Overview
North Korea is the only regime on earth that has turned cryptocurrency theft into an explicit national strategy. Since its first on-chain heist in 2017, the regime's infamous Lazarus Group has stolen an estimated $6.75 billion in digital assets — capping 2025 with a record-breaking single-event theft of $1.5 billion from Bybit. This is not opportunistic cybercrime. It is a systematic, state-directed campaign by a sanctions-isolated regime that has found in crypto's irreversibility and borderlessness the perfect substitute for an economy it can no longer legally access. This article examines why North Korea does this, how it works, and what it means for the broader crypto ecosystem.
Key Takeaways
Lazarus Group has stolen over $6.75 billion in crypto since 2017; in 2025 alone, the total surpassed $2 billion — a new annual record
Crypto theft is North Korea's primary source of hard currency, explicitly confirmed by the U.S. Intelligence Community as a funding mechanism for nuclear and ballistic missile programs
North Korea "openly" steals — on traceable public blockchains — because it has no real economy to fall back on; unlike Russia or Iran, Pyongyang cannot afford patience or subtlety
Lazarus Group operates like a military unit: 24/7 shifts, sophisticated social engineering, supply chain attacks, and long-term corporate infiltration via fake IT workers
Every major theft has accelerated industry security evolution — but as long as sanctions remain, so will the attacks
I. The Structural Logic: Why Crypto, Why Openly?
To understand North Korea's crypto campaign, you first need to understand its economic predicament.
Since its first nuclear test in 2006, Pyongyang has faced layer upon layer of UN, U.S., and EU sanctions, cutting off access to nearly every conventional revenue stream — financial services, commodities, arms. Traditional banking is effectively closed to the regime.
Cryptocurrency offered something unprecedented: a monetary system with no correspondent banks, no compliance checks, and no reversibility.
As security expert Dave Schwed explained to Symplexia Labs, North Korea "doesn't have the luxury of patience": it needs hard currency for its weapons programs, and crypto theft has been confirmed by the UN and multiple intelligence agencies as the primary mechanism for obtaining it.
This explains why North Korea's approach looks nothing like Russia's or Iran's. Russia routes money through crypto to work around payment friction; Iran uses it to fund proxy networks. Both still have physical economies — oil, gas, trade partners. For Pyongyang, as CoinDesk's deep investigation concluded, crypto isn't a payment rail. It is a replacement for a sanctioned-out economy — and that existential urgency is what makes North Korea uniquely dangerous to the crypto ecosystem specifically.
The architecture of crypto itself amplifies the advantage.
Alexander Urbelis, CISO at ENS Labs, noted that once a transaction is signed and confirmed on-chain, it is final. The Bybit exploit transferred $1.5 billion in roughly 30 minutes — a pace and scale that would be nearly impossible in traditional banking, where compliance checks, settlement delays, and the possibility of wire reversals create a defensive window.
II. Lazarus Group: From Hacktivists to the World's Premier Crypto Thieves
Lazarus Group is not a state-*sponsored* hacking group in the conventional sense.
According to TRM Labs, "Lazarus Group is North Korea, and North Korea is Lazarus Group" — it operates as a direct arm of the Reconnaissance General Bureau, the regime's primary intelligence organization.
The group's trajectory in crypto tells its own story:
2017: Stole $7 million from South Korean exchange Bithumb, marking its entry into crypto theft — timed precisely with the most severe post-nuclear-test sanctions
2023: Hit CoinEx, Atomic Wallet ($100M), Stake.com ($41M), and others in rapid succession
The trend is more alarming than the headline numbers.
According to Chainalysis, the number of North Korean attacks actually fell 74% year-over-year in 2025, but the value stolen per incident skyrocketed — indicating a deliberate shift toward fewer, higher-value, more precisely planned operations.
III. The Attack Playbook: How North Korea Does It
Lazarus Group does not rely on a single exploit. It deploys a layered, evolving set of tactics:
Spear-Phishing and Social Engineering
Nearly all major heists begin with social engineering rather than brute-force hacking. Operators build false identities on LinkedIn, GitHub, and Telegram, posing as recruiters or fellow developers.
According to Hacken.io's analysis, Lazarus operatives work nearly around the clock in shifts, engaging targets for weeks before deploying malware. The Ronin Bridge hack — $620 million — originated from a fake LinkedIn job offer sent to a senior Axie Infinity engineer.
Supply Chain Attacks
The Bybit breach was triggered not by a direct attack on Bybit itself, but by compromising a developer machine at Safe{Wallet}, a third-party multisig platform. A malicious transaction was injected into what appeared to be a routine wallet management operation.
As Chainalysis has noted, 2025 saw Lazarus double down on coordinated supply chain attacks targeting fund custodians and third-party service providers.
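The supply-chain lesson above, as an added example (not code from Bybit, Safe{Wallet} or any vendor): a policy check a signer runs against the raw multisig transaction fields obtained independently of the signing front-end (for instance from the hardware wallet display), so a transaction the UI presents as a routine transfer is refused when its actual fields say otherwise. The addresses, the hot-wallet allow-list and the value limit are constructed assumptions.

```python
from dataclasses import dataclass

# Added example (not Bybit's, Safe{Wallet}'s or any vendor's code). Assumes the
# signer obtains the raw fields from a source independent of the signing UI,
# e.g. the hardware wallet display. All addresses and limits are constructed.
ERC20_TRANSFER_SELECTOR = "a9059cbb"  # keccak256("transfer(address,uint256)")[:4]
CALL, DELEGATECALL = 0, 1             # Safe 'operation' field values

@dataclass(frozen=True)
class SafeTx:
    to: str         # destination address, 0x-prefixed hex
    value: int      # native ETH in wei
    data: str       # calldata hex, "0x" when empty
    operation: int  # 0 = CALL, 1 = DELEGATECALL

HOT_WALLETS = {"0x1111111111111111111111111111111111111111"}  # approved destinations (constructed)
TOKENS = {"0x2222222222222222222222222222222222222222"}       # approved ERC-20 contracts (constructed)
MAX_VALUE_WEI = 1_000 * 10**18                                 # per-transaction ETH ceiling

def decode_erc20_transfer(data: str):
    """Return (recipient, amount) for a well-formed ERC-20 transfer call, else None."""
    raw = data[2:] if data.startswith("0x") else data
    if len(raw) != 8 + 64 + 64 or raw[:8].lower() != ERC20_TRANSFER_SELECTOR:
        return None
    recipient = "0x" + raw[8 + 24:8 + 64]  # address sits right-aligned in a 32-byte slot
    amount = int(raw[8 + 64:], 16)
    return recipient.lower(), amount

def check_policy(tx: SafeTx) -> list:
    """Return the policy violations; an empty list means the tx matches a routine transfer."""
    problems = []
    # A routine transfer never requires the Safe to execute foreign code in its own context.
    if tx.operation != CALL:
        problems.append("operation is DELEGATECALL; routine transfers use CALL")
    to = tx.to.lower()
    if tx.data in ("", "0x"):  # plain ETH transfer
        if to not in HOT_WALLETS:
            problems.append(f"ETH destination {to} is not an approved hot wallet")
        if tx.value > MAX_VALUE_WEI:
            problems.append("value exceeds the per-transaction limit")
        return problems
    decoded = decode_erc20_transfer(tx.data)  # token transfer path
    if to not in TOKENS:
        problems.append(f"call target {to} is not an approved token contract")
    if decoded is None:
        problems.append("calldata is not a plain ERC-20 transfer")
    elif decoded[0] not in HOT_WALLETS:
        problems.append(f"token recipient {decoded[0]} is not an approved hot wallet")
    if tx.value != 0:
        problems.append("ETH value attached to a token transfer")
    return problems
```

The check deliberately depends only on fields the signer can read off an independent device, so a compromised front-end cannot influence its verdict.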
IT Worker Infiltration
Perhaps the most insidious tactic: North Korea deploys operatives — often trained programmers — under false identities to secure legitimate employment at crypto firms, AI companies, and defense contractors.
Chainalysis reported that more than a dozen crypto companies were infiltrated by North Korean IT workers posing as software developers in 2024 alone, giving attackers long-term, authenticated access to internal infrastructure.
IV. After the Theft: An Industrial Laundering Machine
Stealing the crypto is only half the operation. Converting blockchain-traceable stolen funds into usable hard currency is the other half — and North Korea has industrialized that process too.
The pace of Bybit's post-theft laundering shocked the industry:
Within two days: $160 million moved through illicit channels
Within 17 days: 86.29% of stolen ETH converted to Bitcoin
Typical full laundering cycle: approximately 45 days
The route follows a layered path: mixers (Tornado Cash, others) → cross-chain bridges → DEX token swaps → OTC brokers predominantly in China and Southeast Asia → fiat conversion via Chinese UnionPay cards into DPRK-controlled bank accounts.
Chainalysis found that North Korea preferentially uses Chinese-language laundering services to process stolen funds.
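The laundering chain above and the on-chain monitoring point made later in section VI, as an added example (not Chainalysis', TRM Labs' or any exchange's code): proportional taint tracing over a constructed transfer ledger, which raises an alert whenever tainted value lands at a labelled mixer, bridge or exchange and reports what share of the stolen amount reached such services within a time window. The ledger, the labels and the amounts are constructed; real tracing runs over chain data and labelled address sets.

```python
from collections import defaultdict

# Added example (not Chainalysis', TRM Labs' or any exchange's code). Proportional
# ("haircut") taint tracing: value leaving an address carries taint in proportion
# to the tainted share of that address's balance. Everything below is constructed.
SAMPLE_TRANSFERS = [  # (hours after theft, from, to, amount)
    (0,  "theft", "hop1",   100.0),
    (0,  "clean", "hop1",   100.0),  # hop1 mixes stolen and legitimate funds 50/50
    (6,  "hop1",  "mixer",   80.0),
    (6,  "hop1",  "hop2",   120.0),
    (30, "hop2",  "bridge", 100.0),
    (40, "hop2",  "exchA",   20.0),  # lands at a cooperative exchange that can freeze
]
KNOWN = {"mixer": "mixer", "bridge": "bridge", "exchA": "exchange"}  # labelled services

def trace_taint(transfers, origin, initial):
    """Replay transfers in time order; return (taint per address, alerts at labelled services)."""
    balance = defaultdict(float)
    taint = defaultdict(float)
    balance[origin] = taint[origin] = initial
    alerts = []
    for t, src, dst, amt in sorted(transfers):
        if src not in balance:  # first seen as a sender: external, assumed clean funds
            balance[src] = amt
        share = taint[src] / balance[src] if balance[src] else 0.0
        moved = amt * share
        taint[src] -= moved
        balance[src] -= amt
        taint[dst] += moved
        balance[dst] += amt
        kind = KNOWN.get(dst)
        if kind and moved > 0:
            alerts.append((t, dst, kind, round(moved, 2)))
    return dict(taint), alerts

def share_reached(alerts, initial, kinds, within_hours):
    """Fraction of the stolen amount that reached the given service kinds by the cutoff."""
    hit = sum(amt for t, _, kind, amt in alerts if kind in kinds and t <= within_hours)
    return hit / initial
```

An exchange alert is the point where a freeze request is actionable; the mixer and bridge alerts mark where further tracing must move to another chain or service.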
V. Where Does the Money Go?
The money's ultimate destination is the question that drives international concern.
The U.S. Treasury's OFAC action in November 2025 was blunt: Under Secretary John K. Hurley stated that "North Korean state-sponsored hackers steal and launder money to fund the regime's nuclear weapons program" and that this directly threatens U.S. and global security.
The UN Multilateral Sanctions Monitoring Team's report found that in 2024, crypto theft proceeds — combined with arms sales to Russia — became the majority of DPRK's foreign currency earnings, likely exceeding pre-2016 sanction-era income levels. Roughly 40% of stolen proceeds are estimated to directly fund nuclear arms and weapons development.
VI. What This Means for the Crypto Industry
Each major North Korean operation leaves a permanent mark on the industry's security landscape:
Multisig and custody security: The Bybit breach exposed vulnerabilities in multisig infrastructure and third-party signing platforms that even large, well-resourced exchanges had not fully addressed.
Hiring due diligence: The IT worker infiltration campaigns have prompted widespread adoption of enhanced identity verification in crypto hiring, including in-person verification requirements and government ID cross-checks.
On-chain monitoring: The Bybit response demonstrated the value of real-time blockchain surveillance — Chainalysis and TRM Labs tracking contributed to freezing a portion of laundered funds at exchanges.
Information sharing: Security experts broadly agree that the only effective counter to state-level threats is rapid, systematic intelligence sharing across platforms, analytics firms, and law enforcement.
Chainalysis analyst Fierman noted that "as long as there is crime, illicit financial activity will continue to occur" — but coordinated response can significantly reduce the opportunity window.
For individual traders and investors, operating on regulated, security-mature platforms remains the most direct risk mitigation available. At MEXC and other major exchanges with multi-layered security architectures, user assets benefit from institutional-grade protection and real-time threat monitoring.
Frequently Asked Questions
Q1: What exactly is North Korea's Lazarus Group?
Lazarus Group is a state-directed hacking organization operating as a direct arm of North Korea's Reconnaissance General Bureau (RGB), first documented by the U.S. government as early as 2007. It is not a "state-sponsored" group in the loosely affiliated sense — it is functionally the same entity as the North Korean state's offensive cyber apparatus, responsible for both espionage and the systematic theft of cryptocurrency.
Q2: How much has North Korea stolen in total?
According to Chainalysis, DPRK-linked actors have stolen more than $6.75 billion in cryptocurrency since 2017. The 2025 total alone exceeded $2 billion — a new annual record — with the $1.5 billion Bybit theft in February accounting for the bulk.
Q3: How did the Bybit hack actually work?
Lazarus Group compromised a developer machine at Safe{Wallet}, a third-party multisig signing platform used by Bybit. They injected malicious code into what appeared to be a routine cold-to-hot wallet transfer, bypassing multi-signature authorization checks and redirecting approximately $1.5 billion in ETH to attacker-controlled addresses. The FBI formally attributed the attack to North Korea on February 26, 2025.
Q4: Why doesn't North Korea try to be more discreet?
Because it can't afford to be. Unlike Russia or Iran, North Korea has no real economy — no oil, no gas, no legitimate trade partners willing to work around sanctions at scale. It must generate hard currency quickly and in large volumes, which means accepting the traceability risk of large on-chain thefts. The regime's existential economic pressure makes "brazen and fast" more rational than "subtle and slow."
Q5: What percentage of stolen crypto funds North Korea's weapons programs?
Based on UN and U.S. government estimates, approximately 40% of stolen cryptocurrency proceeds are directly allocated to nuclear arms and ballistic missile development. The remainder supports broader regime operations and sanctions evasion infrastructure.
Q6: How can crypto users and platforms protect themselves?
For platforms: multi-layered security audits, hardware-level protections for signing keys, rigorous employee background verification (including in-person), real-time on-chain monitoring, and active intelligence sharing with blockchain analytics providers. For users: enable 2FA on all accounts, use reputable regulated exchanges, be extremely skeptical of unsolicited "job offers" from unknown parties, and avoid storing large amounts in non-custodial wallets unless you have advanced security hygiene.
Disclaimer
This article is produced by the MEXC Crypto Pulse Team for informational purposes only and does not constitute investment advice, financial guidance, or legal counsel. All data, statistics, and third-party quotations are sourced from publicly available and verifiable sources; while every effort has been made to ensure accuracy, MEXC assumes no liability for decisions made based on this content. Cryptocurrency markets are highly volatile and carry substantial risk. Please conduct your own due diligence and consult a qualified financial professional before making any investment decisions.
About the Author
The MEXC Crypto Pulse Team is the in-house content and research division of MEXC, one of the world's leading cryptocurrency exchanges. The team specializes in blockchain security analysis, crypto regulatory developments, market intelligence, and macroeconomic research within the digital asset space. With years of direct industry experience and ongoing collaboration with on-chain analytics providers, the team is committed to delivering accurate, timely, and substantive content for the global crypto community.