By NHI Mgmt Group Editorial TeamDomain: Breaches & IncidentsSource: SwarmneticsPublished October 13, 2025

TL;DR: Elliptic reports that North Korean-linked hackers have stolen $2 billion in crypto in 2025 and $6 billion cumulatively, with bybit accounting for $1.46 billion and roughly 30 other incidents filling out most of the rest. The shift toward targeted social engineering and malware against individuals means custody, identity verification, and endpoint trust assumptions now matter beyond exchange security.


At a glance

What this is: North Korean hackers stole $2 billion in crypto in 2025, with the largest share coming from Bybit and a growing shift toward individuals and smaller organisations as targets.

Why it matters: For IAM and identity practitioners, the story matters because social engineering, device compromise, and trust abuse are now part of the identity problem in crypto custody and high-value account protection.

By the numbers:

  • The majority of the $2 billion stolen by the North Korean hackers this year came from crypto exchange Bybit, which was hit for $1.46 billion in February.
  • North Korea is pouring massive resources into acquiring stolen crypto because of the return it gets; over 10% of its total annual GDP at this point, based on estimates made by the UN.

👉 Read Swarmnetics' analysis of North Korea's 2025 crypto theft campaign


Context

North Korean crypto theft is increasingly an identity and access problem, not just a blockchain or exchange problem. The article describes a threat model that combines social engineering, malware, account takeover, and rapid laundering to move value before defenders can contain it.

For practitioners, the key governance gap is that high-value accounts, employees, and custodial workflows are being targeted through trust relationships and device compromise. That makes identity verification, phishing resistance, endpoint trust, and privileged access controls part of the same control plane, especially where financial assets or signing authority are concentrated.


Key questions

Q: How should organisations protect high-value crypto accounts from social engineering?

A: Use phishing-resistant authentication, separate approval channels from ordinary messaging, and require out-of-band verification for recovery or transfer actions. Treat custodial access as privileged access, not standard user access. The controls must make it difficult for a believable message or fake update to become a valid authorisation path. That is especially important where a single compromise can move large sums.

Q: Why do identity controls matter in crypto theft cases?

A: Because many thefts begin by convincing a person, support team, or operator to authorise an action that looks legitimate. Identity controls determine whether that action is truly trusted. When approval, recovery, and device trust are weakly separated, social engineering can bypass technical safeguards and reach the funds directly. This is why verification design is part of financial security.

Q: What do security teams get wrong about macOS malware detection?

A: They often rely too heavily on static signatures and known binary strings. Many macOS threats hide AppleScript, decrypt payloads at runtime, or fetch second stages after execution, so detection must include behavioral telemetry, persistence hunting, and script execution monitoring.

Q: Who is accountable when stolen crypto is moved through exchanges and mixers?

A: Accountability sits with the organisation that controls the exposed identity, custody workflow, or approval process, and with the operators who failed to design containment fast enough. For regulated environments, that maps to governance over privileged access, transaction approval, incident response, and user verification. The core question is whether the control owner could have prevented or limited the transfer window.


Technical breakdown

Social engineering as the entry point for crypto theft

The article describes a dual-track intrusion model. For individuals and smaller organisations, attackers use impersonation, fake software updates, messaging-app pretexting, and job-offer lures to gain initial trust. That is a classic identity attack path: the adversary does not need to defeat cryptography first if they can persuade a person or compromise a device that already carries authority. In practice, this collapses the boundary between fraud prevention, endpoint security, and account security because the attacker is exploiting human verification failure to reach a privileged financial action.

Practical implication: harden identity verification for high-value users and make suspicious contact channels non-authoritative.

Malware, impersonation, and credential compromise on Apple devices

Elliptic notes the use of NimDoor, a Mac-focused malware strain that can evade built-in protections and supports impersonation of legitimate contacts. That matters because endpoint trust is often treated as a substitute for stronger authentication, especially in smaller teams and personal wallet workflows. Once malware can relay messages or assist with session theft, the attacker can intercept approvals, steal credentials, or steer the victim into a fraudulent update path. The security lesson is that endpoint brand alone is not a trust control; runtime behaviour and authentication strength matter more than platform assumptions.

Practical implication: tie wallet and exchange approvals to phishing-resistant authentication and device posture checks.

Fast laundering shrinks the response window

The report says stolen funds can be moved beyond reach within hours through a network of wallets, exchanges, and mixers. That speed changes the defensive model from recovery to containment. When conversion starts almost immediately after breach detection, teams have to assume that traditional manual review cycles will lag the attack. The architecture problem is not only theft, but irreversible value transfer before freeze requests, chain analysis, or account suspension can take effect. That is why detection latency and automated response are central controls in this threat path.

Practical implication: automate freeze, alert, and escalation workflows for high-value transfers and suspicious wallet activity.


Threat narrative

Attacker objective: The objective is to steal and permanently launder cryptocurrency so the funds can support North Korea’s illicit state programs.

  1. Entry occurs through impersonation, fake updates, phishing, or other social engineering that convinces a target to trust a malicious contact or process.
  2. Escalation follows when the attacker captures credentials, remote access, or transaction approval authority on the victim device or account.
  3. Impact occurs when crypto is transferred, converted, and laundered through wallets, exchanges, and mixers before defenders can intervene.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Crypto theft is now an identity governance problem as much as a financial crime problem. The article shows attackers using social engineering, impersonation, and device compromise to reach transaction authority. That puts identity verification, privileged approval paths, and human trust controls inside the same governance boundary as wallet security. Practitioners should treat high-value crypto access as an identity lifecycle issue, not a pure fraud or endpoint problem.

