North Korea’s Shift in Cyber Attacks: From Institutions to Wealthy Individuals

North Korea has increasingly turned to cyberattacks as a tool to generate foreign revenue under sanctions. Historically, groups like Lazarus targeted major institutions, but now they focus more on wealthy individuals with crypto holdings, who often lack strong institutional security.

In February 2025, the FBI publicly attributed a $1.5 billion hack of ByBit to North Korean state‑linked hackers, calling the operation “TraderTraitor.” The stolen funds were swiftly converted into Bitcoin and dispersed across thousands of blockchain addresses—indicative of sophisticated laundering efforts.

On the other hand, North Korea continues to exploit older techniques: for example, in March 2022, hackers stole nearly $600 million via the Ronin (Axie Infinity) bridge hack. Additionally, in May 2024, North Korea laundered $147.5 million through the mixer service Tornado Cash.

To further hide the origin, North Korean hackers have transferred stolen crypto to wallets associated with Asian payment firms. They also use fake job offers and recruitment ruses to trick individuals into installing malware, a more personalized, social engineering–based approach.

These cyber operations appear to serve as retaliation against sanctions: by hitting individuals globally and laundering proceeds, the regime can continue funding military or strategic programs while avoiding direct financial blockades.

Globally, this shift has multiple consequences: trust in cryptocurrency declines, regulation tightens, and individuals must now adopt institutional-grade security. For investigators, tracking small-scale thefts across borders demands advanced blockchain analytics and international cooperation.

In conclusion, North Korea’s pivot from institutional to individual targets marks a new phase in state-backed cybercrime. It shows how a regime under sanctions can retool criminal tactics into state strategy—and how personal cybersecurity now increasingly overlaps with global security.

Sources

Reuters. (2025, February 27). FBI says North Korea was responsible for $1.5 billion ByBit hack. Retrieved from https://www.reuters.com/technology/cybersecurity/fbi-says-north-korea-was-responsible-15-billion-bybit-hack-2025-02-27/

Reuters. (2024, May 14). Exclusive: North Korea laundered $147.5 million in stolen crypto in March, say UN experts. Retrieved from https://www.reuters.com/technology/cybersecurity/north-korea-laundered-1475-mln-stolen-crypto-march-say-un-experts-2024-05-14/

Reuters. (2025, September 4). How North Korean hackers are using fake job offers to steal cryptocurrency. Retrieved from https://www.reuters.com/world/asia-pacific/how-north-korean-hackers-are-using-fake-job-offers-steal-cryptocurrency-2025-09-04/

Reuters. (2024, July 15). North Korean hackers sent stolen crypto to wallet used by Asian payment firm. Retrieved from https://www.reuters.com/technology/cybersecurity/north-korean-hackers-sent-stolen-crypto-wallet-used-by-asian-payment-firm-2024-07-15/

Reuters. (2025, February 24). Crypto’s biggest hacks and heists after $1.5 billion theft from ByBit. Retrieved from https://www.reuters.com/technology/cybersecurity/cryptos-biggest-hacks-heists-after-15-billion-theft-bybit-2025-02-24/

FBI / IC3. (2025, February). PSA: North Korea Responsible for $1.5 Billion ByBit Hack. Retrieved from https://www.ic3.gov/psa/2025/psa250226