North Korea Crypto Theft Reaches Record Levels in 2025


North Korea's digital operations have reached a new level in 2025. While the country remains heavily sanctioned, it has quietly built one of the most aggressive cyber funding pipelines in the world. Cryptocurrency theft and fake remote-work schemes now sit at the center of that strategy, according to new data from Chainalysis and Amazon.

The numbers are striking. North Korean hackers are believed to have stolen more than $2 billion in cryptocurrency this year alone. At the same time, major tech companies are uncovering a growing wave of North Korean IT workers attempting to infiltrate global firms under false identities. Together, these activities show how the regime is using digital channels to bypass financial restrictions and generate hard currency.

Chainalysis reports that hackers stole a total of $3.41 billion in cryptocurrency globally between January and early December 2025. That figure is slightly higher than the $3.38 billion recorded in 2024. What changed this year is who is responsible for most of the damage.

At least $2.02 billion of the stolen funds are attributed to North Korean threat actors, roughly 59 percent of the global total. Within the subset Chainalysis classifies as major service compromises, North Korea accounted for roughly three quarters of the value stolen. Chainalysis described 2025 as the most severe year on record for North Korea's crypto operations in terms of value stolen.

One attack stands out. The $1.5 billion breach of crypto exchange Bybit represents the single largest incident in the dataset. Investigators attribute that heist to North Korean hackers, reinforcing the country’s role as the most financially impactful actor in the crypto crime ecosystem.

Despite the record value stolen, the overall number of attacks linked to North Korea has declined. Chainalysis believes this is not a sign of reduced capability. Instead, it points to a tactical shift. After the Bybit breach, attackers appear to have slowed new operations to focus on laundering massive amounts of stolen crypto through complex networks.

This pause reflects a growing maturity in North Korea’s cyber playbook. Rather than launching constant attacks, groups are concentrating on extracting maximum value from fewer, high-impact breaches. That approach reduces exposure while increasing returns.

Another trend stands out in the data. North Korean crypto theft is increasingly tied to insider access. Threat actors are no longer relying only on external exploits. Instead, they are embedding themselves directly inside crypto companies and Web3 firms.

Chainalysis says North Korean IT workers are actively seeking jobs at exchanges, custodians, and blockchain startups. Once inside, they can access internal systems, sensitive code, and security controls. That access makes large-scale theft easier and harder to detect.

The tactics go beyond traditional employment fraud. North Korean actors are also posing as recruiters to lure engineers into fake hiring processes. These schemes are designed to harvest credentials, internal documentation, and source code. In other cases, attackers pose as potential investors or acquirers to gather strategic intelligence.

This blending of cybercrime, espionage, and employment fraud creates a multi-layered threat. It also expands the attack surface far beyond crypto wallets and smart contracts.

Amazon’s internal data offers a rare look at how widespread the fake IT worker operation has become. According to Stephen Schmidt, Amazon’s chief security officer, the company has identified and blocked more than 1,800 suspected North Korean IT workers since April 2024.

The pace is accelerating. Schmidt reported a 27 percent quarter-over-quarter increase in detections during 2025. These individuals were attempting to secure high-paying remote roles, often targeting software engineering and AI-related positions.

Amazon relies heavily on automation to detect these attempts. Its AI systems analyze connections to nearly 200 high-risk institutions, unusual application patterns, and geographic inconsistencies. These signals are combined with background checks, credential verification, and structured interviews.

Even with these controls, Schmidt says the tactics are becoming harder to spot. Many applicants use stolen identities belonging to real software engineers. Others hijack LinkedIn accounts or pay for access to established profiles to appear legitimate.

Some operations involve helpers inside the United States. These intermediaries run so-called laptop farms: they host company-issued laptops at U.S. addresses so that the device appears to be used domestically, while the work is actually performed from overseas under the direction of the North Korean state.

AI roles are a growing target. Schmidt noted that North Korean IT workers increasingly apply for machine learning and AI engineering jobs. These roles pay more and often provide access to sensitive systems, proprietary models, and valuable data.

Small details often reveal the fraud. Schmidt highlighted subtle red flags such as phone numbers written in international format with a "+1" prefix, rather than the way a U.S.-based candidate would normally write a domestic number. Educational inconsistencies also appear frequently, including degrees listed from universities that never offered those programs.

Graduation timelines are another warning sign. Some candidates claim to have completed degrees faster than academic schedules allow. Others list overlapping programs that would be impossible to attend simultaneously.
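The resume inconsistencies described above lend themselves to a simple automated pre-screen. The following is an added example, not Amazon's system or code from the article: it flags a self-reported U.S. applicant who lists a "+1" international phone format, a degree claimed in less time than the program plausibly takes, and overlapping programs. The minimum-duration thresholds, the `Applicant`/`Degree` records and the sample applicants are constructed assumptions for illustration.

```python
"""Added example: a hiring-pipeline pre-screen for the red flags described in the
article. Thresholds and sample records are constructed assumptions, not real data."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date
from itertools import combinations

# Assumed minimum plausible duration per degree level, in years (constructed).
MIN_DEGREE_YEARS = {"BS": 3.0, "MS": 1.0, "PHD": 3.0}

# A domestic U.S. number as a U.S.-based candidate would normally write it.
US_DOMESTIC_PHONE = re.compile(r"^\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}$")
# The "+1" international form the article calls out as a (weak) red flag.
US_E164_PHONE = re.compile(r"^\+1[-. ]?\d{3}[-. ]?\d{3}[-. ]?\d{4}$")


@dataclass
class Degree:
    school: str
    level: str  # "BS", "MS" or "PHD"
    start: date
    end: date


@dataclass
class Applicant:
    name: str
    claimed_country: str  # self-reported, e.g. "US"
    phone: str
    degrees: list[Degree] = field(default_factory=list)


def check_phone(app: Applicant) -> list[str]:
    """Flag a self-reported U.S. applicant whose number is not in domestic form."""
    flags: list[str] = []
    phone = app.phone.strip()
    if app.claimed_country.upper() == "US":
        if US_E164_PHONE.match(phone):
            flags.append("phone: '+1' international format for a self-reported US applicant")
        elif not US_DOMESTIC_PHONE.match(phone):
            flags.append("phone: does not match a US dialing pattern")
    return flags


def check_degrees(app: Applicant) -> list[str]:
    """Flag degrees finished faster than plausible and programs that overlap in time."""
    flags: list[str] = []
    for d in app.degrees:
        years = (d.end - d.start).days / 365.25
        minimum = MIN_DEGREE_YEARS.get(d.level.upper())
        if minimum is not None and years < minimum:
            flags.append(
                f"degree: {d.level} at {d.school} claimed in {years:.1f} years "
                f"(assumed minimum {minimum:.0f})"
            )
    # Pairwise check so a long program is compared against every later one,
    # not only its neighbour in start-date order.
    for a, b in combinations(app.degrees, 2):
        if a.start < b.end and b.start < a.end:
            flags.append(f"degree: {a.level} at {a.school} overlaps {b.level} at {b.school}")
    return flags


def screen(app: Applicant) -> list[str]:
    """Return all red flags for one applicant; an empty list means nothing tripped."""
    return check_phone(app) + check_degrees(app)


# Constructed sample applicants (hypothetical names, schools and numbers).
SAMPLE_APPLICANTS = [
    Applicant(
        "A. Example", "US", "(415) 555-0133",
        [Degree("State U", "BS", date(2012, 9, 1), date(2016, 6, 1))],
    ),
    Applicant(
        "B. Example", "US", "+1-415-555-0199",
        [
            Degree("Tech U", "BS", date(2018, 9, 1), date(2020, 1, 1)),   # 1.3 years
            Degree("Other U", "MS", date(2019, 9, 1), date(2021, 6, 1)),  # overlaps the BS
        ],
    ),
]

if __name__ == "__main__":
    for app in SAMPLE_APPLICANTS:
        print(app.name, screen(app) or "no flags")
```

Each signal on its own is weak (plenty of legitimate candidates write numbers in E.164 form), so the output is meant to route an application to manual review, not to reject it; in a real pipeline these checks would sit beside the identity, credential and interview controls the article describes.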

Taken together, the crypto theft data and employment fraud cases point to a single conclusion. North Korea is operating a coordinated digital revenue strategy that blends hacking, insider access, and deception at scale.

This strategy allows the regime to fund operations while avoiding traditional financial controls. It also shifts risk onto private companies, which must now defend not only their systems but their hiring pipelines as well.

As remote work and decentralized finance continue to expand, the attack surface will grow. The challenge for companies is no longer limited to preventing breaches. It now includes verifying who they hire, who they trust, and who has access to their most critical infrastructure.