North Korea crypto theft has surged: Elliptic reported more than $2 billion stolen in 2025 and about $6 billion since 2017, figures that some accounts describe as alleged rather than confirmed totals.
Bybit exchange hack and 2025 totals
On 10 February 2025, Bybit disclosed a major security breach that initial reports put at roughly $1.46 billion. Subsequent on-chain analysis by blockchain forensics teams suggested a higher overall toll for 2025, and Elliptic's work in particular underpins the headline figure. See our coverage of the Bybit exchange hack and the wider findings in the Elliptic report for 2025.
Lazarus Group involvement and attribution
Analysts have raised concerns about links to the Lazarus collective. However, attribution in such cases remains cautious and conditional. Authorities continue to cross-check malware indicators, wallet clusters, and historical tradecraft. For deeper context, read our Lazarus Group involvement analysis.
Cross-chain swap tracing and crypto laundering techniques
Investigators observed extensive use of cross-chain swaps, wrapped tokens, and lesser-known protocols to obscure flows. Nevertheless, public ledgers allow persistent investigators to follow patterns. In practice, analysts use clustering heuristics and bridge mapping to reconstruct pathways. These methods show that portions of the stolen funds remain traceable despite complex layering.
How laundering networks operate
The laundering process typically fragments funds into many addresses. Then, actors move value across chains and through decentralized platforms. Finally, they return value through on-ramps or self-issued tokens. As a result, the trail often requires multi-party cooperation to interrupt.
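The fragmentation and bridge-mapping steps described above, as an added example that is not part of the original article or Elliptic's tooling: a small tracer that follows funds from a seed address through fan-out and matches each bridge lock to a release on the far chain by amount (minus an assumed fee tolerance) and time window, so that unrelated bridge traffic is not swept into the cluster. All addresses, amounts and timestamps are constructed.

```python
from collections import defaultdict, deque

# Constructed sample ledger: (chain, tx_id, sender, receiver, amount, timestamp).
TRANSFERS = [
    ("eth", "t1", "victim_hot", "a1", 600.0, 100),   # fragmentation
    ("eth", "t2", "victim_hot", "a2", 400.0, 101),
    ("eth", "t3", "a1", "a3", 300.0, 110),
    ("eth", "t5", "a3", "BRIDGE_ETH", 300.0, 120),   # lock on source chain
    ("eth", "t6", "a2", "BRIDGE_ETH", 400.0, 121),
    ("eth", "t10", "unrelated", "BRIDGE_ETH", 50.0, 122),
    ("btc", "t7", "BRIDGE_BTC", "b1", 299.5, 125),   # release minus bridge fee
    ("btc", "t11", "BRIDGE_BTC", "b3", 49.9, 126),
    ("btc", "t8", "BRIDGE_BTC", "b2", 399.0, 128),
    ("btc", "t9", "b1", "exchange_deposit", 299.5, 200),  # on-ramp
]
BRIDGE_PAIRS = {"BRIDGE_ETH": "BRIDGE_BTC"}  # lock contract -> release contract
FEE_TOLERANCE = 0.01   # assumption: the bridge keeps at most 1% as fee
WINDOW = 30            # assumption: release follows lock within 30 time units

def bridge_candidates(lock_tx, transfers):
    """Bridge mapping: releases on the far chain matching a lock by amount and time."""
    _, _, _, contract, amount, ts = lock_tx
    release_side = BRIDGE_PAIRS[contract]
    return [t for t in transfers
            if t[2] == release_side and 0 < t[5] - ts <= WINDOW
            and amount * (1 - FEE_TOLERANCE) <= t[4] <= amount]

def trace(seed, transfers):
    """Follow funds from seed across fan-out and bridges; return (addresses, bridge hops)."""
    by_sender = defaultdict(list)
    for t in transfers:
        by_sender[t[2]].append(t)
    seen, queue, hops, used = {seed}, deque([seed]), [], set()
    while queue:
        for t in by_sender[queue.popleft()]:
            dst = t[3]
            if dst in BRIDGE_PAIRS:
                # Each release may explain only one lock; prefer the closest amount.
                cands = [c for c in bridge_candidates(t, transfers) if c[1] not in used]
                if not cands:
                    continue  # lock with no matching release: the trail goes cold here
                best = min(cands, key=lambda c: t[4] - c[4])
                used.add(best[1])
                hops.append((t[1], best[1]))
                dst = best[3]
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen, hops
```

Tracing from `victim_hot` reaches the exchange deposit via two bridge hops while leaving the unrelated `b3` flow out of the cluster, which is the discrimination a naive "everything that touched the bridge" heuristic would lose.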
Crypto social engineering attacks and high net worth targets
Security teams note a marked shift toward social engineering. Attackers now prefer deception over pure code exploits. They use phishing, fake job offers, and compromised social accounts to gain access. Consequently, high net worth targets and company executives have become prime victims. Wealthy holders sometimes lack enterprise-grade controls, making a single compromise costly.
Why people are the weak link
Human error remains the simplest vector. Phishing remains effective. So do impersonation campaigns that mimic legal or corporate requests. Therefore, behavioural controls are now as important as cryptographic protections.
Forensic findings and the role of the Elliptic blockchain forensics report
Elliptic and other firms combine on-chain tracing with intelligence leads to attribute flows. Their analyses flagged the scale and cadence of moves after major incidents. Moreover, Elliptic emphasised that sustained, multi-party tracing capacity is required to follow complex laundering. For Elliptic’s own published research, see Elliptic.
As Elliptic noted, “the scale of illicit flows into crypto requires sustained, multi-party tracing capacity,” underscoring the need for cooperation across public and private actors. Meanwhile, investigative reporting has stressed that realistic drills and transparent post-incident reporting are central to restoring market confidence. As CoinDesk observed, such practices build trust after a breach.
Industry response and practical steps
Exchanges and custodians have begun hardening controls. Measures include stricter KYC, enhanced transaction monitoring, and bridge oversight. In addition, multi-signature custody and transaction delay policies help reduce single-point failures.
We run regular table-top drills and maintain standing forensic partnerships to shorten response times and preserve evidence. We prioritise live-wallet monitoring and coordinated takedown requests with exchanges and law enforcement. Consequently, these steps improve the odds of partial recovery and faster disruption of laundering chains.
- Multi-signature custody: limits single-key compromise.
- Transaction delays: allow human review for large transfers.
- On-chain monitoring: flags abnormal bridging or mixer interactions.
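The three controls listed above combined into one outbound-transfer policy, as an added example and not code from the article or any exchange: a custody check that rejects transfers without the multi-signature quorum or to a known mixer, holds large transfers for a review delay, and flags abnormal bridging velocity over a sliding window. Signer names, watchlist addresses and thresholds are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed thresholds and watchlists (illustrative, not from the article).
AUTHORISED_SIGNERS = {"ops_key_a", "ops_key_b", "ops_key_c"}
MULTISIG_THRESHOLD = 2             # signatures required from authorised keys
LARGE_TRANSFER_LIMIT = 100_000.0   # above this, hold for human review
KNOWN_BRIDGES = {"bridge_contract_x"}
KNOWN_MIXERS = {"mixer_contract_y"}
BRIDGE_WINDOW, BRIDGE_MAX = 3600, 3   # more than 3 bridge sends/hour is abnormal

@dataclass
class Transfer:
    dest: str
    amount: float
    signers: set
    ts: int

@dataclass
class Decision:
    action: str                    # "reject", "hold" or "release"
    reasons: list = field(default_factory=list)
    release_at: int = 0            # earliest release time when held

class CustodyPolicy:
    def __init__(self):
        self.bridge_sends = deque()  # timestamps of recent bridge interactions

    def evaluate(self, tx):
        valid = tx.signers & AUTHORISED_SIGNERS
        if len(valid) < MULTISIG_THRESHOLD:
            return Decision("reject", [f"{len(valid)}/{MULTISIG_THRESHOLD} valid signatures"])
        if tx.dest in KNOWN_MIXERS:
            return Decision("reject", ["destination is a known mixer"])
        reasons = []
        if tx.amount > LARGE_TRANSFER_LIMIT:
            reasons.append("large transfer: human review required")
        if tx.dest in KNOWN_BRIDGES:
            self.bridge_sends.append(tx.ts)
            while self.bridge_sends[0] < tx.ts - BRIDGE_WINDOW:
                self.bridge_sends.popleft()   # drop sends outside the window
            if len(self.bridge_sends) > BRIDGE_MAX:
                reasons.append("abnormal bridging velocity")
        if reasons:
            return Decision("hold", reasons, tx.ts + 24 * 3600)  # 24h review delay
        return Decision("release", ["within policy"])

def simulate(txs):
    policy = CustodyPolicy()
    return [policy.evaluate(t).action for t in txs]
```

A held decision carries its reasons and the earliest release time so the review queue can show an operator why a transfer stopped rather than silently delaying it.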
Implications for investors and the market
Large thefts of this kind reshape trust in liquidity venues and cross-chain infrastructure. Market participants may demand stronger assurances before committing capital. Therefore, institutional adoption could slow until risk controls are demonstrably effective.
Regulators are already considering tighter rules on beneficiary disclosure and bridge operations. Coordinated action can also force centralized points to block suspect flows quickly. However, history shows attackers will adapt, so defenders must continually update practices.
Conclusion
The 2025 surge reported by Elliptic highlights a strategic shift: attackers increasingly blend technical skills with social and financial engineering. While many flows remain traceable, stopping laundering requires rapid cooperation across firms and jurisdictions. Ultimately, richer forensic capacity, routine training, and transparent incident response will be crucial to protect users and restore confidence.
Source: https://en.cryptonomist.ch/2025/10/07/north-korea-crypto-theft-surges-elliptic-reports-2b-2025/