North Korea has emerged as the third-largest government holder of Bitcoin, amassing approximately 13,562 BTC, currently valued at around $1.12 billion. This significant accumulation is primarily attributed to the state-sponsored hacking collective known as the Lazarus Group, which orchestrated a series of high-profile cryptocurrency thefts, including the unprecedented $1.5 billion hack of the Dubai-based exchange, Bybit, in February 2025.
The Federal Bureau of Investigation has officially attributed the Bybit hack to North Korean cyber actors associated with the Lazarus Group, also referred to as “TraderTraitor.” The breach involved the theft of approximately 400,000 Ethereum tokens, marking it as the largest cryptocurrency exchange hack to date. The stolen assets were subsequently laundered through various blockchain networks and converted into Bitcoin, significantly bolstering North Korea’s cryptocurrency reserves.
The Lazarus Group, active since at least 2007, has been implicated in numerous cyberattacks targeting financial institutions and cryptocurrency platforms worldwide. Its operations have grown more sophisticated over time and rely on techniques such as phishing, malware deployment, and the exploitation of vulnerabilities in decentralized finance platforms. Notably, in March 2022, the group was responsible for stealing $620 million from the Ronin Network, a blockchain platform associated with the online game Axie Infinity.
In the Bybit incident, the hackers exploited a vulnerability in the exchange’s system, enabling them to transfer the substantial sum to addresses under their control. Despite efforts by international authorities and cybersecurity experts to trace and recover the stolen funds, the hackers have successfully laundered a significant portion, complicating recovery efforts. Bybit has acknowledged the breach and is cooperating with global law enforcement agencies to mitigate the impact and enhance security measures.
North Korea’s strategic focus on cryptocurrency theft serves multiple purposes. The regime utilizes these illicit gains to circumvent international sanctions, fund its nuclear and ballistic missile programs, and bolster its struggling economy. The decentralized and pseudonymous nature of cryptocurrencies presents challenges for traditional financial oversight, providing the regime with a means to acquire substantial resources without direct detection.
The international community has expressed growing concern over North Korea’s cyber capabilities and their implications for global financial security. The United Nations has reported that these cyber activities have become a crucial revenue stream for the regime, with estimates suggesting that North Korea has stolen over $2 billion through cyberattacks targeting financial institutions and cryptocurrency exchanges. In response, several countries have imposed sanctions aimed at curbing these illicit activities and are collaborating to enhance cybersecurity measures across critical financial infrastructures.