From January to December 2025, hackers stole $3.4 billion from the cryptocurrency sector alone, with more than $2 billion attributed, according to Western estimates, to groups from North Korea. In just a few years, alleged North Korean hackers have gone from objects of ridicule to the top tier of global cyber threats, developing a sophisticated arsenal that combines social engineering, phishing, malware, and targeted attacks.

The most striking case was the attack on the Bybit exchange in February 2025, when approximately $1.4 billion in crypto vanished. The perpetrators exploited a breach linked to Safe{Wallet} and, through a forged interface, managed to trick company executives into approving the transfer of wallet control. The FBI attributed the attack to North Korea, estimating that the stolen funds were immediately dispersed across thousands of addresses for money laundering.
The same or similar tactics have been identified in other major attacks, such as WazirX in 2024. A central role is attributed to the well-known Lazarus Group, as well as Kimsuky, APT37, and APT38. These groups reportedly target mainly software, fintech, and blockchain companies, often posing as recruiters or job candidates. In this way, they install malware on victims' devices, in a method experts ironically call the "infected interview."
The picture regarding the origin and structure of these groups remains blurry. Much information comes from South Korean sources, Western intelligence agencies, and North Korean defectors, whose testimonies are often questioned as difficult to verify. Nevertheless, many analysts now consider it almost certain that Pyongyang has systematically invested in developing cyber forces, recruiting talented youth and utilizing them for both espionage and economic warfare.
The first attacks attributed to North Korea in the early 2000s were relatively crude; however, over time, these capabilities evolved. The most famous cases include the attack on Sony Pictures in 2014, the theft from the Central Bank of Bangladesh in 2016, and the global WannaCry ransomware attack in 2017. Especially after 2017, the international community began to treat North Korea not just as a source of cyber-interference, but as one of the most aggressive and effective players in digital warfare.
In recent years, the primary target appears to be cryptocurrencies. From Bithumb and Youbit to the Ronin Network and Bybit, the attacks yield massive sums which, according to US and international estimates, may be used to fund the country's missile and weapons of mass destruction programs. Thus, North Korea has reportedly turned hacking into one of the core mechanisms for survival and the enhancement of its state power.
Despite the lingering doubts surrounding the precise attribution of every attack, the general picture is clear: North Korean hackers have evolved from a disputed threat into one of the most significant factors in international cybercrime. And if the same trend continues, Pyongyang could become not only a nuclear power, but also a shadow crypto superpower.
www.bankingnews.gr