Full Report
For the second year in a row, North Korea’s vast cryptocurrency hacking operation has broken its own record, stealing $2.02 billion in 2025, new research says. A report published Thursday by the blockchain watchdog company Chainalysis found that North Korea broke its own record of $1.3 billion in hacked and stolen crypto like bitcoin and ethereum. That…
Analysis Summary
# Threat Actor: North Korea (State-Sponsored Cyber Operations)
## Attribution & Identity
**Attribution:** North Korea (Democratic People's Republic of Korea, DPRK).
**Known Aliases/Associated Groups:** Explicitly linked to North Korea’s elite government hacking squad, identified specifically as the **Lazarus Group** by the U.S. Secret Service.
## Activity Summary
North Korea's cryptocurrency hacking operation achieved a record high in 2025, stealing **$2.02 billion** in illicit cryptocurrency, surpassing the previous year's record of $1.3 billion. This theft contributes to an estimated total of $6.75 billion stolen by the nation to date.
A significant event contributing to the 2025 total was the **hack of the Dubai-based cryptocurrency exchange Bybit** in February 2025, from which approximately **$1.5 billion** (mostly in Ethereum) was stolen.
## Tactics, Techniques & Procedures
The specific TTPs related to the *method* of the compromise are not detailed beyond the fact that they involve cryptocurrency hacking and theft.
- **Specific TTPs Mentioned:** Hacking and stealing cryptocurrency (e.g., Bitcoin and Ethereum).
- **Laundering/Movement:** The U.S. Secret Service alert suggests the Lazarus Group is currently laundering large sums, including proceeds from the Bybit hack, through services like **Kruw.io**. (Note: Specific attack vector TTPs are absent; TTPs focus on *financial outcome* and *post-theft movement*).
- **MITRE ATT&CK IDs:** None provided in the text.
## Targeting
- **Sectors:** Cryptocurrency exchanges (Financial Technology/DeFi).
- **Geography:** The primary victim mentioned is a **Dubai-based** cryptocurrency exchange (Bybit).
- **Victims:**
  - **Bybit** (Dubai-based cryptocurrency exchange).
## Tools & Infrastructure
- **Malware Families Used:** Not specified.
- **Infrastructure (C2, domains, IPs):** The laundering service **Kruw.io** is mentioned in relation to the movement of stolen funds resulting from the $1.5 billion Bybit hack. (Note: No traditional C2 domains or IPs were provided.)
## Implications
North Korea continues to rely heavily on sophisticated, large-scale crypto theft as a critical source of state funding, consistently breaking previous records ($2.02B in 2025 vs $1.3B in 2024). The massive scale of single incidents, such as the $1.5B Bybit hack, indicates continued dominance and increasing capability in targeting the global digital asset ecosystem.
## Mitigations
- Specific, actionable defensive recommendations against the *intrusion methods* were not provided in the text.
- **Financial/Post-Compromise Mitigation Guidance (based on context):**
  - Due diligence and monitoring of cryptocurrency mixing/laundering services like **Kruw.io** that are associated with known DPRK state-sponsored elements.
  - Enhanced security controls and monitoring for cryptocurrency exchanges, especially those handling large volumes of assets like Ethereum.