Report: North Korea Has Stolen Nearly $3B in Crypto So Far This Year

By José Oramas | October 27, 2025 | Cryptocurrency, Hackers, North Korea
  • North Korean-linked hackers have stolen at least $2.84 billion in crypto since January 2024, with $1.65 billion taken between January and September 2025.
  • DPRK operators are now using large language models across the intrusion lifecycle, from phishing and code analysis to automating laundering, accelerating their attack efficiency.
  • North Korea is also running an expanding, illicit overseas IT-labor program with workers in at least eight countries, with wages funneled back to Pyongyang.

North Korea-linked hackers have stolen a massive US$2.84 billion (AU$4.54 billion) in crypto since January 2024, according to a report from the UN-mandated Multilateral Sanctions Monitoring Team (MSMT), in collaboration with Chainalysis.

For 2025 alone, the MSMT estimates at least US$1.65 billion (AU$2.64 billion) taken between January and September, much of it tied to February’s Bybit breach attributed by the FBI to DPRK operators, which netted roughly US$1.5 billion (AU$2.40 billion) and is the largest known crypto hack.

The MSMT also details an expanding overseas IT-labor program that violates UN Security Council Resolutions 2375 and 2397. North Korean contractors have worked in at least eight countries, including China, Russia, Laos, Cambodia, Equatorial Guinea, Guinea, Nigeria and Tanzania. 

The report cites 1,000–1,500 DPRK workers based in China and plans for up to 40,000 to be sent to Russia, with wages remitted to Pyongyang.

“While North Korea-linked hackers represent a significant threat, law enforcement, national security agencies and private sectors’ ability to identify associated risks and fight back is growing.”

Andrew Fierman, Head of National Security Intelligence at Chainalysis

Put AI Into The Equation

Researchers say the threat profile has shifted with AI. Mysten Labs co-founder and chief cryptographer, Kostas “Kryptos” Chalkias, told CoinDesk that DPRK units now deploy large language models across the intrusion lifecycle, from reconnaissance and phishing to code analysis and laundering.

He called LLMs a more immediate risk to the industry than hypothetical quantum attacks. 

“AI is the best tool I’ve ever had as a white-hat hacker, and you can imagine what happens when it’s in the wrong hands.”

Kostas Chalkias, Cryptographer and Co-Founder at Mysten Labs

In practice, North Korean operators are applying large language models to scan codebases for exploitable flaws at speed, reuse prior exploit playbooks across new targets, and automate intrusion steps that previously required an entire staff (even hackers are getting laid off).

The same tooling accelerates social engineering, from crafting convincing recruiter and vendor personas to producing high-yield phishing campaigns, and extends into post-theft choreography by scripting complex laundering paths across chains and services.


José is a journalist and translator with a keen interest in blockchain and cryptocurrencies.