
North Korean Hackers Steal $2 Billion in Cryptocurrency in 2025

4 unique sources, 6 articles

Summary


North Korean state-sponsored hackers, primarily the Lazarus Group and its Bluenoroff (APT38) subgroup, continue to aggressively target cryptocurrency-adjacent entities to fund the regime’s illicit activities. As of March 2026, confirmed thefts in 2025 exceeded $2 billion, with cumulative losses since 2017 surpassing $6.75 billion. Recent attacks now include e-commerce platforms like Bitrefill, where North Korean operators compromised employee devices to steal cryptocurrency and gift-card inventory. Investigations increasingly reveal sophisticated persistence, cross-chain laundering, and multi-vector social engineering, alongside new enforcement actions targeting facilitators in the U.S. Prior milestones include the record-setting Bybit breach in February 2025 ($1.5B), multiple exchange compromises (e.g., Upbit, BitoPro), and the conviction of five individuals for aiding North Korean IT worker fraud schemes that generated over $2.2M for the regime. North Korean hackers also continue to refine laundering pathways—employing mixers, bridges, obscure blockchains, and custom tokens—over approximately 45-day cycles. U.S. authorities have sought forfeiture of $15M in stolen crypto linked to APT38 and are dismantling ancillary networks used to funnel revenue to Pyongyang.

Timeline

  1. 19.03.2026 19:08 1 article · 23h ago

    Bluenoroff group compromises Bitrefill in March 2026 crypto-heist attempt

    North Korea’s Bluenoroff subgroup (APT38/Lazarus) is blamed for a March 2026 cyberattack on Bitrefill, a crypto-powered gift card platform. The attack originated from a compromised employee laptop used to steal legacy credentials, access production secrets, and escalate to parts of Bitrefill’s database and cryptocurrency wallets. About 18,500 purchase records (including emails, IPs, and crypto addresses) and 1,000 customer names were exposed; decryption keys may have been obtained. Bitrefill characterized the incident as its most serious in its ten-year history, with minimal financial losses to be covered from capital, indicating the primary goal was cryptocurrency and gift-card inventory theft.

  2. 18.12.2025 03:00 1 article · 3mo ago

    Lazarus Group Steals $36 Million from Upbit in November 2025

    The Lazarus Group, affiliated with Pyongyang's Reconnaissance General Bureau (RGB), is responsible for the theft of $36 million worth of cryptocurrency from South Korea's largest cryptocurrency exchange, Upbit, in November 2025. The Lazarus Group has siphoned at least $200 million from over 25 cryptocurrency heists between 2020 and 2023.

  3. 14.11.2025 22:11 2 articles · 4mo ago

    Five Plead Guilty to Aiding North Korean Cryptocurrency Theft

    Five individuals pleaded guilty to aiding North Korea's illicit revenue generation schemes, including remote IT worker fraud and cryptocurrency theft. The U.S. authorities seek the forfeiture of $15 million in cryptocurrency from heists carried out by the APT38 threat group. The facilitators used stolen identities to help DPRK agents get hired by American firms, affecting 136 companies and generating over $2.2 million in revenue for the DPRK regime. APT38 has been laundering funds from hacks via cryptocurrency bridges, mixers, exchanges, and OTC traders. Minh Phuong Ngoc Vong, a Maryland man, was sentenced to 15 months in prison for his role in the IT worker scheme.

  4. 07.10.2025 20:02 5 articles · 5mo ago

    North Korean Hackers Steal $2 Billion in Cryptocurrency in 2025

    The 2025 total so far is almost triple last year's figure and beats 2022's record of $1.35bn, which came on the back of attacks against Ronin Network and Harmony Bridge. Elliptic has attributed more than 33 additional hacks to North Korea so far this year, most of them conducted through social engineering. The actual stolen amount may be higher due to difficulties in attribution and unreported incidents. New laundering techniques include multiple mixing rounds, cross-chain transactions, obscure blockchains, and custom tokens; the hackers also exploit 'refund addresses' to redirect assets. Recently, five individuals pleaded guilty to aiding North Korea's illicit revenue generation schemes, including remote IT worker fraud and cryptocurrency theft. The U.S. authorities seek the forfeiture of $15 million in cryptocurrency from heists carried out by the APT38 threat group, which is linked to the Lazarus hacking group. The total amount stolen by North Korean hackers since 2017 exceeds $6.75 billion. The Bybit hack in February 2025 alone resulted in the theft of $1.5 billion.


