Why Are North Korean Hackers So Good at Stealing Cryptocurrency?

Ben Zhou, the boss of Dubai-based cryptocurrency exchange Bybit, recalls that February 21 was a normal day. Before going to bed, he approved a transfer of funds between company accounts, a “typical operation” for serving more than 60 million users worldwide. Half an hour later, he got a call. “Ben, something went wrong,” his chief financial officer said in a trembling voice. “We may have been hacked… All the Ethereum is gone.”

Independent investigators and the FBI quickly pointed the finger at a familiar culprit: North Korea. Hackers from the Hermit Kingdom have emerged as one of the biggest threats to the crypto industry and a vital source of revenue for the regime, helping it fend off international sanctions, control its elites and fund its missile and nuclear weapons programs.

According to data from cryptocurrency investigation firm Chainalysis, North Korean hackers stole a total of $661 million in 2023; in 2024, that figure doubled to $1.34 billion across 47 thefts, equivalent to more than 60% of the total amount of cryptocurrency stolen worldwide.

The Bybit heist illustrates the growing sophistication and ambition of the hackers: in one attack, North Korea stole the equivalent of $1.5 billion from the exchange, the largest theft in cryptocurrency history.

Origins of North Korea’s Cyber Forces

North Korea’s attacks are the culmination of decades of work. The country’s first computer science schools date back to at least the 1980s. The Gulf War helped the regime recognize the importance of cyber technology to modern warfare. Gifted math students were sent to special schools and exempted from annual compulsory labor in the countryside, said Thae Yong Ho, a senior North Korean diplomat who defected in 2016. North Korea’s cyber forces were originally conceived as tools of espionage and sabotage but began focusing on cybercrime in the mid-2010s. Kim Jong-un is said to have called cyber warfare an “all-purpose sword.”

Crypto Attacks and Money Laundering

Stealing cryptocurrency involves two main stages. The first is hacking into a target system — the equivalent of finding an underground passage to a bank vault. Phishing emails can insert malicious code. North Korean agents pose as recruiters to trick software developers into opening infected files during fake job interviews. Another method is to use a fake identity to get a remote IT job at a foreign company, which can be the first step to access an account. "They're very good at finding vulnerabilities through social engineering," said Andrew Fierman of Chainalysis. In the Bybit case, the hackers broke into the computer of a developer working for a digital wallet software provider.

Once stolen, the cryptocurrency must be laundered. The dirty money is spread across multiple digital wallets, mixed with clean funds, and moved between different cryptocurrencies in a process known in the industry as “coin mixing” and “chain hopping.” “They are the most sophisticated cryptocurrency launderers we have ever encountered,” said Tom Robinson of blockchain analytics firm Elliptic. Finally, the stolen funds need to be withdrawn.

A growing number of underground services, many of which are tied to organized crime, can help achieve this goal. Law enforcement intercepts and roadblocks have reduced overall revenue, but Nick Carlsen, a former FBI analyst now at blockchain intelligence firm TRM Labs, said North Korea can expect to receive “definitely 80, maybe 90 percent” of the funds it steals.

Why North Korea is so good at stealing cryptocurrency

North Korea has several advantages. One is talent. It may seem counterintuitive: The country is extremely poor, and ordinary people don’t have access to the internet or even computers. But “North Korea can pick the best talent and tell them what to do,” said Kim Seung-joo of Korea University in Seoul. “They don’t have to worry that they will go to work for Samsung.” At the 2019 International College Student Programming Contest, a team from a North Korean university took eighth place, beating teams from Cambridge, Harvard, Oxford and Stanford.

Those talents have been put to good use. North Korean hackers work around the clock. They are unusually bold when they launch their attacks. Most state actors try to avoid diplomatic backlash and “act like they’re in Ocean’s Eleven: wear white gloves, go in quietly, steal the crown jewels, and leave quietly,” said Jenny Jun of Georgia Tech. North Korea does not “value secrecy — they’re not afraid to make a lot of noise.”

What North Korea is doing with its stolen cryptocurrencies

For the North Korean regime, stolen cryptocurrency has become a lifeline, especially as international sanctions and the coronavirus pandemic have stifled its already limited trade. Crypto theft is a more efficient way to earn hard currency than traditional sources such as overseas labor or illegal drugs. The monitoring body, the United Nations Panel of Experts (UNPE), reported in 2023 that cyber theft accounted for half of North Korea's foreign exchange earnings. The value of North Korea's digital theft last year was more than three times the value of its exports to China. "What a labor force of millions can acquire can be replicated by just a few dozen people," said Mr. Carlsen.

These funds help prop up the North Korean regime. Hard currency is used to buy luxury goods to keep the elite in check. It is also used to build weapons. Much of North Korea’s stolen cryptocurrency is believed to have flowed into its missile and nuclear weapons programs.

Will there be more North Korean hacking attacks in the future?

Cryptocurrency investigators are getting better at tracking stolen funds on the blockchain. Mainstream cryptocurrency exchanges and stablecoin issuers often work with law enforcement to freeze stolen funds. In 2023, the United States, Japan, and South Korea announced a joint operation to combat North Korean cybercrime. The United States has sanctioned several "coin mixing" service providers used by North Korea.

Yet authorities are still a step behind. After the U.S. sanctioned North Korea’s favored coin mixers, hackers turned to other companies offering similar services. Solving the problem requires a multilateral effort by governments and the private sector, but that cooperation has been breaking down. Last year, Russia used its veto power at the United Nations to abolish the U.N. Cybersecurity Capacity Commission. President Donald Trump’s moves to cut U.S. development aid have dealt a blow to programs aimed at building cybersecurity capabilities in vulnerable countries.

North Korea, by contrast, is devoting increasing resources to cybercrime. South Korean intelligence estimates that North Korea’s cybercrime force grew from 6,800 in 2022 to 8,400 last year. Abhishek Sharma of the Observer Research Foundation, an Indian think tank, said North Korea had an increasingly “rich target environment” as the cryptocurrency industry expanded in countries with weaker regulation. Mr. Sharma noted that last year, North Korea attacked exchanges based in India and Indonesia.

North Korea is already known to use AI in its operations. AI tools can help make phishing emails more convincing and easier to craft at scale in multiple languages. They can also make it easier for remote IT workers to infiltrate companies. Bad days like the one Bybit’s Mr. Zhou had may become more common.

