
Fact check: Did North Korea steal crypto bit coins recently?

Checked on October 28, 2025

Executive Summary

North Korea-linked cyber groups have been reported to steal between $2.8 billion and $2.84 billion in virtual assets from January 2024 through September 2025, with major activity and a large single heist occurring in early 2025; multiple independent analyses highlight extensive laundering networks through China, Russia, and other overseas actors [1] [2]. Independent blockchain forensics firm reporting places 2025 alone as a record year (over $2 billion stolen), and some analyses aggregate the regime’s cumulative crypto thefts to more than $6 billion historically, showing divergent framings of annual versus cumulative totals [3] [4].

1. Bold Claim Breakdown: Who Says What and When

The main claims across the reports are threefold: (1) North Korea-linked actors stole roughly $2.84 billion in crypto between January 2024 and September 2025, with roughly $1.19 billion in 2024 and $1.65 billion in Jan–Sep 2025; (2) blockchain-forensics firms report over $2 billion stolen in 2025 alone, marking the largest single-year total on record; and (3) some analysts place the cumulative total of DPRK-linked crypto thefts at over $6 billion when past years’ activity is included [1] [8] [3] [4]. These are the recurrent, quantified assertions across the documents provided.

2. Timeline and Scale: What the Numbers Actually Show

The Multilateral Sanctions Monitoring Team (MSMT) and allied writeups date the $2.84 billion figure to a Jan 2024–Sep 2025 window, with the year-by-year split of $1.19 billion (2024) and $1.65 billion (Jan–Sep 2025) emphasized in later summaries [1] [8]. Blockchain forensic firms like Elliptic frame 2025 as an exceptionally large year, citing more than $2 billion stolen that year and calling it the largest annual haul on record, which aligns with the MSMT’s assessment of an escalation in 2025 [3] [4]. Both sets of figures point to an intensification of activity in 2025.

3. The Big Heist[10]: Where Major Losses Came From

Analysts identify a large February 2025 heist as a major contributor to the elevated 2025 totals, with one report specifying a $1.5 billion loss in a single incident that significantly pushed the annual figures upward. That event is attributed in the reports to DPRK-linked hacking groups using sophisticated tactics, cross-chain transfers, and mixing services to move funds rapidly through multiple jurisdictions [11] [4]. A handful of high-value breaches in 2025 account for a disproportionate share of the year’s reported thefts.

4. Laundering Pathways: China, Russia and Overseas Networks’ Roles

All reports highlight extensive laundering networks that include actors and intermediaries in China and Russia, with Chinese nationals allegedly providing forged IDs and cash-out support, and overseas networks facilitating cross-border transfers and cashing out via exchanges or on-ramps. The MSMT and media summaries emphasize the use of foreign financial networks to convert crypto into fiat, often through layered transfers and use of third-country intermediaries to obscure provenance [12] [1]. These laundering channels are central to how stolen assets are monetized.

5. Divergent Aggregations: Annual vs. Historical Totals

A notable divergence appears between annual-window figures (~$2.84 billion for Jan 2024–Sep 2025) and cumulative historical totals (more than $6 billion). Elliptic and allied reporting frame 2025 as the largest single-year haul and present cumulative totals inclusive of earlier years’ activity, while the MSMT report focuses on the recent 2024–2025 window with precise splits. Both are consistent about escalation, but differ in whether they emphasize historical accumulation or the recent surge. This difference affects headline framing.

6. Source Dates, Independence, and Cross-Checks

The MSMT and major media summaries were published in October 2025 (Oct 22–27), providing the most recent official-window accounting [1] [2]. Elliptic’s forensic summaries appeared in early to mid-October 2025 and underscore the 2025 spike and cumulative historical estimates [3] [4]. Multiple, independently timed reports converge on the core finding of large-scale DPRK-linked theft and intensified activity in 2025, increasing confidence in the recent surge despite variations in aggregation and emphasis.

7. Missing Context and Important Caveats

The reports rely on blockchain forensics and sanctions-monitoring investigatory methods, which can confidently trace wallet movements but face limits in attributing thefts and tracing final cash-out endpoints; some attribution relies on linking tactics, infrastructure, and known threat actor profiles. The documents note reliance on third-country intermediaries and forged identities, but do not fully enumerate law-enforcement outcomes, recoveries, or the margin of error in valuation when crypto prices fluctuate. These omissions affect how absolute dollar totals should be interpreted [1] [13] [11].

8. Bottom Line: Verified Theft, Growing Scale, and Open Questions

Across multiple independent analyses and dates in October 2025, the consistent findings are that North Korea-linked actors carried out major crypto thefts, collectively reported around $2.8–2.84 billion in the Jan 2024–Sep 2025 window and over $2 billion in 2025 alone, with some firms placing cumulative historical thefts above $6 billion. What remains open is the precise breakdown between attribution certainty, recoveries, and how much of the stolen value was successfully monetized versus disrupted, which the reports acknowledge but do not fully resolve [1] [3] [2].
