North Korea’s Digital Surge: $2B Stolen in Crypto as Amazon Blocks 1,800 Fake IT Workers

North Korea’s cyber operations are accelerating, with cryptocurrency theft and sophisticated identity fraud emerging as key tactics to fund its sanctioned regime. Recent data from blockchain analytics firm Chainalysis and Amazon reveal the scale and sophistication of these activities in 2025.

Crypto Heists Reach Record Levels
According to Chainalysis, North Korean hackers stole over $2 billion in cryptocurrency in 2025, up sharply from $1.3 billion in 2024. This includes high-profile attacks such as the $1.5 billion Bybit heist, marking 2025 as the most financially significant year on record for DPRK-linked crypto theft.

Overall, Chainalysis reports that $3.41 billion in cryptocurrency was stolen globally by hackers this year, with North Korean actors responsible for a staggering 76% of all service compromises. The cumulative amount stolen by DPRK cybercriminals now totals approximately $6.75 billion.

Despite these record sums, the frequency of attacks has declined slightly; analysts suggest North Korea is focusing more on laundering and integrating stolen funds than on launching new operations.

Exploiting Insider Access and Recruitment Schemes
North Korean threat actors are increasingly targeting cryptocurrency exchanges, custodians, and Web3 companies by placing operatives in insider roles. In addition to direct hacks, they frequently pose as recruiters or investors to gather sensitive information, including credentials, source code, and strategic intelligence.

Amazon’s experience highlights the scale of these recruitment schemes. Stephen Schmidt, Amazon’s Chief Security Officer, confirmed that the company has identified and blocked 1,800 suspected North Korean IT applicants since April 2024, representing a 27% quarter-over-quarter increase this year.

“Our AI systems monitor connections to high-risk institutions, application anomalies, and geographic inconsistencies,” Schmidt explained. “We conduct thorough identity verification, including background checks, credential confirmation, and structured interviews.”

Sophisticated Identity Fraud Techniques
North Korean applicants often use stolen identities and enlist local accomplices in the United States to make it appear that they are legitimate employees. They exploit stolen LinkedIn accounts, pay for access to professional profiles, and specifically target high-demand roles such as AI and cybersecurity positions.

Amazon’s CSO highlighted subtle indicators of fraudulent applicants, including inconsistencies in phone number formatting, educational history discrepancies, and false graduation timelines. These red flags are critical in detecting attempts to infiltrate high-value IT roles.

Implications for Global Security
The combination of large-scale cryptocurrency theft and advanced identity fraud illustrates North Korea’s evolving cyber capabilities. By embedding operatives in strategic positions within companies, the regime can extend its reach far beyond traditional cyberattacks, leveraging both digital and human vectors to secure illicit funding and sensitive information.

As North Korea continues to refine these tactics, organizations and governments must enhance their cybersecurity and recruitment verification protocols to counter this growing threat.

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO