- North Korea-linked cyber actors caused over $2 billion in crypto losses in 2025, a 51% year-over-year increase despite fewer attacks.
- Activity concentrated on high-value exchanges and Web3 protocols, improving efficiency per operation.
-
Reports from CrowdStrike highlight expanded use of social engineering, remote IT workers, and cross-chain laundering tools to move funds and evade tracking.
Crypto losses linked to state-affiliated groups from North Korea increased sharply in 2025, according to cybersecurity analysis from CrowdStrike. The data shows a structural shift in attack behavior, with fewer incidents but larger financial impact per breach, driven by more efficient targeting strategies. The trend reflects growing pressure on exchanges and Web3 platforms as attackers refine access methods and prioritize liquidity-rich ecosystems across the digital asset sector.
Financial services is now the 4th most targeted sector globally. The stakes? A recent supply chain compromise just caused the largest reported financial theft in history. 🚨
Read the CrowdStrike 2026 Financial Services Threat Landscape Report to uncover:
🔷 A 43% rise in… pic.twitter.com/en7yCAlfDp
— CrowdStrike (@CrowdStrike) May 14, 2026
Crypto Stolen By North Korean Hackers Rose 51% In 2025 Report Analysis
Cybersecurity firm CrowdStrike reported that state-linked actors from North Korea generated more than $2 billion in crypto-related losses during 2025, marking a 51% increase year over year. The shift reflects fewer campaigns but higher success rates per intrusion, especially against centralized exchanges and decentralized finance protocols. Researchers note that attackers increasingly rely on social engineering and fake recruitment pipelines to gain access to developer systems and internal credentials. The focus on liquidity-rich platforms allows faster conversion and cross-chain movement of stolen assets, complicating recovery efforts for compliance teams.
In parallel, intelligence findings from the Ethereum Foundation indicate that embedded operators have been identified within parts of the Web3 hiring pipeline. In one case, Drift Protocol experienced compromise linked to remote onboarding processes, while onchain investigator ZachXBT tracked related activity across multiple firms. These patterns continue evolving as infiltration techniques adapt to hiring and outsourcing workflows across the sector.
Findings From CrowdStrike Report And Web3 Exposure
CrowdStrike highlights that DPRK-linked cyber groups have expanded their operational structure through distributed contractors and intermediary networks tied to the crypto sector. This model increases resilience and allows faster adaptation to platform security upgrades. The report also notes that Web3 infrastructure remains a key entry point due to its open development ecosystems and reliance on remote contributors. The Ethereum Foundation previously identified networks of North Korea-associated individuals embedded in hiring pipelines, raising concerns about credential misuse and long-term access risks.
Security teams are increasing monitoring and verification measures across onboarding and code contribution processes to reduce exposure risks over time, especially as cyber risks targeting digital assets continue to evolve alongside improved defensive tools.