N. Korea ramps up cybertheft following $2.3 bil. crypto haul: report - The Korea Times


To counter Pyongyang’s hackers, experts urge adoption of more sophisticated surveillance methods

North Korea has refined its cryptocurrency hacking operations, carrying out fewer but far more lucrative attacks on major targets and deploying increasingly sophisticated laundering techniques to evade detection, according to a report by the blockchain analytics firm Chainalysis.

In a preview of its Crypto Crime 2026 report, Chainalysis revealed that North Korean hackers siphoned a record $2.02 billion in cryptocurrency in 2025. This 51 percent surge from the previous year highlights the regime’s intensifying reliance on digital theft to bypass global sanctions and fund state priorities. The windfall brings the total amount stolen by Pyongyang-linked actors to approximately $6.75 billion since records began, underscoring a deepening crisis for international cybersecurity.

While the number of confirmed attacks declined sharply, the overall value of thefts increased, driven by a handful of extraordinarily large breaches, the analysis found.

“The year’s data highlight a shift toward fewer but larger thefts — with the biggest three hacks alone accounting for a majority of all service losses,” the report said.

Pyongyang’s cyber operatives now account for roughly three-quarters of all major crypto service compromises in 2025, despite a drop in total incidents.

Once focused on exploiting loosely secured decentralized finance protocols, North Korean hackers in 2025 shifted their attention back to centralized exchanges and core infrastructure, analysts said. Among the most notable was a $1.5 billion exchange breach in February, one of the largest single thefts recorded for the year.

The report also details distinctive post-theft behavior by North Korean groups.

Rather than moving large stolen sums at once, they often structure transfers in smaller chunks to many addresses, complicating monitoring efforts by authorities and exchanges.

Chainalysis’s on-chain data shows that more than 60 percent of North Korean-linked movement volume is structured in transfers below $500,000, a pattern that contrasts sharply with other illicit actors.

“North Korean actors exhibit distinctive laundering preferences that differ materially from other threat groups — a behavioral footprint that compliance and detection systems can use to help identify suspicious flows,” the report states.
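An added example, not taken from the article or the Chainalysis report: a minimal Python screen for the structuring pattern described above, flagging source addresses whose outflows move mostly through sub-$500,000 transfers to many distinct recipients. The wallet names and transfer values are constructed, and the fan-out, minimum-volume and per-address 60 percent cutoffs are assumptions chosen for illustration.

```python
from collections import defaultdict

CHUNK_CEILING_USD = 500_000  # transfer-size boundary quoted in the article
SMALL_SHARE_MIN = 0.60       # assumption: the article's 60 percent figure reused as a per-address cutoff
MIN_DESTINATIONS = 5         # assumption: how many distinct recipients count as "many addresses"

# Constructed sample data: (source, destination, usd_value). Not real addresses.
SAMPLE_TRANSFERS = (
    # wallet_A: six sub-ceiling chunks plus one larger transfer, all to different recipients
    [("wallet_A", f"a{i}", v) for i, v in
     enumerate([400_000, 350_000, 450_000, 300_000, 480_000, 250_000, 900_000])]
    # wallet_B: volume dominated by two large transfers
    + [("wallet_B", "b0", 2_000_000), ("wallet_B", "b1", 1_500_000), ("wallet_B", "b2", 100_000)]
    # wallet_C: many tiny payments, negligible total volume
    + [("wallet_C", f"c{i}", 1_000) for i in range(10)]
    # wallet_D: repeated sub-ceiling transfers, but all to one recipient
    + [("wallet_D", "d0", 450_000) for _ in range(5)]
)

def profile_outflows(transfers):
    """Per source: total volume, volume sent in sub-ceiling transfers, distinct destinations."""
    stats = defaultdict(lambda: {"total": 0.0, "small": 0.0, "dests": set()})
    for src, dst, usd in transfers:
        if usd <= 0:
            continue  # skip zero-value or malformed rows
        entry = stats[src]
        entry["total"] += usd
        if usd < CHUNK_CEILING_USD:
            entry["small"] += usd
        entry["dests"].add(dst)
    return stats

def flag_structured_sources(transfers, min_total_usd=1_000_000):
    """Return {source: (small_share, fan_out)} for sources matching the structuring pattern."""
    flagged = {}
    for src, entry in profile_outflows(transfers).items():
        if entry["total"] < min_total_usd:
            continue  # low-volume wallets paying many people are ordinary activity
        share = entry["small"] / entry["total"]
        fan_out = len(entry["dests"])
        # Both signals are required: transfer size alone would also flag wallet_D
        if share > SMALL_SHARE_MIN and fan_out >= MIN_DESTINATIONS:
            flagged[src] = (round(share, 3), fan_out)
    return flagged

if __name__ == "__main__":
    print(flag_structured_sources(SAMPLE_TRANSFERS))
```

Only wallet_A is flagged in the sample; wallet_D shows why a size threshold without the fan-out condition is too blunt a signal.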

Beyond pure technical exploits, North Korean hackers have also blended social engineering with technical methods, at times impersonating recruiters and strategic partners to obtain privileged access to systems, according to the Chainalysis analysis.

As Pyongyang continues to weaponize cybertheft to evade international sanctions, Chainalysis is urging the cryptocurrency industry to adopt more sophisticated defenses. The firm advocates for a shift toward pattern-based surveillance tools — forensic methods that move beyond blunt metrics like transaction size or volume to identify the subtle behavioral signatures and rhythmic maneuvers unique to state-sponsored hackers.

“Detection efforts should prioritize not only known signatures but also evolving operational behavior and laundering patterns unique to state-linked actors,” the report said.

Analysts warn that without such adaptive strategies, high-impact breaches will remain a persistent global threat.

Kim Hyun-bin

Kim Hyun-bin began his journalism career at Arirang TV from 2012 to 2017, specializing in defense, foreign affairs and the economy. In 2018, he joined The Korea Times, covering society and business, and is currently responsible for embassy affairs.
