TL;DR: Elliptic reports that North Korean-linked hackers have stolen $2 billion in crypto in 2025 and $6 billion cumulatively, with bybit accounting for $1.46 billion and roughly 30 other incidents filling out most of the rest. The shift toward targeted social engineering and malware against individuals means custody, identity verification, and endpoint trust assumptions now matter beyond exchange security.
NHIMG editorial — based on content published by Swarmnetics: $2 Billion in 2025, $6 Billion Total Stolen Crypto for North Korean Hackers as Focus Shifts to Individuals
By the numbers:
- The majority of the $2 billion stolen by the North Korean hackers this year came from crypto exchange Bybit, which was hit for $1.46 billion in February.
Questions worth separating out
Q: How should organisations protect high-value crypto accounts from social engineering?
A: Use phishing-resistant authentication, separate approval channels from ordinary messaging, and require out-of-band verification for recovery or transfer actions.
Q: Why do identity controls matter in crypto theft cases?
A: Because many thefts begin by convincing a person, support team, or operator to authorise an action that looks legitimate.
Q: What do security teams get wrong about macOS malware detection?
A: They often rely too heavily on static signatures and known binary strings.
Practitioner guidance
- Segment high-value crypto approval paths Separate transaction approval, recovery, and key-rotation workflows from ordinary support or messaging channels.
- Use phishing-resistant identity checks for custodial staff Require hardware-backed authentication and strict step-up verification for employees who can sign, approve, or recover assets.
- Harden device trust for wallet operations Treat endpoint integrity as a precondition for signing authority, especially on Mac fleets used by finance or treasury staff.
What's in the full analysis
Swarmnetics' full report covers the operational detail this post intentionally leaves for the source:
- Per-target attack patterns showing how social engineering differs between exchanges, individuals, and smaller organisations.
- The report’s breakdown of laundering behaviour, including how quickly stolen funds are moved through wallets, exchanges, and mixers.
- Additional examples of malware and phishing techniques tied to North Korean-linked intrusion activity.
- The article’s source-specific context on why these campaigns are expanding beyond large exchanges into personal and smaller enterprise targets.
👉 Read Swarmnetics' analysis of North Korea's 2025 crypto theft campaign →
Crypto theft is moving to individuals: what practitioners need to watch?
Explore further
Crypto theft is now an identity governance problem as much as a financial crime problem. The article shows attackers using social engineering, impersonation, and device compromise to reach transaction authority. That puts identity verification, privileged approval paths, and human trust controls inside the same governance boundary as wallet security. Practitioners should treat high-value crypto access as an identity lifecycle issue, not a pure fraud or endpoint problem.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when stolen crypto is moved through exchanges and mixers?
A: Accountability sits with the organisation that controls the exposed identity, custody workflow, or approval process, and with the operators who failed to design containment fast enough. For regulated environments, that maps to governance over privileged access, transaction approval, incident response, and user verification. The core question is whether the control owner could have prevented or limited the transfer window.
👉 Read our full editorial: North Korean crypto theft is shifting from exchanges to individuals