North Korea has significantly expanded its cyber-enabled revenue operations in 2025, combining large-scale cryptocurrency theft with widespread employment fraud targeting global technology companies.

New findings from Chainalysis and Amazon show that North Korean threat actors stole more than $2 billion in cryptocurrency this year while simultaneously deploying thousands of fake IT workers to infiltrate Western organizations.

Together, these activities illustrate a coordinated strategy to bypass international sanctions by monetizing access, trust, and digital infrastructure at scale.

North Korea has long relied on cyber operations to generate hard currency, but recent data suggests a marked shift toward fewer, higher-impact attacks paired with persistent insider access.

International sanctions continue to restrict traditional revenue streams, making cybercrime a central pillar of the regime’s financial strategy.

In 2025, this model increasingly blended direct theft, insider access, and social engineering rather than relying solely on external hacking campaigns.

According to Chainalysis, North Korean hackers stole approximately $2.02 billion in cryptocurrency during 2025, accounting for roughly 76% of all service-related crypto compromises this year.

The total amount of cryptocurrency stolen globally in 2025 reached $3.41 billion, slightly higher than 2024, with the $1.5 billion Bybit breach representing the single largest incident.

At the same time, Amazon reported blocking more than 1,800 suspected North Korean IT workers who attempted to obtain remote technical roles using stolen or fabricated identities.

Chainalysis found that North Korean cyber operations increasingly rely on insider access rather than high-frequency external attacks.

Threat actors place operatives inside cryptocurrency exchanges, custodians, and Web3 firms, enabling credential theft, source code access, and transaction manipulation.

They also impersonate recruiters, investors, or acquisition teams to harvest credentials and proprietary information during fake hiring or due-diligence processes.

Amazon’s security teams detected these IT workers using stolen identities, compromised LinkedIn accounts, and U.S.-based accomplices who host company-issued laptops to simulate domestic employment.

The financial impact is substantial. North Korea’s cumulative cryptocurrency theft now totals approximately $6.75 billion.

Beyond direct losses, affected organizations face long-term risks, including intellectual property exposure, regulatory scrutiny, and erosion of trust in remote hiring pipelines.

The growing focus on AI-related roles further increases risk, as these positions often provide access to sensitive models, datasets, and infrastructure.

This campaign demonstrates how nation-state actors are weaponizing legitimate business processes rather than merely exploiting software vulnerabilities.

Remote work, decentralized finance, and global hiring platforms have become attack surfaces themselves.

The convergence of financial crime, insider threat, and identity fraud signals a structural shift in how sanctioned states generate revenue through cyber operations.

“This marks the most severe year on record for DPRK crypto theft in terms of value stolen,” Chainalysis noted, emphasizing the concentration of attacks rather than their frequency.

Amazon CSO Stephen Schmidt highlighted subtle indicators of fraud, such as inconsistent education histories and formatting anomalies in phone numbers, stressing that “small details often reveal large risks.”