By NHI Mgmt Group Editorial Team
Published 2026-06-08
Domain: Breaches & Incidents
Source: SumSub

TL;DR: CertiK says North Korean hackers stole $2.06 billion in cryptocurrency in 2025, representing 60% of all crypto theft losses and showing how social engineering, high-value target selection, and rapid laundering now dominate the threat model. The lesson for identity teams is that trust, verification, and withdrawal controls fail together when attacker identity is manufactured at the human boundary.


At a glance

What this is: This is a news analysis of CertiK’s 2025 crypto-theft findings, which show North Korean operators concentrating on high-value targets and using human manipulation as a primary entry path.

Why it matters: It matters because identity programmes need to govern borrowed identities, remote access, and privileged transaction flows as one problem across human, NHI, and fraud-control domains.

By the numbers:

  • $2.06 billion stolen by North Korean operators in 2025, about 60% of all crypto theft losses for the year (CertiK).
  • $6.75 billion across 263 incidents attributed to the same operators over the past decade.
  • In the Bybit case, more than 86% of the stolen ETH was converted into Bitcoin within a month.

👉 Read Sumsub’s analysis of North Korean crypto theft and identity abuse


Context

Crypto theft is not just a wallet-security problem. It is an identity problem because attackers increasingly win by impersonating legitimate people, vendors, recruiters, and counterparties before they ever touch a signing key, a bridge, or a hot wallet. In this case, CertiK says the pattern is driven by human manipulation rather than purely technical compromise.

For IAM and NHI teams, that matters because the same programme often governs employee onboarding, contractor access, privileged service access, and transaction approval as separate silos. Once an attacker clears the first of those gates with a convincing identity pretext, every downstream technical control inherits that false trust, and the attacker can pass through them faster than the fraud can be detected.


Key questions

Q: What breaks when social engineering reaches crypto treasury workflows?

A: When social engineering reaches treasury workflows, the failure is not just user deception. It is the collapse of identity assurance before a privileged action is taken. A convincing pretext can lead to approval, signing, or withdrawal access that bypasses technical safeguards. Teams need separate verification for people and for value-moving transactions.

Q: Why do crypto attacks often lead to irreversible loss so quickly?

A: Crypto attacks become irreversible quickly because attackers can move value through multiple wallets and laundering channels faster than many teams can detect and challenge the transaction. Once funds leave the trust boundary, recovery becomes a race against dispersion. The control gap is the lack of delay, review, and transaction-level containment.

Q: How should organisations reduce the risk of borrowed identities in high-value environments?

A: Organisations should require stronger proofing for contractors, job candidates, and vendors, especially where access can affect finance, wallets, or approvals. Borrowed identities succeed when the organisation trusts the relationship more than the person. Liveness checks, callback validation, and role-based access separation reduce that exposure.

Q: Who is accountable when a manipulated identity authorises a major crypto transfer?

A: Accountability sits with the organisation that allowed the identity path to collapse. If a manipulated person, contractor, or vendor could reach transfer authority without step-up checks or segregation of duties, governance failed before the transaction occurred. Frameworks such as NIST CSF and Zero Trust expect verifiable access decisions, not trust by default.


Technical breakdown

Human manipulation as the entry vector

The report’s core message is that many crypto intrusions begin with identity deception, not malware. Attackers pose as investors, trading firms, or job candidates to gain trust, social access, or meeting time. That makes the initial control gap an identity assurance gap, where the organisation has no reliable way to verify whether the person on the call, in the chat, or inside the hiring workflow is who they claim to be. Liveness checks, background verification, and role-aware verification reduce that exposure because they interrupt pretexting before privileged relationships are formed.

Practical implication: strengthen identity proofing for high-risk touchpoints such as hiring, vendor onboarding, and remote contractor access.

Why crypto theft becomes an access problem

Once a social-engineering foothold exists, attackers aim for the credentials or approvals that let them move value. In crypto environments that usually means signing access, treasury workflows, hot-wallet administration, bridge controls, or internal systems that can authorise transfers. The governance failure is not just weak authentication. It is the absence of privilege separation around transaction authority, so one compromised identity can trigger a high-impact action with little friction. Zero trust helps only when privileged actions are explicitly gated, logged, and reviewable across the full transaction path.

Practical implication: separate identity verification from transaction authorisation and require step-up controls for value-moving actions.

Rapid laundering turns identity compromise into irreversible loss

The report notes that stolen funds are moved quickly through complex laundering channels, and in the Bybit case more than 86% of the stolen ETH was converted into Bitcoin within a month. That speed matters because recovery windows shrink sharply once the attacker has withdrawn the assets from the original trust boundary. In identity terms, the incident shows that detection alone is not enough. Controls must delay, segregate, or constrain withdrawals so suspicious actions can be challenged before funds are irreversibly dispersed.

Practical implication: add withdrawal delay, transaction review, and high-risk destination monitoring to treasury governance.
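The three breakdown points above (separating verification from transaction authority, step-up controls for value-moving actions, and delay plus destination checks on withdrawals) can be expressed as one policy gate in front of the signing path. The following Python is an added illustration written for this article; it is not code from CertiK, Sumsub, Bybit or any exchange, and the thresholds, addresses, identities and timestamps are constructed assumptions. Hard failures (separation of duties, missing independent approvals) deny outright; risk signals (a newly seen destination, a large amount) impose a timelock so the transfer can be challenged before funds leave the trust boundary.

```python
"""Transaction-authority gate for a treasury withdrawal path.

Added illustration for this article; not code from CertiK, Sumsub or any
exchange. Every threshold, address, identity and timestamp below is
constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Constructed policy values (assumptions, not figures from the article).
REVIEW_THRESHOLD_USD = 50_000        # at or above this, two independent approvals are required
DELAY_THRESHOLD_USD = 250_000        # at or above this, the transfer is time-locked
WITHDRAWAL_DELAY = timedelta(hours=24)
NEW_DESTINATION_WINDOW = timedelta(days=30)  # first outbound use younger than this counts as "new"


@dataclass
class Transfer:
    request_id: str
    requester: str
    approvers: List[str]      # identities recorded as approving this request
    amount_usd: float
    destination: str
    requested_at: datetime


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)
    release_at: Optional[datetime] = None   # set when a timelock applies


def evaluate_transfer(t: Transfer, first_seen: Dict[str, datetime],
                      allowlist: Set[str], now: datetime) -> Decision:
    """Decide whether a value-moving action may execute right now."""
    reasons: List[str] = []
    hard_fail = False

    # Separation of duties: the requester may never count as an approver.
    approvers = set(t.approvers)
    if t.requester in approvers:
        reasons.append("requester also approved the request (separation of duties)")
        hard_fail = True
    approvers.discard(t.requester)

    # Dual approval at or above the review threshold.
    if t.amount_usd >= REVIEW_THRESHOLD_USD and len(approvers) < 2:
        reasons.append(f"{len(approvers)} independent approval(s); 2 required at or above "
                       f"{REVIEW_THRESHOLD_USD} USD")
        hard_fail = True

    # Destination risk: a newly seen, non-allowlisted address always gets a timelock.
    needs_delay = False
    seen_at = first_seen.get(t.destination)
    is_new = seen_at is None or (t.requested_at - seen_at) < NEW_DESTINATION_WINDOW
    if is_new and t.destination not in allowlist:
        reasons.append("destination newly seen and not allowlisted")
        needs_delay = True
    if t.amount_usd >= DELAY_THRESHOLD_USD:
        reasons.append(f"amount at or above delay threshold {DELAY_THRESHOLD_USD} USD")
        needs_delay = True

    if hard_fail:
        return Decision(False, reasons)
    if needs_delay:
        release_at = t.requested_at + WITHDRAWAL_DELAY
        if now < release_at:
            reasons.append(f"held until {release_at.isoformat()}")
            return Decision(False, reasons, release_at)
        return Decision(True, reasons, release_at)
    return Decision(True, reasons)


def demo() -> Dict[str, Decision]:
    """Run the gate over constructed requests; returns decisions keyed by scenario."""
    t0 = datetime(2025, 3, 4, 9, 0, tzinfo=timezone.utc)
    first_seen = {"0xvendor": t0 - timedelta(days=200)}   # long-standing payee (constructed)
    allowlist = {"0xcoldstore"}

    routine = Transfer("r1", "alice", [], 20_000, "0xvendor", t0)
    # A manipulated approver "approving" a request they also raised, to a fresh address.
    self_approved = Transfer("r2", "bob", ["bob", "carol"], 5_000_000, "0xfresh", t0)
    # Properly approved but large and to a new address: delayed, not denied.
    large_new = Transfer("r3", "alice", ["carol", "dave"], 300_000, "0xfresh", t0)

    return {
        "routine": evaluate_transfer(routine, first_seen, allowlist, t0),
        "self_approved": evaluate_transfer(self_approved, first_seen, allowlist, t0),
        "new_dest_early": evaluate_transfer(large_new, first_seen, allowlist, t0 + timedelta(hours=1)),
        "new_dest_after_delay": evaluate_transfer(large_new, first_seen, allowlist, t0 + timedelta(hours=25)),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name}: allowed={d.allowed} reasons={d.reasons}")
```

The design point is that the delay is not a denial: a legitimate large transfer to a new counterparty still goes through once the window has elapsed, but the 24 hours give reviewers and destination-risk monitoring a chance to challenge it, which is exactly the window that rapid laundering otherwise removes.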


Threat narrative

Attacker objective: convert trusted access into irretrievable cryptocurrency theft and laundering at scale.

  1. Entry begins with human manipulation, where attackers pose as investors, trading firms, or job candidates to create trusted access to people and processes inside crypto firms.
  2. Escalation follows when the attacker converts that trust into access to privileged workflows, signing paths, or internal approvals that can move assets out of controlled custody.
  3. Impact occurs when stolen assets are rapidly laundered through multiple channels, reducing recovery opportunity and turning identity compromise into permanent financial loss.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Human manipulation is now a first-class identity attack, not a side tactic. CertiK’s findings show that North Korean operators do not need to break crypto systems first. They first break trust by convincing staff, recruiters, or vendors that the attacker belongs inside the workflow. That means identity programmes must treat proofing, liveness, and role validation as security controls, not admin steps. Practitioners should reclassify social engineering as an access-path problem, not just a fraud awareness issue.

Crypto theft exposes a standing-privilege problem that looks different from traditional IAM risk. When treasury systems, hot wallets, and bridge operations remain reachable through persistent approvals or weak separation of duties, one compromised identity can move money at machine speed. The control gap is not merely weak authentication. It is the absence of tightly bounded transaction authority around value-moving actions. Practitioners should assume that any identity able to approve transfers has become a high-value privileged asset.

Rapid laundering creates an identity blast radius that outpaces standard incident workflows. Once stolen funds are converted and dispersed quickly, the loss chain is no longer confined to the initial compromised account. It spreads across wallets, exchanges, vendors, and internal approvers who all sit inside the same trust fabric. That is why crypto governance needs to be designed as a chain of verifiable identity decisions, not a single login event. Practitioners should narrow the window between suspicious access and asset movement.

Borrowed identities are becoming a durable attack layer across human and machine trust zones. The report’s warning about AI-enhanced social engineering points to a future where attackers scale identity pretexts faster and with better credibility. That does not turn the problem into autonomous-agent risk, but it does intensify NHI exposure because credentials, API access, and operational privileges are often reachable through the same weak human approval process. Practitioners should treat identity verification as a unified control plane across people, contractors, and privileged machine access.

From our research:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
  • That confidence gap points directly to the next control discussion in Top 10 NHI Issues, where visibility, rotation, and privilege creep sit at the centre of operational risk.

What this signals

Identity assurance now sits on the same risk path as wallet security. When attackers can enter through a human pretext and exit through a transaction path, the programme boundary has been drawn too narrowly. Teams should expect stronger convergence between fraud controls, identity proofing, privileged access governance, and treasury operations because the attack chain crosses all four.

Borrowed identities are a governance signal, not just an abuse case. As AI-assisted social engineering improves, the number of credible-looking external identities will rise faster than manual review capacity. That makes high-risk workflows more dependent on proofing, callback controls, and transaction friction than on user awareness alone.

The next maturity step is to treat the identity layer as a containment mechanism for value movement, not just for login access. In practice, that means aligning privileged approvals, anomaly detection, and withdrawal controls to the same policy model rather than leaving them in separate operational silos.


For practitioners

  • Tighten identity proofing for high-risk onboarding points: Require liveness checks, callback validation, and independent verification for vendors, contractors, recruiters, and remote hires before granting access to sensitive finance or wallet operations.
  • Separate transfer approval from operational access: Split wallet administration, treasury approval, and reconciliation duties so no single identity can both request and authorise a value-moving action.
  • Add delay and challenge controls to withdrawals: Introduce withdrawal delays, dual approval, and destination risk checks for any transfer that exceeds normal behavioural thresholds or touches newly seen wallets.
  • Monitor for social-engineering-to-access patterns: Correlate hiring, vendor onboarding, and support interactions with subsequent privileged access creation, unusual approvals, or off-hours transaction requests.
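The last item in the list is a correlation rule rather than a gate, and it is worth seeing what that correlation looks like over real-shaped events. The Python below is an added illustration written for this article, not a detection from CertiK, Sumsub or any vendor product; the event schema, role names, time windows and the JSON log lines are all constructed assumptions. It links an onboarding event to a privileged role grant that follows within days, and that grant to a transfer request that follows within a week, and separately flags value-moving requests made outside business hours.

```python
"""Correlating onboarding events with later privileged access and value movement.

Added illustration for this article, not a detection from CertiK, Sumsub or
any vendor product. The event schema, role names, windows and the log lines
are all constructed for the example."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed tuning values (assumptions).
PRIVILEGED_ROLES = {"treasury_ops_rw", "wallet_admin", "transfer_approver"}
ONBOARDING_EVENTS = {"contractor_onboarded", "vendor_onboarded", "hire_onboarded"}
VALUE_MOVING_EVENTS = {"transfer_requested", "transfer_approved"}
ONBOARD_TO_PRIVILEGE = timedelta(days=14)   # privilege granted this soon after onboarding is suspicious
PRIVILEGE_TO_TRANSFER = timedelta(days=7)   # ...especially when a transfer follows this quickly
BUSINESS_HOURS_UTC = range(7, 19)           # 07:00-18:59 UTC, Monday to Friday

# Constructed sample log (JSON lines). ext-dev-417 plays the pretext contractor.
SAMPLE_EVENTS = """\
{"ts": "2025-03-01T09:12:00Z", "event": "contractor_onboarded", "subject": "ext-dev-417", "actor": "recruiting", "detail": "remote engineer via referral"}
{"ts": "2025-03-03T10:05:00Z", "event": "role_granted", "subject": "ext-dev-417", "actor": "it-admin", "detail": "treasury_ops_rw"}
{"ts": "2025-03-04T02:41:00Z", "event": "transfer_requested", "subject": "ext-dev-417", "actor": "ext-dev-417", "detail": "amount_usd=900000 dest=0xfresh"}
{"ts": "2024-11-12T11:00:00Z", "event": "contractor_onboarded", "subject": "ext-acct-002", "actor": "procurement", "detail": "audit firm"}
{"ts": "2025-02-20T14:30:00Z", "event": "role_granted", "subject": "ext-acct-002", "actor": "it-admin", "detail": "finance_reporting_ro"}
{"ts": "2025-03-04T15:00:00Z", "event": "transfer_requested", "subject": "emp-alice", "actor": "emp-alice", "detail": "amount_usd=20000 dest=0xvendor"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with timezone-aware datetimes, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(text):
    """Return alerts for onboarding -> privilege -> transfer chains and off-hours transfers."""
    by_subject = defaultdict(list)
    for e in parse_events(text):
        by_subject[e["subject"]].append(e)

    alerts = []
    for subject, evs in by_subject.items():
        onboardings = [e for e in evs if e["event"] in ONBOARDING_EVENTS]
        grants = [e for e in evs if e["event"] == "role_granted" and e["detail"] in PRIVILEGED_ROLES]
        moves = [e for e in evs if e["event"] in VALUE_MOVING_EVENTS]

        # Rule 1: fast track from a fresh external identity to transfer authority and its use.
        for o in onboardings:
            for g in grants:
                if not (timedelta(0) <= g["ts"] - o["ts"] <= ONBOARD_TO_PRIVILEGE):
                    continue
                for m in moves:
                    if timedelta(0) <= m["ts"] - g["ts"] <= PRIVILEGE_TO_TRANSFER:
                        alerts.append({
                            "rule": "fast_track_to_transfer",
                            "subject": subject,
                            "role": g["detail"],
                            "chain": [o["ts"].isoformat(), g["ts"].isoformat(), m["ts"].isoformat()],
                        })

        # Rule 2: value-moving requests outside business hours.
        for m in moves:
            if m["ts"].weekday() >= 5 or m["ts"].hour not in BUSINESS_HOURS_UTC:
                alerts.append({"rule": "off_hours_transfer", "subject": subject,
                               "at": m["ts"].isoformat(), "detail": m["detail"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

Only the pretext contractor trips either rule: the audit firm was onboarded months before receiving a read-only role, and the employee's daytime transfer matches nothing. In practice the onboarding, IAM and treasury events come from different systems, so the useful work is getting them into one subject-keyed timeline; the rules themselves stay simple.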

Key takeaways

  • The main risk is not crypto malware, it is identity deception that creates trusted access to privileged financial workflows.
  • CertiK’s data shows the scale is already systemic, with $2.06 billion stolen in 2025 and $6.75 billion across 263 incidents over a decade.
  • The control that matters most is not awareness alone, but proofing, segregation of duties, and transaction delay before value leaves the trust boundary.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet. Note that PR.AC-* identifiers belong to CSF 1.1; the CSF 2.0 equivalents sit under the PR.AA (Identity Management, Authentication, and Access Control) category, and SP 800-207 has no subcategory numbering of its own.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Credential and access abuse sit at the heart of the theft pattern.
NIST CSF 2.0 | PR.AA-05 (CSF 1.1: PR.AC-4) | The article centres on access control failure across trust boundaries, including least privilege and separation of duties.
NIST Zero Trust (SP 800-207) | Section 2.1, tenets of zero trust (per-session, dynamically enforced authorisation) | Zero trust requires verifiable identity before privileged action.

Review high-risk access paths and remove standing credentials from treasury and wallet workflows.


Key terms

  • Borrowed Identity: A borrowed identity is an account or persona that an attacker uses to appear legitimate without owning the underlying trust relationship. In this article’s context, it includes impersonated investors, recruiters, vendors, or contractors used to gain access to sensitive crypto workflows.
  • Transaction Authority: Transaction authority is the power to approve or execute a value-moving action, such as a transfer or withdrawal. It differs from general system access because the damage happens when an identity can turn access into irreversible financial movement.
  • Identity Assurance: Identity assurance is the confidence that a person or entity is genuinely who they claim to be at the point access is granted. For high-risk crypto workflows, assurance must be strong enough to withstand social engineering, not just password checks or email familiarity.

Deepen your knowledge

Crypto identity assurance and privileged workflow separation are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are trying to govern borrowed identities and value-moving access in the same programme, it is a practical place to start.

This post draws on content published by Sumsub: North Korean hackers linked to 60% of all crypto theft losses in 2025. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org