Similar Happenings

UNC4899 Exploits AirDrop to Compromise Crypto Firm's Cloud Environment

UNC4899, a North Korean threat actor, breached a cryptocurrency firm in 2025 by exploiting an AirDrop file transfer to a developer's work device. The attackers used social engineering to deliver a trojanized file, then pivoted to the cloud environment, employing living-off-the-cloud (LOTC) techniques to steal millions in cryptocurrency. The attack involved abusing DevOps workflows, harvesting credentials, and tampering with Cloud SQL databases. The incident highlights risks associated with personal-to-corporate P2P data transfers, privileged container modes, and insecure handling of secrets in cloud environments.

North Korean APTs Leverage AI to Enhance IT Worker Scams

North Korea's state-linked APTs—particularly Jasper Sleet and Coral Sleet—continue to expand their IT worker scams using AI to fabricate identities, automate social engineering, and deploy malware, while simultaneously diversifying revenue streams to fund weapons programs. OFAC sanctions now confirm the scheme's scale and structure, revealing a multi-tiered network of recruiters, facilitators, IT workers, and collaborators that has infiltrated U.S. and international companies to steal sensitive data and extort victims. The use of AI tools like Faceswap for identity fabrication and Astrill VPN for geographic obfuscation underscores the sophistication of these operations, which are deeply embedded in North Korea's sanctions-evasion and revenue-generation machinery. Initial reporting by Microsoft documented how Jasper Sleet and Coral Sleet leverage AI to research job postings, generate fake resumes, create culturally tailored digital personas, and develop web infrastructure for malicious purposes. These groups use AI coding tools to refine malware and jailbreak LLMs to generate malicious code, complicating detection while enabling long-term persistence as insider threats. The scheme's expansion into malware deployment and extortion activities further increases its impact, with a significant portion of earnings funneled back to North Korea to support its missile programs.

Lazarus Group Linked to Medusa Ransomware Attacks on U.S. Healthcare

North Korean state-backed hackers from the Lazarus group are targeting U.S. healthcare organizations and entities in the Middle East with Medusa ransomware in financially motivated extortion attacks. The Medusa ransomware-as-a-service (RaaS) operation has impacted over 366 organizations since its launch in 2023, with at least four additional healthcare and non-profit organizations in the U.S. targeted since November 2025. This is the first time Lazarus has been linked to Medusa ransomware, though the group has been associated with other ransomware strains. The attacks use a toolset that includes both custom and commodity tools, some of which are linked to another North Korean group, Diamond Sleet. The average ransom recorded in these attacks is $260,000, which is reportedly used to fund espionage operations against defense, technology, and government sectors in the U.S., Taiwan, and South Korea. Symantec has provided indicators of compromise (IoCs) to help defenders prevent these attacks. The Stonefly sub-group of Lazarus, also known as Andariel, has been involved in ransomware operations for the past five years. Rim Jong Hyok, an alleged Stonefly member, was indicted by the U.S. Justice Department for ransomware campaigns targeting U.S. hospitals and healthcare providers, and the department announced a $10m reward for information related to him.

Figure Fintech Breach Exposes 967,200 Accounts via Social Engineering

Figure Technology Solutions, a blockchain-based fintech firm, suffered a data breach affecting nearly 1 million accounts. Hackers stole personal and contact information through a social engineering attack. The breach was attributed to the ShinyHunters extortion group, which leaked 2.5GB of data from loan applicants. The attackers impersonated IT support to trick employees into providing access to SSO accounts, gaining entry to various enterprise applications.

Record $158bn in Illicit Crypto Activity in 2025

Illicit crypto wallets received an estimated $158bn in 2025, the highest level observed in five years and a 145% increase from the previous year. The increase was attributed to several factors: a surge in sanctions-evading activity by countries such as Venezuela, Iran, and Russia; improved identification of illegal crypto activity through the Beacon Network; large-scale hacks such as the raid of Bybit by North Korean actors; and increased enforcement by stablecoin issuers. There was also growth in blocklisted activity across multiple crime types, including sanctions evasion, terrorism financing, fraud, and hacking. Despite the rise in absolute terms, illicit activity as a share of total blockchain flows declined to 1.2% in 2025, suggesting that bad actors are absorbing a smaller share of the new capital entering the crypto ecosystem.