
North Korea-Linked Hackers Steal $2.02 Billion in 2025, Leading Global Crypto Theft

Published:

18 December 2025 at 01:00:00

Alert date:

18 December 2025 at 12:01:35

Source:

thehackernews.com


Data Breach & Exfiltration, Ransomware & Malware, Critical Infrastructure

North Korea-linked threat actors stole $2.02 billion in cryptocurrency during 2025, a significant share of the $3.4 billion stolen globally from January through early December. This is a 51% year-over-year increase and $681 million more than their 2024 total. DPRK-affiliated hackers remain the leading force behind global cryptocurrency theft and continue to show sophisticated capabilities in targeting digital assets. The campaign is ongoing state-sponsored criminal activity aimed at funding North Korean operations.

Technical details

North Korea-linked hackers stole $2.02 billion in cryptocurrency in 2025, a 51% increase from the $1.3 billion stolen in 2024. Stolen funds follow a structured, multi-wave laundering pathway over roughly 45 days:

Wave 1 (Days 0-5): immediate layering through DeFi protocols and mixing services
Wave 2 (Days 6-10): movement of funds to exchanges and cross-chain bridges
Wave 3 (Days 20-45): final integration through services that facilitate fiat conversion

Along the way, funds are routed through Chinese-language money movement services, cross-chain bridges, mixers, and specialized marketplaces such as Huione. The actors rely on two main approaches: direct attacks on crypto exchanges, and placing IT workers inside companies under false pretenses via front companies.

Mitigation steps:

Organizations should:

Implement enhanced verification processes for remote IT workers and monitor for fraudulent identity usage
Treat with caution recruiters on platforms such as Upwork and Freelancer who request credential sharing
Avoid installing remote-access tools such as AnyDesk or Chrome Remote Desktop at the request of unknown parties
Implement robust security measures for cryptocurrency exchanges and wallets
Monitor for suspicious financial transactions that match the laundering pattern described above
Be aware of social engineering through LinkedIn and WhatsApp offering lucrative job opportunities

Affected products:

Bybit cryptocurrency exchange
Upbit cryptocurrency exchange
SafeWallet
Federal Aviation Administration (FAA) systems

Related links:

https://thehackernews.com/2025/02/bybit-confirms-record-breaking-146.html
https://thehackernews.com/2025/03/safewallet-confirms-north-korean.html
https://thehackernews.com/2025/06/bluenoroff-deepfake-zoom-scam-hits.html
https://www.infostealers.com/article/exclusive-look-inside-a-compromised-north-korean-apt-machine-linked-to-the-biggest-heist-in-history/
https://thehackernews.com/2025/02/bybit-hack-traced-to-safewallet-supply.html
https://en.yna.co.kr/view/AEN20251128003952320
https://upbit.com/service_center/notice?id=5800&view=share
https://paragraph.com/@investigations/how-lazarus-group-laundered-200m-from-25-crypto-hacks-to-fiat-from-2020-2023
https://www.orangecyberdefense.com/global/blog/cert-news/a-pain-in-the-mist-navigating-operation-dreamjobs-arsenal
https://thehackernews.com/2025/10/north-korean-hackers-lure-defense.html
https://attack.mitre.org/campaigns/C0022/
https://thehackernews.com/2024/09/north-korean-hackers-target-energy-and.html
https://thehackernews.com/2023/04/lazarus-group-adds-linux-malware-to.html
https://hunt.io/blog/dprk-lazarus-kimsuky-infrastructure-uncovered
https://thehackernews.com/2025/11/five-us-citizens-plead-guilty-to.html
https://any.run/cybersecurity-blog/lazarus-group-it-workers-investigation/
https://thehackernews.com/2024/11/north-korean-front-companies.html
https://medium.com/@meeswicky1100/unmasking-a-new-dprk-front-company-dredsoftlabs-bf9ed544d690
https://medium.com/@meeswicky1100/follow-up-blog-on-fake-dprk-dredsoftlabs-company-1f7721214acf
https://thehackernews.com/2025/05/ottercookie-v4-adds-vm-detection-and.html
https://www.justice.gov/opa/pr/maryland-man-sentenced-conspiracy-commit-wire-fraud
https://radar.securityalliance.org/from-north-korean-it-workers-to-it-recruiters/

Related CVEs:

Related threat actors:

IOCs:

trevorgreer9312@gmail.com, Lumma Stealer malware, BURNBOOK malware, MISTPEN malware, BADCALL malware

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information obtained from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
