Chainalysis’ 2024 Crypto Crime Report paints a sobering picture of the escalating threat posed by state-sponsored hacking groups. The key takeaway: North Korean-affiliated hackers stole $1.34 billion in cryptocurrency across 47 separate incidents in 2024[reference:2][reference:3]. This represents a 102.88% increase in value stolen compared to 2023, when the group stole $660.50 million across 20 incidents[reference:4].
Total cryptocurrency stolen in 2024 reached $2.2 billion, a 21.07% increase year-over-year[reference:5]. The number of individual hacking incidents rose from 282 in 2023 to 303 in 2024[reference:6]. Notably, the first half of 2024 was particularly intense, with $1.58 billion stolen by July — 84.4% higher than the same period in 2023[reference:7][reference:8]. After July, the pace slowed significantly, possibly due to geopolitical shifts, which we explore later.
APT38 and other North Korean-linked groups were responsible for 61% of all cryptocurrency stolen in 2024[reference:10]. This dominance underscores the group’s increasing sophistication and focus on the crypto sector. The report also notes that attacks between $50 million and $100 million, as well as those exceeding $100 million, occurred far more frequently in 2024 than in 2023, suggesting the group is “getting better and faster at massive exploits”[reference:11].
Chainalysis updates its figures as more illicit addresses are identified. The $1.34 billion figure is a lower-bound estimate — actual stolen amounts may be higher. Always refer to the latest Chainalysis reports for the most current data.
APT38, also known as the Lazarus Group or TraderTraitor, is a North Korean state-sponsored advanced persistent threat (APT) group attributed to the Reconnaissance General Bureau (RGB)[reference:13]. The group’s primary motivation is financial — generating revenue to circumvent international sanctions and fund state programs, including weapons of mass destruction and ballistic missiles[reference:14].
APT38 initially gained notoriety for targeting traditional financial institutions, including the infamous Bangladesh Bank SWIFT heist[reference:15]. In recent years, the group has sharply pivoted to the cryptocurrency sector, recognizing its high liquidity, relative anonymity, and the vulnerabilities present in both decentralized finance (DeFi) and centralized platforms[reference:16].
Chainalysis identified private key compromises as the most exploited vulnerability in 2024, accounting for 43.8% of stolen funds[reference:20][reference:21]. This marks a significant shift from previous years when DeFi smart contract exploits were more common.
While DeFi platforms were the primary targets in prior years, 2024 saw a notable shift toward centralized services in the second and third quarters[reference:22]. Notable breaches include:
APT38 has increasingly used social engineering and supply chain attacks to infiltrate crypto and Web3 companies[reference:27]. North Korean IT workers, using false identities, have been found working as remote contractors at U.S. firms, compromising networks and stealing proprietary information[reference:28]. Chainalysis noted that “some of these events appear to be linked to North Korean IT workers, who have been increasingly infiltrating crypto and web3 companies”.
The group’s malware ecosystem has evolved for cross-platform compatibility (Windows, macOS, Linux), focusing on credential theft and wallet key extraction[reference:30]. Key families include:
After compromising private keys, APT38 employs advanced laundering techniques to obscure transaction trails and convert stolen crypto into fiat currency.
Stolen funds are typically funneled through:
Post-theft, APT38 uses a “flood the zone” tactic for laundering — spreading stolen funds across numerous small transactions and multiple platforms to overwhelm tracking efforts[reference:38].
Understanding these laundering patterns can help investigators and compliance teams flag suspicious activity. For individual users, the takeaway is that once funds are stolen, recovery is extremely difficult.
The scale of APT38’s 2024 thefts has had significant repercussions for the cryptocurrency industry.
The $305 million DMM Bitcoin hack forced the Japanese platform to shut down operations and sell its assets to SBI Group[reference:39]. This illustrates how a single attack can destroy a business. Similarly, the WazirX hack led to the arrest of a suspect in India and raised serious questions about the security of centralized exchanges[reference:40].
The prevalence of North Korean-linked hacks has damaged trust in the crypto industry, particularly among institutional investors and regulators. The fact that 61% of stolen funds in 2024 were attributed to a single state-sponsored group highlights systemic vulnerabilities.
Chainalysis noted a 53.73% drop in daily stolen value after July 2024, which may correlate with North Korea-Russia geopolitical ties following the June summit between Putin and Kim Jong-un[reference:42]. This suggests that geopolitical shifts can directly impact the frequency and scale of crypto heists.
Whether you are an individual investor, a platform operator, or an institutional player, understanding your exposure to APT38-style attacks is critical.
The table below compares APT38 with other notable cryptocurrency threat actors based on 2024 data.
| Threat Actor | Origin | 2024 Theft Amount | Primary Targets | Key Tactic |
|---|---|---|---|---|
| APT38 (Lazarus Group) | North Korea | $1.34 billion | CeFi & DeFi platforms | Private key compromise, social engineering |
| Other North Korean groups | North Korea | Included in $1.34B | Various | Various |
| Ransomware gangs | Global | ~$500 million | Individuals, businesses | Ransomware, extortion |
| Scam operators | Global | ~$400 million | Retail investors | Pig butchering, investment scams |
Note: Figures are estimates based on Chainalysis and other industry reports. Actual amounts may vary.
Use this checklist to assess and improve your security posture against APT38-style threats.
Scenario: CryptoExchange Inc., a medium-sized centralized exchange, notices unusual withdrawal activity from a hot wallet. The activity matches patterns associated with APT38.
Step 1: The security team immediately freezes the affected wallet and halts all withdrawals.
Step 2: They review access logs and discover that an employee's credentials were compromised through a sophisticated phishing attack — a tactic commonly used by North Korean IT workers.
Step 3: The team contacts Chainalysis and law enforcement to trace the stolen funds[reference:47]. They also notify affected users.
Step 4: A post-mortem reveals that the private key for the hot wallet was stored insecurely. The exchange implements multi-signature cold storage for all future operations.
Outcome: While the exchange suffers a financial loss, the rapid response prevents a larger catastrophe. The incident underscores the importance of robust private key management and employee training.
The cryptocurrency ecosystem is a high-value target for sophisticated threat actors like APT38. Loss of funds due to hacking, private key compromise, or platform failure is a real and present danger. This guide is for educational purposes only and does not constitute financial, legal, or security advice.
Before engaging with any cryptocurrency platform or service, consider:
Consult with qualified security and financial professionals for advice tailored to your specific circumstances.