North Korean operatives had a field day in 2025.
Hackers from the Democratic People’s Republic of Korea managed to steal more than $2 billion in crypto this year.
That’s a staggering 51% year-over-year uptick, according to a new report from blockchain surveillance firm Chainalysis.
The haul pushes North Korea’s cumulative proceeds from crypto theft to $6.7 billion since it began targeting the industry in 2016.
This year was marked by a shift in North Korea’s criminal strategy, which has led to 74% fewer attacks – but much larger thefts.
“When North Korean hackers strike, they target large services and aim for maximum impact,” Chainalysis wrote in its year-end report.
Instead of external hacks, DPRK operatives are embedding IT workers inside crypto companies to gain privileged access and execute massive heists.
Fewer attacks, bigger hauls
North Korea’s strategy has changed — now it’s go big or go home.
The average North Korean hack now steals amounts that dwarf what typical cybercriminals manage.
Here’s how extreme it’s gotten. The biggest North Korean hack in 2025 was 1,000 times larger than the typical crypto hack, according to Chainalysis. It’s the difference between a bank robbery that bags $1,000 and one that bags $1 million.
For example, the Bybit hack alone — which North Korean operatives executed in February — netted a staggering $1.5 billion. That single theft amounted to three-quarters of North Korea’s entire $2 billion haul for the year.
And while other hackers are pulling off dozens of small thefts from DeFi protocols and individual wallets, hackers from North Korea are focused on infiltrating major exchanges and custodial platforms, where the big money really sits.
In 2025, North Korean actors were responsible for 76% of all major exchange and platform hacks — the highest share ever recorded.
And the problem is far worse than most realise.
“North Korea is much worse than everybody thinks,” Pablo Sabbatella, a member of the cyber investigation organisation SEAL, told DL News in November.
“Between 30% and 40% of job applications received by crypto companies are North Korean operatives trying to infiltrate these organisations.”
Flipping the playbook
According to Chainalysis, North Korean operatives are now inverting the IT worker model entirely.
Instead of applying for jobs, they’re impersonating recruiters for prominent crypto and AI firms, orchestrating fake hiring processes designed to harvest credentials, source code, and VPN access from victims’ current employers.
These recruiters reach individuals worldwide through freelance platforms like Upwork and Freelancer.
The modus operandi is elementary.
An individual either loans his verified account credentials or simply allows a North Korean hacker to use his identity remotely. In exchange, the collaborator gets 20% of earnings, while the operative keeps 80%.
“At the executive level, a similar social-engineering playbook appears in the form of bogus outreach from purported strategic investors or acquirers,” Chainalysis wrote.
For Chris Wong, a former FBI agent and North Korea expert now at crypto intelligence firm TRM Labs, the situation goes beyond a simple cybersecurity challenge.
“North Korea’s crypto theft activity is a sanctions, national security, and financial crime issue, and countering it requires real-time intelligence, operational disruption, and sustained cross-border coordination,” Wong said in comments shared with DL News.
Pedro Solimano is DL News’ Buenos Aires-based markets correspondent. Got a tip? Email him at psolimano@dlnews.com.










