In 2022 alone, North Korean hackers stole $1.7 billion worth of crypto assets. This year’s total is on track to be the largest annual total ever recorded. The Bybit hack in February, in which attackers stole roughly $1.46 billion, is the largest single theft ever reported and underscores the growing sophistication and determination of North Korean cybercriminals.
The increase in successful cyberattacks fits the pattern of North Korea’s continued pursuit of illicit revenue to fund its regime. This year, the actors expanded their tactics to include identity theft and deception, with the goal of winning lucrative remote technology jobs in markets across the globe, including the US, Europe, Australia and Saudi Arabia. Taken together, these developments mark a major shift in tactics: North Korean cyber actors are now deliberately exploiting weaknesses in both technology and hiring systems to advance their agenda.
North Korean hackers are using increasingly sophisticated technology, including artificial intelligence, to generate deepfakes that let them bypass standard security measures and carry out crypto thefts. This trend raises concerns about the broader implications for cybersecurity across multiple sectors.
The Bybit Hack and Its Implications
Of all the hacks attributed to North Korean cybercriminals, the Bybit hack this past February may be the most noteworthy. Intruders breached the cryptocurrency exchange and stole about $1.46 billion. The size and scope of this theft have drawn the attention of cybersecurity experts and law enforcement agencies around the globe.
Elliptic, a blockchain analytics firm, emphasized the significance of this incident: “The 2025 total already dwarfs previous years and is almost triple last year’s tally, underscoring the growing scale of North Korea’s dependence on cyber-enabled theft to fund its regime.” A theft on this scale causes huge direct financial damage, but beyond that it exposes vulnerabilities across the cryptocurrency ecosystem, which could further undermine investor confidence.
With cryptocurrency prices soaring, individuals have become more tempting targets for cybercriminals. Elliptic points out that “as crypto prices have risen, individuals have become increasingly attractive targets, often lacking the security measures employed by businesses.” Cybercriminals are constantly evolving their tactics and are now turning toward less protected entities, which could lead to more widespread attacks on individual investors.
The Emergence of North Korean IT Workers
Beyond conventional hacking, North Korean actors have shown an alarming pattern of trying to get inside legitimate technology firms. They have been stealing identities, fabricating résumés, and deceiving employers to land well-paid remote jobs. This approach lets them keep earning money without being detected.
Okta has been tracking more than 130 identities associated with facilitators and laborers tied to this scheme. As of mid-2025, these identities had completed over 6,500 first-round job interviews at over 5,000 different companies. Okta placed particular emphasis on the push into new markets: a ready-made, fully trained workforce can get past routine screening controls and exploit hiring pipelines even more effectively. This infiltration is a serious and growing threat to organizations that may unwittingly hire these malicious insiders.
The fact that these North Korean IT workers are paid in stablecoins makes the situation even more complex. OTC traders favor stablecoins because they are pegged to a fixed value, which makes converting cryptocurrency to fiat currency seamless. This mode of payment lets North Korean actors receive funds without detection while giving the workers liquidity.
Advanced Techniques Used by Cybercriminals
North Korean hackers are using more advanced and complex techniques to carry out their cyberattacks. The malicious activity known as “BlackStink” has used sophisticated WebInject tactics to evade standard detection methods. This technique lets attackers programmatically autofill forms and submit them at scale, simulating user behavior and performing automated transactions without the victim’s awareness.
Rapid7’s research tells a dangerous story: threat actors are increasingly targeting and exploiting AWS cloud environments to exfiltrate sensitive information and then extort the victim enterprises. As cloud adoption continues to grow, this shift only emphasizes the need for stronger security measures in cloud infrastructure. Simon Zuckerbraun commented on the implications of these attacks: “This RCE is unusually impactful due to the Axis cloud misconfiguration that could have resulted in automatic exploitation during normal usage of the affected products.”
Researchers from the University of California, Irvine have devised a novel approach that turns a common optical mouse into a covert microphone, allowing it to surreptitiously record and exfiltrate sensitive information from air-gapped networks. This development poses a substantial risk to companies, many of which mistakenly assume that their air-gapped networks are not susceptible to external attack vectors.