North Korea-Linked Hackers Stole $2.02B in Crypto in 2025

CrowdStrike reports North Korea-linked groups stole $2.02 billion in cryptocurrency in 2025, up 51% from 2024, with proceeds routed to the regime’s military programs.

CrowdStrike’s 2026 Financial Services Threat Landscape Report found hackers linked to North Korea stole $2.02 billion in cryptocurrency in 2025, a 51% increase from 2024. The report states that much of the stolen value was funneled to the regime’s military programs.

The firm attributes the rise in theft to wider use of artificial intelligence by DPRK-linked groups to scale and automate attacks on crypto exchanges, fintech firms and retail banks. CrowdStrike identified two active clusters. FAMOUS CHOLLIMA roughly doubled its activity by using AI-generated identities to penetrate platforms. STARDUST CHOLLIMA used AI-created recruiter profiles and fabricated video meeting environments to contact and compromise fintech employees across North America, Europe and Asia.

CrowdStrike counted 423 financial services victims posted on dedicated leak sites during the report period, a 27% year-over-year increase. Hands-on-keyboard intrusions rose 43% globally, with North America registering a 48% jump. The firm reported that in the first quarter of 2026 North America accounted for more than half of sector intrusions. By Q1 2026 the financial services industry represented 12% of all recorded activity and was the fourth-most-targeted sector.

Independent analytics firm TRM Labs linked DPRK groups to roughly $577 million stolen from the DeFi projects Drift Protocol and KelpDAO through April. CrowdStrike presents the $2.02 billion figure as the total crypto value siphoned by North Korea-linked actors in 2025.

The report describes attacker methods that lowered the barrier to sophisticated social-engineering and account-takeover campaigns. Attackers used AI to create realistic persona profiles, deepfake-style meeting backdrops and scripted interactions to gain trust and credentials, then moved laterally to extract funds or to deploy ransomware and espionage tools.

Adam Meyers, head of counter adversary operations at CrowdStrike, wrote in the report: “Financial services organizations face threats from every direction and AI is making each of them harder to stop. The cost to create convincing identities, automate reconnaissance, and accelerate credential theft is near zero.”

North Korea’s state news agency KCNA rejected the cyber threat claims. CrowdStrike and TRM Labs based their findings on forensic investigations, blockchain tracing and observed intrusion activity recorded across 2025 and into early 2026, and reported an increase in both the volume of incidents and changes in methods linked to AI tools.

Articles by this author