The Human Weak Point: How North Korean Hackers Stole Over $2 Billion in Crypto in 2025

A Record-Breaking Year for Digital Heists
The world of cryptocurrency has been rocked by an unprecedented wave of cybercrime in 2025. According to a startling report from blockchain analytics firm Elliptic, state-sponsored hackers from North Korea have already siphoned off more than $2 billion in digital assets this year alone. This staggering figure not only sets a new, grim record but also highlights a dangerous evolution in the tactics used to compromise the crypto ecosystem.
While a single, massive attack on the Bybit exchange in February accounted for a significant portion of the losses—a whopping $1.46 billion—Elliptic has attributed over thirty additional hacks to North Korean actors. Worryingly, the firm suggests the true total could be even higher, with many attacks going unreported or lacking the definitive evidence needed for official attribution.
A Tactical Shift: From Exploiting Code to Exploiting People
For years, the primary fear in the crypto space was a technical one: a bug in a smart contract or a flaw in a protocol’s code. However, the 2025 heists reveal a profound shift in strategy. Attackers are now focusing their efforts on the most vulnerable part of any security system: the human element.
Most of the recent successful attacks have relied on sophisticated social engineering rather than technical exploits. As Elliptic notes, this change underscores that “the weak point in cryptocurrency security is increasingly human, rather than technical.” Rather than hunting for exploitable flaws in code, hackers are now masterfully manipulating people.
The New Prime Targets: High-Net-Worth Individuals
While exchanges remain a lucrative target, North Korean hackers are increasingly setting their sights on high-net-worth individuals. As crypto prices, including Bitcoin, have reached new all-time highs, wealthy investors have become walking bullseyes. Their personal security measures are often far less robust than the multi-layered defenses of a major corporation, making them easier prey.
Attackers often target individuals based on their professional connections, using them as a gateway to even larger corporate treasuries. By impersonating recruiters or venture capitalists, they build trust with employees at crypto firms, compromise their personal accounts, and then pivot to attack the company’s systems.
Inside the Social Engineering Playbook
The methods used to deceive targets are becoming more elaborate and harder to detect with traditional cybersecurity tools. These are not simple phishing emails; they are carefully orchestrated campaigns.
The Deceptive Video Call
One of the most effective tactics involves setting up fake video calls. Hackers will pose as investors or potential collaborators, often using compromised or meticulously faked social media profiles to appear legitimate. During the call, they will invent a technical “error” that requires the target to run a snippet of code via the command line to fix it. This code, however, is a Trojan horse that installs malware, giving the attackers control over the victim’s machine, private keys, and any administrative access they may have.
The Malicious “Skills Test” for Developers
Developers are also a key target. A common ploy involves a fake, but highly convincing, job offer. As part of the hiring process, the developer is asked to complete a “skills test” which requires cloning a code repository from a platform like GitHub. Hidden within this repository is malicious code that, once executed, compromises their system and steals their credentials and assets.
Following the Money: Funding a Rogue State
These stolen funds are not just for personal enrichment. The billions of dollars in cryptocurrency represent a critical financial lifeline for North Korea’s heavily sanctioned and isolated economy. It is widely believed that this illicit income is used to directly fund the nation’s nuclear weapons and ballistic missile programs, turning crypto exchange hacks into a matter of international security.
The Long Game: Infiltrating Companies as IT Workers
Beyond direct theft, North Korea is playing a long game through a program of “clandestine IT workers.” State-sponsored operatives with technical skills are actively seeking and obtaining remote employment at companies around the world. Recent research shows they are expanding their targets beyond crypto and tech firms to include AI, FinTech, healthcare, and even government organizations across the US, Middle East, and Australia.
These operatives serve a dual purpose: they earn a steady salary that is sent back to the regime, and more importantly, they gain insider access to sensitive networks and proprietary data. This allows them to conduct reconnaissance and exfiltrate information for future ransomware attacks long after their employment ends.
How to Protect Yourself in the New Era of Crypto Threats
As attackers focus on human psychology, personal vigilance has become the most critical line of defense. Here are a few key steps to protect yourself and your assets:
- Practice Zero-Trust: Be deeply skeptical of any unsolicited contact, whether it’s a job offer, an investment opportunity, or a collaboration request.
- Verify, Then Trust: Always verify the identity of the person you are communicating with through a separate, confirmed channel. A quick search or a separate email to their official company address can uncover a fraud.
- Never Run Unvetted Code: Do not run command-line scripts or download software from sources you do not trust 100%. A supposed “fix” for a video call is a massive red flag.
- Enhance Organizational Security: Companies must invest in continuous training for employees on identifying and reporting social engineering attempts. The human firewall is more important than ever.
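One concrete way to act on the “never run unvetted code” step against the skills-test lure described above is to audit a cloned repository for hooks that execute automatically on open or install before running anything in it. The Python script below is an added example, not code from the article or from Elliptic; the hook locations it checks (npm lifecycle scripts, VS Code folder-open tasks, setup.py) are assumptions about common auto-run vectors, since the article does not name the mechanism used, and the sample repository it builds is constructed for the demonstration.

```python
"""Audit a freshly cloned repository for hooks that run code automatically on
open or install, before anything in it is executed. Added example, not from the
article or Elliptic; the hook locations checked (npm lifecycle scripts, VS Code
folder-open tasks, setup.py) are assumed common auto-run vectors."""
import json
import tempfile
from pathlib import Path

# `npm install` runs these scripts without prompting.
NPM_LIFECYCLE = {"preinstall", "install", "postinstall", "prepare"}


def audit_repo(root):
    """Return [(relative_path, reason), ...] for auto-run hooks found under root."""
    root = Path(root)
    findings = []
    pkg = root / "package.json"
    if pkg.is_file():
        try:
            scripts = json.loads(pkg.read_text()).get("scripts", {})
        except (json.JSONDecodeError, AttributeError):
            scripts = {}
        for name in sorted(NPM_LIFECYCLE & set(scripts)):
            findings.append(("package.json", f"npm lifecycle script '{name}': {scripts[name]}"))
    tasks = root / ".vscode" / "tasks.json"
    # tasks.json may contain comments, so a substring test is safer than json.loads.
    if tasks.is_file() and '"folderOpen"' in tasks.read_text():
        findings.append((".vscode/tasks.json", "task set to run on folder open"))
    if (root / "setup.py").is_file():
        findings.append(("setup.py", "executed by `pip install .`"))
    return findings


def build_sample_repo():
    """Create a constructed sample repo (not a real one) and return its path."""
    root = Path(tempfile.mkdtemp(prefix="skills_test_"))
    (root / "index.js").write_text("console.log('hello');\n")
    (root / "package.json").write_text(json.dumps({
        "name": "take-home-task",
        "scripts": {"test": "node index.js", "postinstall": "node setup.js"},
    }))
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(
        '{\n  // runs as soon as the folder is opened\n  "version": "2.0.0",\n'
        '  "tasks": [{"label": "init", "type": "shell", "command": "node setup.js",\n'
        '             "runOptions": {"runOn": "folderOpen"}}]\n}\n')
    return root


if __name__ == "__main__":
    for path, reason in audit_repo(build_sample_repo()):
        print(f"{path}: {reason}")
```

Run it against the clone before opening the folder in an editor or running any install command; a clean result is no guarantee, but any finding means the repository should be treated as untrusted until the hook has been read and understood.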
The landscape of crypto security is constantly changing. As hackers prove they can bypass technical walls by simply knocking on the human door, our awareness and skepticism are our most valuable assets.