Between 2017 and 2025, North Korean hackers stole $3 billion in cryptocurrency - not through brute force, but by tricking people. Not computers. People. Employees at wallet companies. Developers at crypto startups. Even recruiters on LinkedIn. This wasn’t random crime. It was a state-run operation, carefully planned, patient, and terrifyingly effective.
How They Did It: The LinkedIn Trap
In March 2024, a recruiter reached out to a software engineer at Ginco, a Japanese company that builds enterprise crypto wallets. The message was professional. The resume looked real. The job offer? Too good to pass up. The candidate was asked to complete a simple Python coding test hosted on GitHub. It was a trap. The file wasn’t a test - it was malware. Once installed, it gave hackers full access to the engineer’s work system. Over the next two months, the attackers watched. They waited for the right moment. They copied session cookies. They learned how the company’s internal systems worked. Then, in May, they struck. A legitimate employee at DMM, a Japanese crypto platform, requested a transaction. The hackers intercepted it. They changed the destination wallet. And $308 million in Bitcoin vanished. This wasn’t an isolated case. The same pattern repeated across dozens of attacks. North Korean groups like Lazarus and TraderTraitor didn’t break into systems. They walked in through the front door - disguised as job applicants, consultants, or vendors. They exploited trust, not code.
The $1.5 Billion Bybit Heist
The biggest single theft in crypto history didn’t happen in 2024. It happened in February 2025. Hackers stole nearly $1.5 billion in Ether from Bybit, a Dubai-based exchange. That’s more than the total stolen in all 47 North Korean attacks combined during 2024. What made this different? Scale. Speed. Sophistication. The attackers didn’t just drain one wallet. They drained the entire hot wallet - the one used for daily withdrawals. They used a combination of compromised internal credentials and a zero-day vulnerability in a third-party service. Once inside, they moved the funds through a chain of decentralized exchanges and cross-chain bridges, turning Ether into Bitcoin, then into Monero - a privacy coin nearly impossible to trace. Chainalysis, the leading blockchain analytics firm, confirmed the fingerprints matched North Korean operations: the same wallet patterns, the same laundering routes, the same timing. This wasn’t just theft. It was a financial weapon.
Why North Korea? The Sanctions Loop
North Korea is under some of the strictest sanctions in the world. No oil imports. No banking access. No global trade. But it still needs to buy missiles, uranium, and advanced electronics. How? Crypto. Since 2017, Pyongyang has turned digital theft into its primary revenue stream. The UN reported in late 2024 that stolen crypto funds directly support its weapons programs. Every Bitcoin stolen is a rocket fuelled. Every Ether laundered is a warhead paid for. And it works. In 2024, North Korean groups stole 61% of all cryptocurrency lost to hacking - more than all other criminal groups combined. They didn’t need to be the most numerous. They just needed to be the most precise.
Why Are They So Good?
Most hackers want quick cash. North Korean hackers want long-term funding. That changes everything. They spend months inside a company. They study workflows. They wait for holidays, when fewer people are watching. They target employees with access to multiple systems - not just one admin account. They use open-source tools, not custom malware, making detection harder. They also adapt fast. When exchanges started using multi-signature wallets, North Korean hackers shifted to targeting the people who manage those wallets - not the wallets themselves. When platforms added two-factor authentication, the hackers started stealing session cookies before users logged in. And they have resources. Unlike criminal gangs, they’re backed by a government with a dedicated cyber unit, training centers, and a steady supply of skilled coders. They’re not freelancers. They’re soldiers.
What’s Being Done?
The FBI, Japan’s National Police Agency, and South Korea’s National Intelligence Service have all publicly linked these attacks to North Korea. They’ve issued warnings. They’ve frozen wallets. They’ve pressured exchanges to improve security. But the damage is already done. Over $5 billion has been stolen since 2017. And the attacks aren’t slowing down - they’re accelerating. Exchanges now spend millions on blockchain monitoring tools. Some require employees to use hardware tokens, isolated workstations, and mandatory cybersecurity training. Insurance premiums for crypto platforms have doubled in the last two years. Users are losing trust. Yet, the hackers keep winning. Why? Because no amount of encryption can stop a person from clicking a link they think is real.
What You Can Do - Even If You’re Not a Company
If you hold crypto, you’re indirectly affected. When exchanges get hacked, prices drop. When trust erodes, adoption slows. Here’s what you can do:
- Use a hardware wallet - not an exchange wallet. If you don’t control the keys, you don’t own the crypto.
- Check the history of any platform you use. Has it been hacked before? How did they respond?
- Never click links from unsolicited job offers, even if they look professional. Verify the company independently.
- Enable two-factor authentication everywhere - and use an authenticator app, not SMS.
- Don’t store large amounts of crypto on devices connected to the internet.
Rishav Ranjan
December 25, 2025 AT 00:06
So they just click links and boom $3B gone? Yeah that's the whole story.
vaibhav pushilkar
December 26, 2025 AT 05:30
Hardware wallets are non-negotiable. If you're keeping crypto on an exchange, you're already losing.
Janet Combs
December 26, 2025 AT 08:10
I just can't believe people still fall for LinkedIn job scams. I got one last week asking me to install a 'coding test' and I just reported it. Like... really? You think I'm that dumb?
Sybille Wernheim
December 26, 2025 AT 08:41
It's wild how the weakest link is always human. We build firewalls and encryption and two-factor auth but one tired employee clicking a link undoes it all. We need to treat cybersecurity like mental health - it’s not just tech, it’s people.
Cathy Bounchareune
December 26, 2025 AT 13:34
This reminds me of how colonial powers used local collaborators to control entire regions. Same energy. You don't need to conquer the castle - just convince the gatekeeper to open the door. And now the castle is made of blockchain, but the gatekeeper is still just a person.