
Crypto theft, human manipulation, and the identity gap teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter  

TL;DR: CertiK says North Korean hackers stole $2.06 billion in cryptocurrency in 2025, representing 60% of all crypto theft losses and showing how social engineering, high-value target selection, and rapid laundering now dominate the threat model. The lesson for identity teams is that trust, verification, and withdrawal controls fail together when attacker identity is manufactured at the human boundary.

NHIMG editorial — based on content published by Sumsub: North Korean hackers linked to 60% of all crypto theft losses in 2025

By the numbers:

Questions worth separating out

Q: What breaks when social engineering reaches crypto treasury workflows?

A: When social engineering reaches treasury workflows, the failure is not just user deception.

Q: Why do crypto attacks often lead to irreversible loss so quickly?

A: Crypto attacks become irreversible quickly because attackers can move value through multiple wallets and laundering channels faster than many teams can detect and challenge the transaction.

Q: How should organisations reduce the risk of borrowed identities in high-value environments?

A: Organisations should require stronger proofing for contractors, job candidates, and vendors, especially where access can affect finance, wallets, or approvals.

Practitioner guidance

  • Tighten identity proofing for high-risk onboarding points. Require liveness checks, callback validation, and independent verification for vendors, contractors, recruiters, and remote hires before granting access to sensitive finance or wallet operations.
  • Separate transfer approval from operational access. Split wallet administration, treasury approval, and reconciliation duties so no single identity can both request and authorise a value-moving action.
  • Add delay and challenge controls to withdrawals. Introduce withdrawal delays, dual approval, and destination risk checks for any transfer that exceeds normal behavioural thresholds or touches newly seen wallets.

What's in the full analysis

Sumsub's full news analysis covers the operational detail this post intentionally leaves for the source:

  • CertiK’s full incident breakdown of the Bybit theft and other high-value crypto cases
  • The report’s laundering-path analysis showing how stolen ETH moved into Bitcoin and across channels
  • Practical recommendations on video interviews, liveness checks, withdrawal delays, and freelancer risk controls
  • The broader 2026 threat trends behind AI-enhanced social engineering and workforce infiltration

👉 Read Sumsub’s analysis of North Korean crypto theft and identity abuse →

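The three practitioner controls above (behavioural thresholds, segregation of duties between requester and approvers, and a time-lock plus dual approval for first-seen destination wallets) combine into one policy decision. The following is an added example written for this thread, not code from the NHIMG post, Sumsub or CertiK; the limits, wallet labels, user names and transfer history are hypothetical and constructed for illustration.

```python
"""Added example: a withdrawal policy check combining behavioural thresholds,
first-seen-destination time-locks and dual approval with segregation of duties.
Policy values, names and the transfer history are constructed, not real data."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import List, Optional, Set


@dataclass(frozen=True)
class Policy:
    absolute_limit: float               # transfers above this are always flagged
    baseline_multiplier: float          # this many times the trailing median is anomalous
    new_destination_delay: timedelta    # time-lock applied to first-seen wallets
    required_approvers: int = 2         # dual approval for any flagged transfer


@dataclass
class Transfer:
    requester: str
    amount: float
    destination: str
    requested_at: datetime
    approvers: Set[str] = field(default_factory=set)


@dataclass
class Decision:
    action: str                         # "execute" or "hold"
    reasons: List[str]
    release_after: Optional[datetime]   # earliest time a flagged transfer may execute


def evaluate_transfer(t: Transfer, history: List[Transfer], policy: Policy, now: datetime) -> Decision:
    """Decide whether a transfer may execute now or must be held for challenge."""
    reasons: List[str] = []

    # Behavioural threshold: absolute limit and deviation from the trailing median.
    if t.amount > policy.absolute_limit:
        reasons.append("amount above absolute limit")
    if history:
        baseline = median(h.amount for h in history)
        if t.amount > policy.baseline_multiplier * baseline:
            reasons.append("amount exceeds %gx trailing median" % policy.baseline_multiplier)

    # Destination risk: a wallet never paid before gets a time-lock.
    release_after = None
    if t.destination not in {h.destination for h in history}:
        reasons.append("first-seen destination wallet")
        release_after = t.requested_at + policy.new_destination_delay

    if not reasons:                     # routine transfer, nothing flagged
        return Decision("execute", reasons, None)

    # Segregation of duties: the requester's own approval never counts, so one
    # manipulated or borrowed identity cannot both request and authorise.
    valid = t.approvers - {t.requester}
    if t.requester in t.approvers:
        reasons.append("requester approval discarded (segregation of duties)")
    if len(valid) < policy.required_approvers:
        reasons.append("needs %d independent approvers, has %d" % (policy.required_approvers, len(valid)))
        return Decision("hold", reasons, release_after)
    if release_after is not None and now < release_after:
        reasons.append("time-lock not yet elapsed")
        return Decision("hold", reasons, release_after)
    return Decision("execute", reasons, release_after)


UTC = timezone.utc
POLICY = Policy(absolute_limit=100.0, baseline_multiplier=5.0, new_destination_delay=timedelta(hours=24))
T0 = datetime(2025, 1, 10, 9, 0, tzinfo=UTC)
# Constructed history: routine payouts of roughly 10 units to two known wallets.
HISTORY = [
    Transfer("alice", 8.0, "0xKNOWN_A", T0 - timedelta(days=5)),
    Transfer("alice", 12.0, "0xKNOWN_B", T0 - timedelta(days=4)),
    Transfer("bob", 10.0, "0xKNOWN_A", T0 - timedelta(days=3)),
    Transfer("bob", 9.0, "0xKNOWN_B", T0 - timedelta(days=2)),
    Transfer("alice", 11.0, "0xKNOWN_A", T0 - timedelta(days=1)),
]


def run_scenario() -> List[str]:
    """A manipulated 'alice' tries to push 500 units to a fresh wallet."""
    req = Transfer("alice", 500.0, "0xFRESH_WALLET", T0, approvers={"alice"})
    first = evaluate_transfer(req, HISTORY, POLICY, now=T0)                          # hold: self-approval only
    req.approvers |= {"bob", "carol"}
    second = evaluate_transfer(req, HISTORY, POLICY, now=T0 + timedelta(hours=2))    # hold: time-lock running
    third = evaluate_transfer(req, HISTORY, POLICY, now=T0 + timedelta(hours=25))    # execute: delay elapsed
    routine = evaluate_transfer(Transfer("bob", 10.0, "0xKNOWN_A", T0), HISTORY, POLICY, now=T0)
    return [first.action, second.action, third.action, routine.action]


if __name__ == "__main__":
    print(run_scenario())
```

The point of the scenario is the failure mode the post describes: even if an attacker fully controls the requesting identity, the requester's approval is discarded, two other people must sign, and a first-seen wallet cannot be paid before the delay elapses, which is the window in which a callback or reconciliation check can catch the manufactured identity.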



(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 2799
 

Human manipulation is now a first-class identity attack, not a side tactic. CertiK’s findings show that North Korean operators do not need to break crypto systems first. They first break trust by convincing staff, recruiters, or vendors that the attacker belongs inside the workflow. That means identity programmes must treat proofing, liveness, and role validation as security controls, not admin steps. Practitioners should reclassify social engineering as an access-path problem, not just a fraud awareness issue.

A few things that frame the scale:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who is accountable when a manipulated identity authorises a major crypto transfer?

A: Accountability sits with the organisation that allowed the identity path to collapse. If a manipulated person, contractor, or vendor could reach transfer authority without step-up checks or segregation of duties, governance failed before the transaction occurred. Frameworks such as NIST CSF and Zero Trust expect verifiable access decisions, not trust by default.

👉 Read our full editorial: North Korean crypto theft shows the identity cost of human manipulation


