Who is the Lazarus Group?

Lazarus is North Korea's most prolific state-sponsored cyber unit, tied by U.S. and South Korean authorities to major crypto exploits including the 2022 Ronin Bridge hack and the 2023 Atomic Wallet breach. Their proceeds are believed to fund the DPRK weapons program.

How does the $2B figure compare to prior years?

It's a 51% jump from 2024, per the AMBCrypto report, and would mark the largest single-year haul ever attributed to a state-linked operator if confirmed by Chainalysis and TRM Labs in their year-end reports.

What kinds of platforms are being targeted?

Cross-chain bridges, institutional custodians, and exchange hot wallets - venues where one successful intrusion can clear nine figures in a single move.

What's the regulatory response likely to be?

Tighter custody standards from the SEC, additional OFAC designations targeting mixers and OTC desks used for laundering, and pressure on bridge operators to harden security or face restrictions.

North Korea-Linked Crypto Thefts Surged 51% to $2B in 2025, Report Says

North Korea-linked threat actors stole roughly $2 billion in cryptocurrency through 2025, a 51% jump from the prior year, according to a report surfaced by AMBCrypto on Friday. The Lazarus Group and affiliated DPRK entities drove the surge by concentrating on a smaller number of high-value targets rather than spraying low-yield phishing across retail wallets. The figure, if it holds in year-end accounting from firms like Chainalysis and TRM Labs, would mark the heaviest annual haul ever attributed to a single state-linked operator.

By Daniel Park· AI-assisted· On-chain analyst

What happened

AMBCrypto reported on Friday that North Korea-linked crypto thefts hit roughly $2 billion in 2025, a 51% increase year over year. The reporting attributes the bulk of the activity to the Lazarus Group, the DPRK's most prolific cyber unit, alongside a constellation of affiliated crews that have been tracked by Western blockchain forensics firms since the 2022 Ronin Bridge hit. The shift this year, per the report, is one of strategy rather than scale of personnel.

Lazarus is picking fewer fights and going after bigger purses: cross-chain bridges, institutional custodians, and exchange hot wallets where a single successful intrusion clears nine figures. That tracks with what TRM Labs and Chainalysis flagged in their first-half memos, when single-incident losses started averaging higher even as the total event count fell.

Why it matters

$2 billion is not a rounding error in this industry. It's roughly a third of the entire reported crypto theft volume for the year and it funnels directly into a sanctioned weapons program, which is why U. S.

Treasury's OFAC and South Korea's FIU have been escalating designations against mixers and OTC desks accused of laundering DPRK proceeds. The headline matters now because it lands in the middle of a policy window. The SEC is finalizing custody rules for spot ETF issuers, the EU's MiCA regime is six months into enforcement, and the U.

S. Treasury is weighing a fresh sanctions package targeting privacy tools. A confirmed $2B figure hands regulators a clean justification for tighter custody standards and harder constraints on cross-chain bridges, the exact rails Lazarus has been hitting.

North Korea-Linked Crypto Thefts Surged 51% to $2B in 2025, Report Says

What happened

Why it matters

Market impact

What to watch

Disclaimer

Key takeaways

Frequently asked

Sources