Full Report
Threat actors with ties to the Democratic People's Republic of Korea (DPRK or North Korea) have been instrumental in driving a surge in global cryptocurrency theft in 2025, accounting for at least $2.02 billion out of more than $3.4 billion stolen from January through early December. The figure represents a 51% increase year-over-year and $681 million more than 2024, when the threat actors stole
Analysis Summary
# Threat Actor: Lazarus Group (and associated clusters)
## Attribution & Identity
**Attribution:** Democratic People's Republic of Korea (DPRK or North Korea).
**Known Aliases and Associated Groups:**
* TraderTraitor
* Jade Sleet
* Slow Pisces
* Affiliated with Pyongyang's Reconnaissance General Bureau (RGB).
* Associated with front companies like DredSoftLabs and Metamint Studio.
## Activity Summary
DPRK-linked threat actors are responsible for a surge in global cryptocurrency theft in 2025, stealing at least **$2.02 billion** between January and early December. That is a 51% year-over-year increase and $681 million more than in 2024 (roughly $1.34 billion stolen that year), making 2025 the most severe year on record for DPRK crypto theft by value.
**Key 2025 Activities:**
* **Cryptocurrency Theft:** Accounted for $2.02 billion of the more than $3.4 billion stolen globally during the period. DPRK attacks accounted for a record 76% of all service compromises.
* The February compromise of cryptocurrency exchange **Bybit** alone is responsible for $1.5 billion of the total.
* Involvement in the theft of **$36 million** from South Korea's Upbit exchange in the month before the report was published.
* **Operation Dream Job:** A long-running campaign in which prospective employees in the defense, manufacturing, chemical, aerospace, and technology sectors are approached via LinkedIn or WhatsApp with fake job offers and tricked into executing malware.
* **Infiltration:** Embedding IT workers inside global companies under false pretenses, sometimes operating through front companies.
## Tactics, Techniques & Procedures
- **Supply Chain Compromise/Infection:** The Bybit hack is linked to infrastructure associated with a machine infected by Lumma Stealer; the email address `trevorgreer9312@gmail[.]com` is tied to that infrastructure.
- **Job Luring/Social Engineering:** Approaching prospective employees with lucrative fake job opportunities (Operation Dream Job).
- **Fraudulent IT Worker Placement (insider access):** Placing DPRK IT workers inside target organizations under false identities, sometimes via front companies.
- **Specific Malware Used (Associated Campaigns):**
* Lumma Stealer
* BURNBOOK
* MISTPEN
* BADCALL (including a Linux version)
- **MITRE ATT&CK IDs:** The source references only the campaign ID `C0022` (Operation Dream Job); no technique IDs are given.
## Targeting
- **Sectors:** Cryptocurrency exchanges (major targets), defense, manufacturing, chemical, aerospace, and technology sectors (targets of Operation Dream Job).
- **Geography:** Global (based on reported theft sums and various international victim profiles).
- **Victims:** Cryptocurrency exchange **Bybit** ($1.5B compromise); South Korea's **Upbit**.
## Tools & Infrastructure
- **Malware Families Used:** Lumma Stealer, BURNBOOK, MISTPEN, BADCALL.
- **Infrastructure:** Infrastructure associated with the Lumma Stealer-infected machine linked to the Bybit compromise. The only concrete indicator given is the email address `trevorgreer9312@gmail[.]com` (defanged as in the source).
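The report ships its one indicator defanged (`gmail[.]com`), which will never match raw telemetry as written. The following is an added example, not part of the report or any vendor tooling: it refangs indicators in the common styles and scans log lines for them. The log lines are constructed for the example and are not real telemetry.

```python
import re

# The single network indicator the report ties to the Lumma Stealer
# infection connected to the Bybit compromise, as it appears (defanged).
REPORT_IOCS = ["trevorgreer9312@gmail[.]com"]


def refang(ioc: str) -> str:
    """Undo common defanging so the indicator can be matched against raw logs."""
    s = ioc.strip()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    s = re.sub(r"\[at\]|\(at\)|\{at\}", "@", s, flags=re.IGNORECASE)
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s


def find_ioc_hits(log_lines, iocs=REPORT_IOCS):
    """Return (line_number, refanged_ioc) for each log line containing an IOC.

    Matching is case-insensitive: mail addresses are often logged with the
    sender's chosen capitalisation, and a case-sensitive search would miss them.
    """
    needles = [refang(i).lower() for i in iocs]
    hits = []
    for n, line in enumerate(log_lines, start=1):
        low = line.lower()
        for needle in needles:
            if needle in low:
                hits.append((n, needle))
    return hits


# Constructed sample lines (not real data): a mail gateway entry, an IdP
# sign-up that is noise, and a password-reset request naming the address.
SAMPLE_LOGS = [
    "2025-02-19T10:21:07Z mta01 from=<TrevorGreer9312@gmail.com> to=<dev@example.test> status=accepted",
    "2025-02-19T10:22:41Z idp signup user=alice@example.test result=ok",
    "2025-02-19T10:25:13Z idp password_reset requested_for=trevorgreer9312@gmail.com src=203.0.113.7",
]

if __name__ == "__main__":
    for n, ioc in find_ioc_hits(SAMPLE_LOGS):
        print(f"line {n}: matched {ioc}")
```

Feed `find_ioc_hits` the mail-gateway, identity-provider and ticketing exports for the relevant window; a single indicator is thin, so treat a hit as a pivot for further investigation rather than as confirmation of compromise.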
## Implications
The actors are highly successful, with 2025 their most lucrative year for crypto theft ($2.02 billion). Their activities serve two primary goals: generating illicit revenue for the regime in violation of sanctions, and collecting sensitive data. The combination of patient social engineering (Operation Dream Job, fraudulent IT workers) and supply chain compromise against high-value crypto targets shows a mature and adaptive operation rather than opportunistic theft.
## Mitigations
- Apply enhanced identity verification to job applicants sourced via social media platforms such as LinkedIn before they are hired into sensitive roles, and treat unsolicited recruiter contact via LinkedIn or WhatsApp as a phishing vector.
- Deploy endpoint detection and response (EDR) with coverage for the malware families named here (Lumma Stealer, BURNBOOK, MISTPEN, BADCALL, including the Linux variant of BADCALL), and hunt for the email indicator `trevorgreer9312@gmail[.]com` in mail and identity logs.
- Monitor for credential harvesting and data exfiltration by embedded or front-company personnel inside IT and corporate structures, and restrict contractor access to the least privilege the role requires.
- Prioritise hardening of cryptocurrency exchanges and service providers, where the theft value is concentrated ($2.02 billion in 2025, $1.5 billion of it from a single Bybit compromise).