How North Korea Stole $3 Billion in Crypto and Why It’s Still Happening
Between 2017 and 2025, North Korean hackers stole more than $3 billion in cryptocurrency - not through brute force, but by tricking people. Not banks. Not servers. People. Employees at crypto companies who clicked the wrong link, opened the wrong file, or answered a LinkedIn message that seemed too good to be true. And it’s not slowing down.
The $1.5 Billion Bybit Heist That Changed Everything
In February 2025, hackers stole nearly $1.5 billion in Ether from Bybit, a major cryptocurrency exchange based in Dubai. That’s more than all the crypto thefts from North Korea in 2024 combined. It wasn’t a glitch. It wasn’t a bug. It was a surgical strike. The attackers didn’t crack Bybit’s wallet - they got Bybit’s own signers to approve the transfer.
How? Not with the LinkedIn trick this story is usually told with, which belongs to an earlier operation by the same unit. In 2024, posing as a recruiter on LinkedIn, TraderTraitor sent an employee of Ginco, a Japanese wallet software company, a link to a Python script described as a "pre-employment test." That script was malware. With it the attackers stole the employee’s session cookie data, impersonated the employee on Ginco’s systems, and in May 2024 altered a legitimate transaction request from Ginco’s client DMM Bitcoin, redirecting 4,502.9 BTC, about $308 million at the time, according to the joint alert from the FBI, Japan’s National Police Agency and the Department of Defense Cyber Crime Center. At Bybit the entry point was the wallet provider, not a Bybit employee. The attackers compromised a developer machine at Safe{Wallet}, the multi-signature wallet service Bybit used, and served Bybit’s signers a tampered version of its web interface. During a routine transfer from cold to warm storage, the interface showed the expected destination and amount, while the payload the signers actually approved changed the wallet contract’s implementation to one the attackers controlled. One round of signatures later, roughly 401,000 ETH went to wallets they controlled.
Chainalysis, the blockchain intelligence firm, called it the largest single crypto theft in history. On its own it exceeded everything North Korean groups had stolen in all of 2024.
Who’s Behind It? The Lazarus Group and Its Allies
North Korea doesn’t have a single hacker group - it has a whole army. The most famous name is Lazarus. The subgroup that specializes in cryptocurrency firms is tracked under several vendor labels that are often mistaken for separate groups: TraderTraitor (FBI and CISA), Jade Sleet (Microsoft), UNC4899 (Mandiant) and Slow Pisces (Palo Alto Networks). These aren’t lone wolves. They’re state-funded, highly trained units operating under the regime’s Reconnaissance General Bureau, its military intelligence agency.
These groups don’t just steal. They launder. After stealing Ether from Bybit, they split it across dozens of wallets. Then they used decentralized exchanges and cross-chain bridges to turn it into Bitcoin, Tether, and other coins that are harder to trace. Some funds flowed through mixers. Others were moved through fake NFT trades. The goal isn’t just to steal - it’s to make the money disappear.
Why? Because North Korea is under crippling sanctions. It is cut off from the international banking system, its oil imports are capped, and its arms exports are banned. So it turned to crypto. A large share of the proceeds goes into the nuclear and missile programs; the U.S. Treasury and the UN Panel of Experts have documented the link. It’s not speculation. It’s intelligence.
Why Are They So Successful?
Most crypto hacks happen because of bad code. North Korean hacks happen because a person trusted the wrong message.
They rarely need a technical flaw to get in. They exploit trust. They spend months building relationships. They research employees on LinkedIn. They learn their hobbies, their job titles, even their family names. Then they send a message that feels real: "Hey, I saw your profile - we’re hiring for a remote Python role. Here’s a test."
Once inside, they don’t rush. They wait. They watch how transactions are approved. They learn who has access to cold wallets. They copy the exact language used in internal emails. Then they strike during normal business hours, when their activity blends in with everyone else’s.
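The stolen-session technique used against Ginco leaves a trace: the same session identifier starts appearing from a network and browser that never logged in, and then performs an approval. The detector below is an added example, not code from the original post or from any company named in it; the log format, the field names and the sample lines are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (not real data): an operations employee logs in from the
# office network, and the same session is later reused from a different network
# and browser to approve a transfer. That reuse is the footprint of a stolen
# session cookie.
SAMPLE_LOG = """\
2025-01-10T09:02:11Z sess=ab12 user=ops-1 ip=203.0.113.7 ua=Chrome/120 action=login
2025-01-10T09:15:40Z sess=ab12 user=ops-1 ip=203.0.113.7 ua=Chrome/120 action=view_queue
2025-01-10T13:41:02Z sess=ab12 user=ops-1 ip=198.51.100.23 ua=Firefox/115 action=approve_transfer amount=250000
2025-01-10T13:41:30Z sess=cd34 user=ops-2 ip=203.0.113.9 ua=Chrome/120 action=login
2025-01-10T13:44:10Z sess=cd34 user=ops-2 ip=203.0.113.9 ua=Chrome/120 action=approve_transfer amount=1200
"""

# Actions where a hijacked session does real damage (hypothetical names).
SENSITIVE_ACTIONS = {"approve_transfer", "change_withdrawal_address"}


@dataclass
class Event:
    ts: datetime
    sess: str
    user: str
    ip: str
    ua: str
    action: str
    amount: int


def parse_line(line: str) -> Event:
    """Parse one 'timestamp key=value ...' line into an Event."""
    parts = line.split()
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    kv = dict(p.split("=", 1) for p in parts[1:])
    return Event(ts, kv["sess"], kv["user"], kv["ip"], kv["ua"],
                 kv["action"], int(kv.get("amount", 0)))


def detect_session_anomalies(log_text: str) -> list[dict]:
    """Bind each session to the (ip, user_agent) pair seen at login and flag later
    events whose fingerprint differs. A mismatch on a sensitive action is
    escalated to critical; a session acting without any observed login is a warning."""
    baseline: dict[str, tuple[str, str]] = {}
    alerts: list[dict] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        fingerprint = (ev.ip, ev.ua)
        if ev.action == "login":
            baseline[ev.sess] = fingerprint
            continue
        expected = baseline.get(ev.sess)
        if expected is None:
            alerts.append({"sess": ev.sess, "user": ev.user, "severity": "warning",
                           "reason": "session used without an observed login",
                           "action": ev.action, "amount": ev.amount})
        elif expected != fingerprint:
            severity = "critical" if ev.action in SENSITIVE_ACTIONS else "warning"
            alerts.append({"sess": ev.sess, "user": ev.user, "severity": severity,
                           "reason": f"fingerprint changed from {expected} to {fingerprint}",
                           "action": ev.action, "amount": ev.amount})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_anomalies(SAMPLE_LOG):
        print(alert)
```

On the sample log this raises exactly one alert, the critical one for session ab12 approving a transfer from a new IP and browser. In production the fingerprint would also carry a TLS fingerprint or device certificate, and a critical alert should block the action rather than merely log it.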
Compare that to other hackers. Most cybercriminals use automated bots. North Korea uses human intelligence. They hire linguists. They train in social psychology. They study corporate culture. They’re not hackers. They’re spies with code.
The Numbers Don’t Lie
In 2023, North Korean groups stole $660 million across 20 attacks.
In 2024, they stole $1.34 billion across 47 attacks - a 103% increase. And they didn’t just steal more. They stole smarter. They hit bigger targets. They moved faster. And they got better at covering their tracks.
By 2024, North Korea was responsible for 61% of all crypto theft worldwide - even though they only carried out 20% of the attacks. That means each of their operations was worth nearly three times more than average. They don’t spam. They don’t spray and pray. They pick one target. They study it. Then they take everything.
Add the figures up: roughly $3 billion stolen between 2017 and 2023 according to the UN Panel of Experts, $1.34 billion in 2024, and about $1.5 billion from Bybit alone, and the running total since 2017 is past $5 billion. That’s more than the GDP of some small countries.
What’s Being Done About It?
The FBI, Japan’s National Police Agency, and the Department of Defense Cyber Crime Center have been tracking these groups for years. They’ve published detailed reports. They’ve named names. They’ve frozen wallets. They’ve pressured exchanges to block suspicious addresses.
But here’s the problem: crypto is global. Bybit is in Dubai. Ginco is in Japan. The stolen money flows through wallets in Southeast Asia and Eastern Europe. There’s no single government that can shut it down.
Exchanges have responded by adding multi-signature wallets, stricter employee training, and real-time blockchain monitoring. Some now require facial recognition for large withdrawals. Others use AI to flag unusual transaction patterns. Bybit shows the limit of the first item: it already used a multi-signature wallet. What failed was verification of what was being signed. The signers trusted a web interface instead of independently checking the destination, value and operation type of the payload, and their hardware wallets showed only an opaque hash. Independent verification of the raw transaction before signing is the control a multisig cannot provide on its own.
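Multi-signature is only as good as what each signer verifies. The check below is an added example, not Bybit’s or Safe{Wallet}’s code: it compares the raw payload about to be signed against what the signing interface displayed and applies treasury rules (destination allowlist, no delegate calls or calldata on a value transfer, dual approval above a threshold). The field names follow the Safe transaction format, where operation 0 is CALL and 1 is DELEGATECALL; the addresses, thresholds and both sample proposals are hypothetical.

```python
# Added example: a pre-signing policy check for a multisig treasury transaction.
CALL, DELEGATECALL = 0, 1
ONE_ETH = 10**18

# Hypothetical allowlist of destinations the treasury may send to.
ALLOWED_DESTINATIONS = {
    "0x1111111111111111111111111111111111111111": "warm wallet A",
    "0x2222222222222222222222222222222222222222": "warm wallet B",
}
# Hypothetical threshold above which two distinct approvers are required.
DUAL_APPROVAL_THRESHOLD_WEI = 1_000 * ONE_ETH


def policy_violations(payload: dict, displayed: dict) -> list[str]:
    """Compare the payload that will actually be signed with what the UI showed,
    then apply treasury rules. Returns reasons to refuse; empty means sign."""
    reasons = []
    to = payload["to"].lower()
    if payload["operation"] != CALL:
        reasons.append("operation is DELEGATECALL; a value transfer never needs to delegate")
    if to not in ALLOWED_DESTINATIONS:
        reasons.append(f"destination {payload['to']} is not on the allowlist")
    if payload["data"] not in ("", "0x"):
        reasons.append("calldata present on what should be a plain ETH transfer")
    if to != displayed["to"].lower() or payload["value_wei"] != displayed["value_wei"]:
        reasons.append("UI shows a different destination or amount than the payload being signed")
    if payload["value_wei"] >= DUAL_APPROVAL_THRESHOLD_WEI and len(set(payload["approvers"])) < 2:
        reasons.append("amount is above the dual-approval threshold but fewer than two distinct approvers")
    return reasons


def review(proposal: dict) -> bool:
    """True if the proposal passes every rule."""
    return not policy_violations(proposal["payload"], proposal["displayed"])


# Constructed proposals. ROUTINE is an ordinary cold-to-warm transfer. TAMPERED
# follows the pattern reported for Bybit: the UI shows the routine transfer while
# the payload delegate-calls a different contract with non-empty (here arbitrary)
# calldata. Every address and value is made up.
ROUTINE = {
    "payload": {"to": "0x1111111111111111111111111111111111111111",
                "value_wei": 5_000 * ONE_ETH, "data": "0x", "operation": CALL,
                "approvers": ["signer-1", "signer-2"]},
    "displayed": {"to": "0x1111111111111111111111111111111111111111",
                  "value_wei": 5_000 * ONE_ETH},
}
TAMPERED = {
    "payload": {"to": "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
                "value_wei": 0, "data": "0xa1b2c3d4", "operation": DELEGATECALL,
                "approvers": ["signer-1", "signer-2", "signer-3"]},
    "displayed": {"to": "0x1111111111111111111111111111111111111111",
                  "value_wei": 5_000 * ONE_ETH},
}

if __name__ == "__main__":
    for name, proposal in (("routine", ROUTINE), ("tampered", TAMPERED)):
        print(name, review(proposal), policy_violations(proposal["payload"], proposal["displayed"]))
```

The tampered proposal trips four rules at once even though three signers approved it; the point is that the check runs on the raw fields, so a compromised front end cannot hide the mismatch. The displayed values should come from a second, independent source (a hardware wallet screen or a separate decoding tool), not from the same web app that produced the payload.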
But none of it matters if an employee still clicks a fake job offer.
Why This Isn’t Just a Crypto Problem
This isn’t just about wallets and private keys. It’s about national security.
Every dollar stolen from a crypto exchange is a dollar North Korea does not have to earn under sanctions, and U.S. and UN assessments say a large share of it goes to the missile and nuclear programs. The U.S. government treats these operations as a national-security threat rather than ordinary cybercrime: it sanctions the laundering infrastructure, indicts the operators and publishes attribution, not because the attacks are violent but because they are strategic.
And unlike traditional warfare, there’s no battlefield. No soldiers. No flags. Just a recruiter message on LinkedIn. A Python file. A few minutes of trust. And billions gone.
What You Can Do (If You Work in Crypto)
If you’re an employee at a crypto company - or even if you just use crypto - here’s what you need to know:
- Never download or run files from unsolicited LinkedIn messages - even if they look legit. A coding "test" delivered as a script or repository is exactly how the malware reached the Ginco employee.
- Verify every job offer through the company’s official website - not through a message.
- Use multi-factor authentication on every account - no exceptions - and prefer phishing-resistant methods such as hardware security keys. MFA does not protect a session that has already been hijacked; short session lifetimes and re-authentication before sensitive actions do.
- Report suspicious activity immediately. Don’t wait. Don’t hope it’s a mistake.
- If you sign transactions, verify the destination, amount and operation type of the raw payload on a trusted device before approving. Never rely only on what a web interface shows you.
- Ask your company: Do we monitor employee access to wallets? Do we require dual approval for large transfers? Do we allowlist destination addresses?
Most hacks happen because someone didn’t ask a simple question: "Wait - why am I getting this?"
What’s Next?
North Korea won’t stop. As sanctions tighten, their need for cash grows. And as crypto becomes more mainstream, their targets get bigger.
Expect more attacks on DeFi protocols, stablecoin issuers, and institutional custody platforms. Expect longer preparation times. Expect more sophisticated social engineering. And expect more money to vanish - quietly, without a trace.
Technology alone won’t stop them: not firewalls, not encryption, not even multi-signature wallets. It takes people who know what to look for, backed by controls that assume someone will eventually be fooled.
Because the next $1.5 billion heist won’t start with a hack. It’ll start with a message.
How did North Korea steal $3 billion in crypto?
North Korean hackers rely on social engineering far more than on technical exploits. They pose as recruiters on LinkedIn, trick employees into running malware disguised as coding tests, hijack the resulting login sessions and alter legitimate transaction requests; according to the FBI, that is how the 2024 DMM Bitcoin theft was carried out through a Ginco employee. The $1.5 billion Bybit theft in February 2025 reached Bybit’s signers through a compromised developer machine at the wallet provider and a tampered signing interface, after months of preparation.
Who are the main hacking groups behind these attacks?
Lazarus is the umbrella name. TraderTraitor, Jade Sleet, UNC4899 and Slow Pisces are labels that different security vendors (FBI/CISA, Microsoft, Mandiant and Palo Alto Networks respectively) use for the same Lazarus subgroup that targets cryptocurrency firms. These are state-sponsored units under North Korea’s Reconnaissance General Bureau, its military intelligence agency, and their tactics are consistent across the names: long-term infiltration, precise timing, and advanced laundering to hide stolen funds.
Why does North Korea target cryptocurrency?
International sanctions have cut off North Korea’s access to traditional banking and foreign currency. Crypto allows them to bypass these restrictions. Stolen digital assets can be converted into Bitcoin, Tether, or other coins, then moved across borders faster than any freeze order can follow. The funds directly finance their nuclear weapons and ballistic missile programs, according to U.S. and UN intelligence reports.
Is crypto becoming too dangerous to use?
No - but the risks are real. Most thefts happen at exchanges and companies with weak internal security, not at personal wallets. Regular users who use reputable platforms and enable two-factor authentication face minimal risk. The danger is for employees and institutions handling large sums. Better training and stricter access controls can prevent most attacks.
Can stolen crypto be recovered?
Rarely, and not because the money is invisible. Blockchain analysts traced the Bybit funds across wallets and bridges in near real time; the problem is that tracing only helps if an exchange, stablecoin issuer or bridge operator freezes the assets before they move again. Some amounts have been frozen or recovered when the launderers slipped up, for example by reusing addresses or routing through a cooperative intermediary, but for a heist of Bybit’s size the bulk is gone. The practical focus is prevention and fast blocking of known addresses.
What’s the biggest mistake crypto companies make?
Over-relying on technology and underestimating people. Many companies invest in advanced security tools but skip basic employee training. North Korean hackers don’t break systems - they break trust. If an employee can be tricked into giving access, no firewall will help. The weakest link isn’t the server - it’s the person sitting at the desk.
Are there any warning signs of a phishing attack?
Yes. Watch for: unsolicited job offers via LinkedIn or email, requests to download or run files labeled as "tests" or "forms," messages with urgent language, and links whose domains look almost right but contain slight typos, look-alike characters, or the real brand name placed in front of a different domain. Always verify the sender’s identity through official channels - never reply to the message directly.
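The domain-related warning signs above can be partly automated for the link and sender hostnames in a message. The screener below is an added example, not from the original post; the allowlist, the confusable-character table and the sample hostnames are constructed, and the registrable-domain split is a simplification noted in the code.

```python
# Added example: classify hostnames from a recruiter message as known, lookalike,
# suspicious or unknown. KNOWN_DOMAINS is a hypothetical allowlist.
KNOWN_DOMAINS = {"bybit.com", "linkedin.com"}

# Characters that pass for another letter at a glance. Cyrillic entries are the
# usual homoglyphs in internationalized-domain spoofing; ASCII entries are typo tricks.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
    "0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w",
}


def normalize(name: str) -> str:
    """Fold look-alike characters to their target so 'byb1t' and 'bybit' compare equal."""
    s = name.lower()
    for lookalike, target in CONFUSABLES.items():
        s = s.replace(lookalike, target)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of one means one typo away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host: str) -> tuple[list[str], str]:
    """Return (subdomain labels, registrable domain). Simplification: the last two
    labels are treated as registrable; real code should consult the Public
    Suffix List so that names like example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])


def classify_host(host: str) -> tuple[str, str]:
    """Return (verdict, reason) for a hostname taken from a link or sender address."""
    subs, reg = split_host(host)
    is_ascii = all(ord(c) < 128 for c in host)
    if reg in KNOWN_DOMAINS and is_ascii:
        return "ok", f"{reg} is a known domain"
    norm_reg = normalize(reg)
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        if levenshtein(norm_reg, known) <= 2:
            return "lookalike", f"{reg} is within two edits of {known} after homoglyph folding"
        if any(brand in label for label in subs):
            return "lookalike", f"{brand} appears as a subdomain of {reg}, which is not {known}"
        if brand in norm_reg.split(".")[0]:
            return "lookalike", f"{reg} embeds the brand name {brand} but is not {known}"
    if not is_ascii or any(label.startswith("xn--") for label in host.lower().split(".")):
        return "suspicious", "internationalized hostname; inspect for homoglyphs"
    return "unknown", f"{reg} is not a known domain; verify the offer out of band"


# Constructed sample hostnames covering each verdict.
SAMPLE_HOSTS = [
    "bybit.com", "www.linkedin.com", "byb1t.com",
    "bybit.com.careers-portal.net", "bybit-hiring.com", "b\u0443bit.com", "example.org",
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h, *classify_host(h))
```

A brand name in the subdomain (bybit.com.careers-portal.net) is caught by looking at the registrable domain rather than the start of the string, which is the part people read; the Cyrillic "у" case is caught because folding happens before the distance comparison, so a domain that is visually identical is reported as zero edits away rather than as merely "non-ASCII".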
Nitesh Bandgar
November 4, 2025 AT 09:13
Oh my GOD this is THE most dramatic thing I’ve read all year - like, imagine being that one employee who just wanted a remote job and ended up funding a nuclear missile? I’m not even kidding - I just checked my LinkedIn and deleted three "recruiter" messages that smelled like a North Korean fever dream. This isn’t hacking - it’s psychological horror with a Python script.
Megan Peeples
November 4, 2025 AT 10:03
And yet… no one in corporate America will ever change. Companies still let interns handle wallet keys. They still use "password123" on their admin panels. And they still think "training" means watching a 12-minute video while eating lunch. This isn’t a crypto problem - it’s a human resources problem wrapped in a security theater costume.
Sarah Scheerlinck
November 6, 2025 AT 07:45
I work in fintech. Last month, someone sent me a "Google Form" to update my payroll info. It looked perfect - same logo, same font, even the same typo in the footer that our real HR form has. I didn’t click. I reported it. But half the team did. We lost $80k to a phishing scam that cost them five minutes of trust. This isn’t about tech. It’s about how tired people are. They just want to get through the day. And that’s the vulnerability.
Chloe Walsh
November 6, 2025 AT 18:11
So we’re supposed to believe that a nation with no internet access, no decent coffee, and a leader who wears oversized suits can outsmart Silicon Valley’s best engineers? Please. This is just media hype. They’re not hackers - they’re cartoon villains. The real story is how scared we’ve become of our own shadows. I’ve never clicked a LinkedIn job post. I don’t even have a LinkedIn. And I’m still alive.
Stephanie Tolson
November 7, 2025 AT 06:54
If you work in crypto, this isn’t optional knowledge - it’s survival. I train new hires every week. I don’t just show them how to enable 2FA. I make them role-play being the hacker. I say: "You’re a recruiter. You know this person likes dogs and runs marathons. You found their dog’s name on Instagram. Now write the message." Half of them cry. The other half finally get it. Awareness isn’t a policy. It’s a practice.
Evan Koehne
November 7, 2025 AT 20:02
Wow. So North Korea is the world’s first state-sponsored phishing operation? Groundbreaking. Next you’ll tell me they use PowerPoint to plan missile launches. Meanwhile, the U.S. government spends $20 billion a year on cybersecurity and still can’t stop interns from downloading "pre-employment tests." Maybe the problem isn’t the hackers. Maybe it’s the people who keep hiring interns.
Grace Huegel
November 9, 2025 AT 04:24
I read the entire post. Twice. I still don’t know what to feel. Sad? Angry? Numb? We’re living in a world where a single click can fund genocide. And yet, we scroll past these headlines like they’re sponsored content. We’ve normalized existential risk. It’s not that we’re careless. It’s that we’ve given up on caring. Because what’s the point? The money’s already gone.
Jessica Arnold
November 10, 2025 AT 23:48
What’s being overlooked here is the epistemological rupture: the collapse of institutional trust as a vector of attack. Traditional cybersecurity models assume adversarial intent is rooted in code. But here, the adversary exploits the phenomenology of trust - Lacanian desire, Foucauldian surveillance, Derridean différance - all mediated through LinkedIn’s algorithmic intimacy. The vulnerability isn’t the endpoint; it’s the intersubjective space between expectation and verification. We’re not being hacked. We’re being unmoored.
Vipul dhingra
November 11, 2025 AT 08:19
karan thakur
November 11, 2025 AT 18:51
Let’s be real - this is all a CIA psyop. The U.S. government created these "North Korean hackers" to justify more sanctions, more wars, more control over crypto. The Bybit heist? Probably done by a private equity firm trying to crash the market. The "evidence"? All from Chainalysis, which is owned by a former NSA contractor. Wake up. The real thieves are the ones in suits with access to SWIFT.
Jacque Hustead
November 13, 2025 AT 08:11
My cousin works at a crypto startup. She got the exact same "Python test" message. She forwarded it to IT. They laughed. Said it looked legit. Two weeks later, her account was used to transfer $300k. She quit. Now she teaches yoga in Bali. I told her she was lucky. But honestly? I’m terrified. We’re all one bad link away from becoming a footnote in a geopolitical tragedy.
Anthony Allen
November 13, 2025 AT 17:20
Just had a quick chat with my boss about this. We’re rolling out mandatory monthly social engineering drills. Not a quiz. Not a video. Real role-play. Someone pretends to be a recruiter. Someone else pretends to be a manager asking for a wire transfer. We track who falls for it. Last month, 6 out of 12 people sent fake money to a dummy wallet. We’re not fixing tech. We’re fixing culture. Slowly. But we’re trying.