North Korea–linked hackers made off with roughly $2.06 billion of the $3.4 billion lost in cryptocurrency theft last year, according to a report from blockchain security firm CertiK released this week. The report describes Pyongyang’s crypto theft apparatus as 'industrialized' and details how the group has evolved from simple phishing campaigns to physically infiltrating targets.
The 2025 tally
The $2.06 billion figure means North Korean state-backed groups accounted for more than 60% of all crypto stolen in 2025. Total industry losses from hacks reached $3.4 billion, making last year one of the worst on record for digital-asset crime. CertiK’s analysis puts the scale of the state-backed operation into sharp relief: one country’s hackers are responsible for most of the damage.
From phishing to physical infiltration
CertiK’s report traces the evolution of North Korea’s methods. Early operations relied heavily on spear-phishing emails and social engineering to trick employees into handing over private keys or credentials. But the group has since added physical infiltration to its toolkit — sending operatives to pose as job seekers, contractors or even service technicians to gain direct access to target networks. The shift reflects a broader professionalization of the theft apparatus, with the regime treating crypto heists as a reliable revenue stream.
Laundering billions
The report also highlights the laundering operation that follows the thefts. North Korea has moved billions of dollars through a series of mixing services, cross-chain bridges and over-the-counter desks, making it difficult for law enforcement to trace and freeze the funds. CertiK describes the laundering as equally industrialized, with dedicated teams responsible for obfuscating the trail. The scale of the operation means that even when wallets are identified, recovering the assets remains a long shot.
The findings come as regulators and exchanges continue to tighten security, but the sheer volume stolen last year shows the challenge is far from solved. With North Korea now willing to deploy people on the ground, the threat has moved beyond firewalls and two-factor authentication.




