$2 Billion in 2025, $6 Billion Total Stolen Crypto for North Korean Hackers as Focus Shifts to Individuals
October 13, 2025
North Korean hackers have been the leading threat to the crypto economy for several years now, and they are only becoming more sophisticated and dangerous over time. A new report from Elliptic warns that while their biggest gains still come from attacking crypto exchanges, high net worth individuals and smaller organizations now also have to worry about being targeted for their crypto holdings.
Stolen crypto vital for North Korea’s illicit programs, operations expand to new targets
The majority of the $2 billion stolen thus far came from crypto exchange Bybit, which was hit for $1.46 billion in February. About 30 more recorded incidents this year make up the difference of a little over half a billion dollars, though the Elliptic researchers warn there are likely more unreported and unattributed instances out there.
North Korea is pouring massive resources into acquiring stolen crypto because of the return it gets: based on UN estimates, the proceeds now amount to over 10% of its total annual GDP. Nearly all of that money is thought to be plowed straight into its weapons and nuclear programs, for which the rogue state has extremely limited alternative sources of funding.
While the North Korean hackers are stealing more than ever from crypto exchanges and platforms this year, the Elliptic researchers warn that they are also aggressively expanding into targeting individuals and smaller organizations that hold large amounts of funds. That is a very concerning development given that Lazarus Group and the regime's other leading teams are among the most advanced attackers in the world, have shown a broad array of creative means of breaching targets, and operate under a government shield that run-of-the-mill criminals do not enjoy.
The North Korean hackers tend to take two different approaches to stolen crypto, depending on the target: social engineering for individuals and smaller fish, and aggressively seeking out technical vulnerabilities for the exchanges and platforms. But this is not to say they do not mix and match their approaches at times. One of their larger platform breaches this year, the attack on WOO X, involved fairly standard phishing. And North Korea’s former record-holding crypto theft, the 2022 attack on the Ronin bridge, was pulled off by baiting an admin into a complex staged job interview.
On the other side of this, the North Korean hackers have been aggressively deploying a new family of Mac-focused malware called “NimDoor” that slips past Apple’s built-in defenses and is well suited to picking off individual targets. The malware evades detection in part because it is written in the rather obscure Nim programming language, which existing security tooling is less accustomed to flagging. It is delivered through social engineering: the hackers impersonate legitimate contacts on messaging apps, steer the target into a meeting, and then pass along a fake Zoom update that installs the malware.
Sophisticated laundering by North Korean hackers makes recovery extremely unlikely
In addition to improving their attack capability and broadening their range of targets, the North Korean hackers have a much improved laundering system in place that can put stolen crypto permanently beyond reach within just a couple of hours. The hackers maintain a massive network of wallets and make quick use of exchanges and mixers to move and muddle funds. The process starts with immediate conversion of the stolen assets to Bitcoin or Ether, which puts them out of reach of the token issuers and platforms that might otherwise freeze them once the breach is noticed.
Key takeaways from this report are that individuals and small businesses must be on heightened alert for targeted campaigns from highly advanced thieves such as Lazarus Group, attacks which will likely involve extensive reconnaissance to determine the best social engineering approach and any technical weaknesses that can be exploited. Mac and Apple devices also cannot be assumed to be hardened against malware, as NimDoor demonstrates as part of a broader trend (some sources report a nearly 500% surge in Mac malware incidents since 2023). And even small businesses that hold substantial amounts of crypto would be well served to prepare their defenses for the common tactics used by Lazarus and to ensure key employees are educated on approaches such as fake software updates and fake job offers.