They share tools, techniques, and intelligence. They’re not criminals. They’re soldiers.

How Much Has Been Stolen? The Numbers

The total stolen by North Korean hackers since 2017 is now well over $5 billion. Here’s how it breaks down (the 2023 figure is part of the 2017-2023 total, not in addition to it):

  • 2017-2023: $3 billion across 58 attacks
  • 2023 alone: $660.5 million across 20 attacks
  • 2024: $1.34 billion across 47 attacks - a 103% increase over 2023
  • February 2025: about $1.5 billion from Bybit in a single attack
In 2024, North Korean groups stole 61% of all cryptocurrency taken globally - even though they only carried out 20% of the attacks. That means they’re not just active. They’re efficient. They pick the right targets. They execute with precision.


Why Crypto Exchanges Keep Getting Hit

Most of these platforms weren’t beaten by exotic exploits. They were beaten at the point where a human approves a transfer. Some still let a single operator’s key or login session move large sums. Some don’t watch what their own employees’ accounts do after login. Others don’t notice when a session opened on a company laptop in Tokyo is suddenly being driven from another network by a script.

The DMM case shows why multi-factor authentication on its own isn’t enough: a stolen session cookie is replayed after the login check, second factor included, has already passed. The Bybit case shows why multi-signature on its own isn’t enough either. Bybit’s wallet did require several signers; the attackers got those signers to approve what looked on screen like a routine transfer out of a cold wallet, while the transaction they actually signed changed the wallet contract’s logic and handed control to the attackers. These aren’t one-off mistakes. They’re blind spots in how approvals are verified.

The worst part? The attackers know it. They don’t attack random platforms. They pick the ones whose internal controls they have already studied from inside, learn the routines, and time the theft to a legitimate transfer so that it looks like business as usual.

What’s Being Done?

The FBI, Japan’s National Police Agency, and the UN have published joint attributions and attacker wallet addresses, and have pushed exchanges, bridge operators and stablecoin issuers to freeze funds as they surface. They’ve named names. They’ve issued public alerts.

But enforcement is hard. North Korea has no extradition arrangement with the countries pursuing these cases, and its operators are widely reported to work from inside China and Russia. Even if you identify them, you can’t arrest them.

Crypto platforms are responding. Many now require:

  • Multi-signature wallets (for example 2-of-3 or 3-of-5 approvals, with each signer verifying the destination and amount independently)
  • Behavioral monitoring (flagging unusual login times or locations)
  • Employee training on social engineering (like the LinkedIn scam)
  • Real-time blockchain analysis tools (to detect suspicious transfers)
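The behavioral-monitoring item above is what would have caught the DMM intrusion early: a cookie minted for a browser on a company laptop in Tokyo later being driven by a script from a different network at 3 a.m. local time. The following is an added example of that check run over a few constructed log lines; it is not code from the article or from any company named in it, and the usernames, addresses, time zone and log format are assumptions.

```python
"""Added example: flag a session cookie that is being replayed from a
different network and client than the one that logged in. Not code from the
article or any named company; log lines, usernames and time zones are
constructed."""
from __future__ import annotations

import json
from datetime import datetime

# Constructed log: one interactive login, one normal request, then two
# requests carrying the same session id from another network and a scripted
# client. Times are UTC; the user works from Asia/Tokyo (UTC+9).
SAMPLE_LOG = """\
{"ts":"2024-05-20T01:02:11Z","event":"login","user":"ops.tanaka","session":"s-7f3a","ip":"203.0.113.10","ua":"Mozilla/5.0 (Macintosh) Chrome/124"}
{"ts":"2024-05-20T01:05:40Z","event":"request","user":"ops.tanaka","session":"s-7f3a","ip":"203.0.113.10","ua":"Mozilla/5.0 (Macintosh) Chrome/124","path":"/wallets"}
{"ts":"2024-05-20T17:48:02Z","event":"request","user":"ops.tanaka","session":"s-7f3a","ip":"198.51.100.77","ua":"python-requests/2.31","path":"/wallets"}
{"ts":"2024-05-20T17:49:30Z","event":"request","user":"ops.tanaka","session":"s-7f3a","ip":"198.51.100.77","ua":"python-requests/2.31","path":"/transfers/approve"}
"""

BUSINESS_HOURS = range(8, 20)              # 08:00-19:59 local counts as normal
USER_TZ_OFFSET_HOURS = {"ops.tanaka": 9}   # constructed: Asia/Tokyo


def local_hour(ts_iso: str, offset_hours: int) -> int:
    """Hour of day in the user's local time for an ISO-8601 UTC timestamp."""
    ts = datetime.fromisoformat(ts_iso.replace("Z", "+00:00"))
    return (ts.hour + offset_hours) % 24


def detect_session_anomalies(log_text: str) -> list[dict]:
    """Bind each session to the network and client seen at login, then score
    every later request carrying that session against the binding."""
    bound: dict[str, dict] = {}     # session id -> fingerprint recorded at login
    alerts: list[dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        sid = ev["session"]
        if ev["event"] == "login":
            bound[sid] = {"ip": ev["ip"], "ua": ev["ua"]}
            continue
        origin = bound.get(sid)
        if origin is None:
            severity, reason = "high", "session used with no observed login"
        else:
            ip_changed = ev["ip"] != origin["ip"]
            ua_changed = ev["ua"] != origin["ua"]
            if ua_changed:
                # A browser does not change its User-Agent mid-session; the same
                # cookie driven by a different program almost always means replay.
                severity, reason = "high", "cookie presented from a different client"
                if ip_changed:
                    reason += " and network"
            elif ip_changed:
                # Mobile and corporate egress addresses do change; treat as medium.
                severity, reason = "medium", "cookie presented from a different network"
            else:
                severity, reason = None, ""
        off_hours = local_hour(ev["ts"], USER_TZ_OFFSET_HOURS.get(ev["user"], 0)) not in BUSINESS_HOURS
        if severity is None and off_hours:
            severity, reason = "low", "activity outside the user's business hours"
        elif severity and off_hours:
            reason += "; outside the user's business hours"
        if severity:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "session": sid,
                           "path": ev.get("path"), "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_anomalies(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["ts"], alert["path"], alert["reason"])
```

The detection keys on the fact that a stolen cookie is a bearer token: it is valid wherever it is presented, so the only signal left is that it is being presented from somewhere the login never came from. Alerts on the `/transfers/approve` path are the ones a wallet operator should page on.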
Still, the attackers adapt. They launder through mixers, instant-swap services and cross-chain bridges, have moved funds into privacy coins such as Monero in some cases, and spread proceeds across fresh wallets faster than exchanges can freeze them. Defenders are usually reacting to the last heist.

What This Means for You

If you hold crypto, this isn’t just about big exchanges. It’s about trust. Every time a platform gets hacked, confidence drops. Prices swing. Users panic. Insurance costs rise.

The real lesson? Security isn’t just about passwords. It’s about culture. It’s about how companies treat their employees, how they monitor access, and how they respond to threats.

The $5 billion stolen by North Korea didn’t vanish into thin air. It went into missiles. Into bombs. Into weapons aimed at global stability. That’s why this isn’t just a crypto story. It’s a warning.

How do North Korean hackers steal crypto without getting caught?

They don’t avoid being caught so much as avoid being stopped. Social engineering - like fake job offers on LinkedIn - gets them inside. Stolen session cookies let them act as an employee. Once funds are taken, they move them fast across multiple blockchains using decentralized exchanges and cross-chain bridges and fragment them across hundreds of wallets, which makes tracing slow and recovery rare rather than impossible. And since the operators are in North Korea or friendly territory, attribution doesn’t lead to arrests.

Is crypto the only way North Korea funds its weapons program?

No, but it has become the single biggest source. Before crypto, the regime relied on smuggling, cyberattacks against banks, and illicit trade. Sanctions and bank de-risking made those harder. Crypto is global, lightly regulated in many places, and hard to recover once moved. UN Panel of Experts reporting has estimated that cyber theft accounts for roughly half of North Korea’s foreign-currency income and funds about 40% of its weapons of mass destruction programs.

Can blockchain analysis trace stolen crypto back to North Korea?

Yes - but it takes time and resources. Firms like Chainalysis and TRM Labs track wallet patterns, transaction timing, and historical links. They’ve matched stolen funds to wallets used in past attacks by Lazarus and TraderTraitor. However, hackers now use privacy coins and mixers to obscure trails. Attribution isn’t perfect, but it’s improving.
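The tracing described above, and the chain-hopping described in the Bybit section, both come down to walking a directed graph of transfers forward from the theft address until it reaches addresses already attributed in earlier cases. The following is an added example of that walk over a constructed transfer graph; it is not code from Chainalysis, TRM Labs or the article, and the addresses, chain names, bridge node and attribution label are placeholders. It follows edges rather than value, since the asset changes at a bridge and amounts stop being comparable.

```python
"""Added example: follow stolen funds forward through splits, swaps and a
cross-chain bridge to see whether they reach addresses attributed in earlier
incidents. Not code from Chainalysis, TRM Labs or the article; the transfer
graph and labels are constructed placeholders."""
from __future__ import annotations

from collections import defaultdict, deque

# Constructed transfers: (tx id, chain, sender, receiver, amount).
# A "bridge:*" node stands for the deposit and withdrawal sides of one
# cross-chain bridge; the asset changes across it, so amounts on the two
# sides are not comparable and the trace follows edges, not value.
TRANSFERS = [
    ("t1",  "eth", "exchange_hot",   "theft_1",            1000.0),
    ("t2",  "eth", "theft_1",        "split_a",             400.0),
    ("t3",  "eth", "theft_1",        "split_b",             600.0),
    ("t4",  "eth", "split_a",        "dex_router",          400.0),  # swapped to another token
    ("t5",  "eth", "dex_router",     "bridge:xchain",       400.0),
    ("t6",  "btc", "bridge:xchain",  "btc_hop_1",             9.9),
    ("t7",  "btc", "btc_hop_1",      "known_lazarus_2023",    9.9),
    ("t8",  "eth", "split_b",        "split_c",             600.0),
    ("t9",  "eth", "split_c",        "otc_desk",            600.0),
    ("t10", "eth", "unrelated_user", "known_lazarus_2023",    2.0),  # not from the theft
]

# Addresses attributed in earlier cases (constructed label, not a real address).
ATTRIBUTED = {"known_lazarus_2023": "received funds in a 2023 TraderTraitor heist (constructed)"}


def build_graph(transfers):
    """Adjacency list: sender -> [(tx id, chain, receiver, amount), ...]."""
    out = defaultdict(list)
    for txid, chain, src, dst, amt in transfers:
        out[src].append((txid, chain, dst, amt))
    return out


def trace_forward(transfers, seed: str, max_hops: int = 10) -> dict[str, dict]:
    """Breadth-first walk downstream from `seed`. Returns, for every reached
    address, its hop count, the shortest tx path and the chains crossed."""
    graph = build_graph(transfers)
    reached = {seed: {"hops": 0, "path": [], "chains": []}}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        info = reached[cur]
        if info["hops"] >= max_hops:
            continue
        for txid, chain, dst, _amt in graph.get(cur, []):
            if dst in reached:          # BFS: first visit is the shortest path
                continue
            chains = info["chains"] if chain in info["chains"] else info["chains"] + [chain]
            reached[dst] = {"hops": info["hops"] + 1,
                            "path": info["path"] + [txid],
                            "chains": chains}
            queue.append(dst)
    return reached


def attributed_exposure(trace: dict[str, dict], attributed: dict[str, str]) -> list[dict]:
    """Which attributed addresses did the traced funds reach, and by what path."""
    hits = []
    for addr, label in attributed.items():
        if addr in trace and trace[addr]["hops"] > 0:
            hits.append({"address": addr, "label": label, **trace[addr]})
    return hits


if __name__ == "__main__":
    for hit in attributed_exposure(trace_forward(TRANSFERS, "theft_1"), ATTRIBUTED):
        print(hit["address"], "reached in", hit["hops"], "hops via", hit["path"],
              "across", hit["chains"])
```

Two things the walk makes visible: the path from the theft to the attributed address crosses a bridge and changes asset, which is exactly the step meant to break naive amount-matching, and the inbound transfer from `unrelated_user` to the same attributed address never appears in the trace, because the walk only moves downstream from the theft. Real analysis adds value-weighting and heuristics for commingling at exchanges and DEX pools, but the graph walk is the skeleton under all of it.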

Why do hackers target Japanese and Dubai-based exchanges?

Because they’re large, well-known, and sometimes have weaker internal controls. Japan has many crypto firms with high liquidity. Dubai is a crypto hub with less regulatory oversight than the U.S. or EU. Hackers pick targets based on access, not geography - but these regions have more opportunities.

Are U.S. and allied governments doing enough to stop these hacks?

They’re trying. The FBI, Japan’s police, and the UN have shared intelligence, published attacker addresses, and had exchanges and stablecoin issuers freeze funds at hundreds of wallets. But the operators sit outside the reach of any arrest warrant, and their infrastructure can be rebuilt. The best defense is better verification inside crypto platforms - not government action alone.

Douglas Anderson 12 Mar

What’s wild is how simple the attack vector is. No zero-days, no fancy exploits. Just a fake LinkedIn message and a Python script that looks like a coding test. It’s social engineering at its most elegant - and terrifying. Companies think they’re safe because they have firewalls, but they forget the human is the weakest link. And once you have a session cookie, you’re already inside. No alarms. No alerts. Just silent, surgical theft.

This isn’t hacking. It’s infiltration.
