# Full Report
**ByBit attack doing some seriously heavy lifting**

North Korea's yearly cryptocurrency thefts have accelerated, with Kim's state-backed cybercriminals plundering just over $2 billion worth of tokens in 2025.…

# Analysis Summary
# Threat Actor: North Korean State-Backed Cybercriminals (DPRK Actors)
## Attribution & Identity
* **Identification:** State-backed cybercriminals attributed to North Korea (DPRK).
* **Known Aliases/Associations:** Referred to generally as "Kim's state-backed cybercriminals" and "DPRK-affiliated actors."
## Activity Summary
The activity summary focuses on a record-breaking year (2025) for cryptocurrency theft perpetrated by these actors:
* **Record Theft Value:** Plundered just over **$2 billion** worth of tokens in 2025, a 51% year-on-year increase.
* **Dominance:** Accounted for a record **76% of all service compromises** globally in 2025.
* **Efficiency:** Achieved this record value with **74% fewer known attacks**, suggesting higher-impact operations.
* **Key Incident:** A "ByBit-scale incident" is cited as an example of a high-impact operation.
* **Shift in Focus (2025):** Increased targeting of **personal wallets**, accounting for 44% of the total value stolen (up from 7.3% in 2022). A major influencing factor was a February incident netting around $1.5 billion.
* **Historical Context:** Cemented their status as the dominant force, taking total estimated raids since tracking began to **$6.75 billion**.
* **Decline in DeFi Raids:** Activity suggests a shift away from exploiting Decentralized Finance (DeFi) protocols, as security standards appear to be improving in that sector.
## Tactics, Techniques & Procedures
* **Centralized Service Compromise:** Responsible for a record 76% of attacks on centralized services, utilizing **private key compromises**.
* **Social Engineering (IT Worker Model Evolution):**
  * **Infiltration:** Continuing attempts to embed skilled individuals into cryptocurrency services companies.
  * **Recruiter Posing:** Shifting focus to posing as **recruiters** for crypto and Web3 businesses.
  * **Technical Screening Exploitation:** Conducting fake technical screenings to **steal credentials and source code**, securing remote access into current employers' networks.
* **Social Engineering (Executive Level):**
  * **Bogus Outreach:** Using **bogus outreach from purported strategic investors or acquirers**.
  * **Pseudo Due Diligence:** Using pitch meetings and sham due-diligence exercises to probe for sensitive systems information and for access paths into high-value infrastructure.
* **Targeting Personal Wallets:** Mass targeting of individual wallets (158,000 attacks affecting 80,000 unique individuals).
## Targeting
* **Sectors:** Cryptocurrency services (centralized exchanges/services), Web3 businesses, AI companies (implied strategic interest).
* **Geography:** Global (specific geography of targets not detailed, but high-value infrastructure is the focus).
* **Victims:**
  * **ByBit** (implied involvement in a major platform compromise).
  * **Personal/Individual Wallets:** Targeted 80,000 unique individuals.
  * **Solana-connected wallets:** Accounted for 26,500 victims.
## Tools & Infrastructure
* *No specific malware names, URLs, or IPs were mentioned in the provided text.*
## Implications
* The DPRK is achieving greater financial impact with fewer, more sophisticated attacks, suggesting increasing operational maturity and focus on high-value targets.
* The shift towards infiltrating IT staff recruitment pipelines and targeting executives via social engineering represents a significant evolution in their espionage and financial theft methodologies, moving beyond direct smart contract exploits.
* The challenge for 2026 will be detecting these high-impact operations before they cause another "Bybit-scale incident."
## Mitigations
* Improve security posture around centralized cryptocurrency services, focusing on preventing private key compromise.
* Establish rigorous vetting and technical screening processes for all potential IT hires, particularly those involved in sensitive roles within Web3 companies, to counter the recruiter/fake worker social engineering tactics.
* Implement enhanced scrutiny and verification protocols for unsolicited outreach from purported strategic investors or acquirers performing "due diligence."
* Concentrate security resources on defending perimeter access and the credentials issued to new employees or contractors for remote work.