High-value account protection breaks when trust is anchored in the device or the chat thread. The report’s focus on fake Zoom updates and impersonated contacts shows that attacker success depends on convincing the target that the channel is legitimate. That means control design has to separate authentic communications from ordinary messaging and require stronger proof before any transaction or recovery action. Practitioners should re-check whether their approval workflows can be socially engineered.

Trust-channel compromise is the named failure mode this report exposes. The attacker does not need to defeat every security layer if a trusted channel can be substituted with a believable one. That failure mode spans identity verification, alerting, support workflows, and recovery steps, which is why crypto organisations need tighter verification boundaries. Practitioners should map every path where a human can authorise value movement outside a cryptographically bound process.

Rapid laundering is now part of the attack architecture, not just the aftermath. If value can be dispersed within hours, then response speed becomes a control objective. That shifts emphasis toward pre-authorised containment actions, exchange relationships, and monitoring that can move faster than manual case handling. Practitioners should build for immediate containment, not delayed investigation.

Apple and Mac environments should not be treated as implicit trust zones for high-value workflows. The article’s mention of NimDoor shows that endpoint platform reputation is not a sufficient control. Organisations that handle digital assets need to treat endpoint integrity, message authenticity, and transaction approval as linked control decisions. Practitioners should align endpoint policy with transaction risk, not operating system preference.

From our research:

What this signals

Trust-channel compromise should now be treated as a governance control gap, not just a user-awareness problem. When attackers can impersonate legitimate contacts or software updates, the assurance boundary has already shifted away from the login box and into the approval flow. Practitioners should pair transaction approval with device posture, strong identity proofing, and explicit channel trust rules.

The combination of social engineering and rapid laundering means response design has to assume very short dwell time. Teams that manage treasury, exchanges, or custodial platforms should pre-wire containment with exchanges, incident response, and fraud operations so that suspicious activity can be interrupted before value leaves reach. That is a programme design issue, not just an investigation issue.


For practitioners

  • Segment high-value crypto approval paths Separate transaction approval, recovery, and key-rotation workflows from ordinary support or messaging channels. Require out-of-band verification for every change that can move funds or alter custody roles.
  • Use phishing-resistant identity checks for custodial staff Require hardware-backed authentication and strict step-up verification for employees who can sign, approve, or recover assets. Do not rely on email or chat-based confirmation for sensitive actions.
  • Harden device trust for wallet operations Treat endpoint integrity as a precondition for signing authority, especially on Mac fleets used by finance or treasury staff. Combine device posture checks with transaction limits and alerting.
  • Automate containment for suspicious transfers Pre-authorise freezes, escalation chains, and exchange notification steps so the response starts as soon as suspicious wallet movement appears. Manual triage will usually be too slow against rapid laundering.

Key takeaways

  • North Korea’s crypto theft playbook now blends social engineering, malware, and rapid laundering to defeat both human trust and response speed.
  • The scale is material, with $2 billion stolen in 2025 and $1.46 billion tied to Bybit, showing that exchanges are still prime targets even as individual holders come under pressure.
  • Practitioners should treat high-value crypto workflows as identity and privileged access problems, with phishing-resistant verification, device trust, and automated containment at the centre.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0001 , Initial Access; TA0006 , Credential Access; TA0010 , ExfiltrationThe article centers on phishing, credential abuse, and theft of crypto assets.
NIST CSF 2.0PR.AC-1Identity verification and access control are central to protecting custodial workflows.
NIST SP 800-53 Rev 5IA-2Strong authentication is required for privileged financial and custodial actions.
CIS Controls v8CIS-6 , Access Control ManagementAccess control management is directly relevant to protecting high-value accounts and approvals.
ISO/IEC 27001:2022A.5.15Access control policy is relevant where trust decisions govern asset movement.

Map social engineering and wallet theft paths to these tactics and close the highest-risk entry points first.


Key terms

  • Trust-Channel Compromise: A failure mode where attackers substitute a believable communication or approval channel for the legitimate one. In crypto theft, this often means fake messages, fake updates, or impersonated contacts that trick a user into authorising a transfer or recovery action.
  • Custodial Approval Path: The sequence of checks and identities required before cryptocurrency can be moved, recovered, or rekeyed. When this path is weakly separated from ordinary support channels, social engineering can turn a routine interaction into a high-impact financial event.
  • Rapid Laundering: The practice of converting and dispersing stolen assets quickly across wallets, exchanges, and mixers to reduce the chance of freezing or recovery. The control challenge is not only detecting theft, but doing so before the asset leaves reachable custody.
  • Phishing-Resistant Authentication: Phishing-resistant authentication proves identity without relying on a user to approve a prompt or reveal a reusable secret. It typically binds access to a device, key, or cryptographic proof that an attacker cannot easily reuse or coerce. This approach reduces reliance on human judgment at login time.

What's in the full analysis

Swarmnetics' full report covers the operational detail this post intentionally leaves for the source:

  • Per-target attack patterns showing how social engineering differs between exchanges, individuals, and smaller organisations.
  • The report’s breakdown of laundering behaviour, including how quickly stolen funds are moved through wallets, exchanges, and mixers.
  • Additional examples of malware and phishing techniques tied to North Korean-linked intrusion activity.
  • The article’s source-specific context on why these campaigns are expanding beyond large exchanges into personal and smaller enterprise targets.

👉 The full Swarmnetics article covers attack patterns, laundering behaviour, and the shift toward individual targets.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management in practical terms. It helps identity and security practitioners build control models that fit modern access paths and privileged workflows.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org