Alleged North Korea’s 2025 Crypto Heists: From Exchange Hacks to Weapons Funding

On August 7, 2025, the US Department of Justice convicted Tornado Cash co-founder Roman Storm for running an unlicensed money transmission business. The case, seen as a crackdown on crypto mixing infrastructure, directly affects hacker groups’ laundering networks.

Weeks later, on August 26, the FBI confirmed that the Lazarus Group was behind the $1.5 billion Bybit hack — the most significant theft in crypto history.

“North Korean Hacks” Stretch Across Global Markets

Why Important
The Bybit breach and the Tornado Cash verdict highlight how cybercrime and regulation collide. For investors and exchanges, this is not just about stolen assets — it is about rising compliance costs, tighter oversight, and the perception that crypto has moved from a financial risk to a national security issue.

Latest Update
The FBI’s confirmation of the Bybit theft and the DOJ’s conviction of Tornado Cash’s co-founder mark a turning point. Authorities now pursue both the hackers and the infrastructure that launders their proceeds. Moreover, regulators signal that enforcement will broaden to cover perpetrators and enablers across the industry.

Background Context
Since 2017, the Lazarus Group, an unknown hacker group alleged to be run by the North Korean government, has targeted banks and crypto exchanges to generate funds. The narrative of its origin stems from the fact that, because international sanctions restricted trade, Pyongyang pivoted to cyber theft. By 2025, the pace accelerated, with attacks spanning Asia, the US, and Europe. At the same time, global law enforcement struggled to keep up with the speed of attacks.

A Year of Escalation

Deeper Analysis
The wave began in May, when Taiwan’s BitoPro exchange lost about $11.5 million. In June, the DOJ filed a forfeiture action to seize $7.74 million linked to laundering schemes. Later that month, four North Korean nationals were indicted in Georgia for infiltrating US firms as IT contractors, stealing nearly $900,000. Meanwhile, investigators noted this was part of a broader pattern rather than isolated cases.

A TRM Labs report estimated North Korea stole $1.6 billion in the first half of 2025, accounting for about 70 percent of global crypto crime. In June, the Financial Action Task Force warned that North Korea posed the most severe state-based threat to the integrity of crypto markets. Beyond that, regulators worldwide began reviewing licensing frameworks more aggressively.

“With over $2.17 billion stolen from cryptocurrency services so far in 2025, this year is more devastating than the entirety of 2024. The DPRK’s $1.5 billion hack of Bybit, the largest single hack in crypto history, accounts for the majority of service losses.” — Chainalysis

Hidden Tactics Exposed

Behind Scenes
A Wired investigation revealed over 1,000 email accounts linked to North Korean IT workers employed remotely by Western companies. Salaries moved into crypto wallets, then laundered through mixers and cross-chain swaps. This “dual strategy” — steady inflows from IT jobs plus windfalls from exchange hacks — provides Pyongyang with durable funding streams. Moreover, experts observed that this combination allows the regime to balance reliable income with occasional billion-dollar windfalls.

North Korean operatives have also upgraded their toolkit. As BeInCrypto reported, they now combine advanced social engineering with zero-day exploits. Consequently, their success rates rise even against platforms once considered secure.

Wider Impact
These incidents have shaken confidence in the industry. European exchanges report higher compliance costs, while South Korea has expanded blockchain forensics. The FATF warning pushed several governments to tighten licensing frameworks. Consequently, oversight has shifted from a financial lens to a security one — a change that directly impacts investors and platforms alike.

Military Diversion Risks and Policy Reactions

Essential Facts
• North Korea stole $1.6 billion in H1 2025 (TRM Labs).
• The Bybit hack alone cost $1.5 billion (FBI).
• BitoPro lost $11.5 million (Yahoo citing BitoPro).
• DOJ filed a $7.74 million forfeiture action (DOJ).
• Four nationals indicted for $900,000 thefts (DOJ).
• UN monitors reported that cyber proceeds fund weapons programs.

Looking Forward
Officials warn that Pyongyang is testing decentralized finance and privacy coins. Consequently, analysts expect new sanctions on mixers, custodial wallets, and liquidity pools. Without coordination, enforcement gaps will widen, leaving investors exposed.

Data Breakdown

From Past Heists to Today’s Dominance

Between 2017 and 2022, UN panels estimated that Pyongyang, including the Lazarus Group, generated about $2 billion through cyber theft. By 2024, North Korea represented nearly one-third of global crypto crime. By 2025, its dominance expanded dramatically, driving most major heists. Moreover, the shift from opportunistic hacks to systematic campaigns shows the regime’s growing sophistication.

Possible Risks
Sanctions may tighten, but peer-to-peer transactions in emerging economies create blind spots. Consequently, DPRK will likely pivot to decentralized corridors. This implies sustained liquidity risks, higher regulatory costs, and potential sudden market restrictions for investors.

Expert Opinions

“Cybercriminal activities generate about half of North Korea’s foreign currency income and are used to fund its weapons programs.”

— UN sanctions report, June 2025

“These funds enable DPRK’s malign activities worldwide, undermining sanctions and fueling proliferation.”

— US Department of Justice

“The Lazarus Group’s strategy has evolved from opportunistic hacks to structured, state-backed funding operations, making them harder to disrupt.”

— TRM Labs analyst