Last year was the worst on record for crypto hacks, as North Korean groups cash in

Nearly $4 billion was stolen in cyberattacks on cryptocurrency platforms in 2022, fueled in large part by hackers working on behalf of the North Korean government.

Blockchain research firm Chainalysis found that it was a banner year for hackers targeting cryptocurrency firms, with about $3.8 billion in total stolen from companies in the industry, up from $3.3 billion in 2021.

Most of the attacks centered on decentralized finance (DeFi) platforms – which made up more than four in every five victims in 2022. More than $3.1 billion was stolen from DeFi platforms last year.

Chainalysis researchers told The Record that hackers especially targeted cross-chain bridge protocols – tools that let users port their cryptocurrency from one blockchain to another. Of the $3.1 billion stolen from DeFi platforms, 64% came from cross-chain bridge protocols.

“These events target the sinew between blockchains and DeFi projects, and often, they successfully compromise hundreds of millions of USD equivalent value,” they said.


Chainalysis noted that much of the hacking activity was led by groups associated with the North Korean military, which has prioritized cryptocurrency hacks in an effort to fund their nuclear weapons program.

Hackers with North Korea’s Lazarus Group and others were responsible for $1.7 billion worth of cryptocurrency theft in 2022, shattering their own records. Chainalysis noted that in 2020, the country’s total exports were just $142 million, making the crypto hacks a “sizable chunk of the nation’s economy.”

North Korean groups led the way in their targeting of DeFi platforms, making $1.1 billion off of attacks. The U.S. Treasury has openly accused North Korea of being involved in the $100 million hack of Harmony Bridge and in the theft of about $7.8 million from a cryptocurrency platform called Nomad.

The U.S. government has also previously accused North Korean hackers of orchestrating the headline-grabbing attack on Axie Infinity’s Ronin Network, which saw almost $600 million in cryptocurrency stolen.

Hackers from the country used cryptocurrency mixing service Tornado Cash through much of last year to launder funds, but in August the U.S. Treasury Department sanctioned the company.

The government reissued sanctions on the company in November, accusing the platform of helping North Korean government hackers launder more than $455 million stolen in March 2022.

Following the sanctions, Chainalysis found that North Korean actors began to diversify their use of mixing services. While some funds are still laundered through Tornado Cash, the country’s hackers also use services like Sinbad, a relatively new Bitcoin mixer.

“As we’ve seen in many North Korea-directed hacks, the hackers bridge the stolen funds from the Ethereum blockchain — including a portion of the funds stolen in the Axie Infinity hack — to Bitcoin, then send that Bitcoin to Sinbad,” Chainalysis researchers said. 

In December and January, North Korea-linked hackers sent $24.2 million worth of Bitcoin to Sinbad.

The researchers said there is no indication that cryptocurrency hacks will slow down in 2023. 

“However, over time we hope to see hacking decrease not just as it becomes more difficult to steal funds, but also launder and cash them out, given the transparency of the blockchain,” they said.

“Similar to how our industry came together after the endless hacking of centralized exchanges in 2019, we need to do the same in DeFi. Given the losses and the promise of DeFi as an antidote to some of the shortcomings that lead to the collapse of FTX, I believe we’ll see a great deal of collaboration and progress in this space.”

The report from Chainalysis coincided with a hack on a cryptocurrency platform named BonqDAO, in which $120 million was allegedly stolen.

The company did not respond to requests for comment but confirmed on Twitter that the Bonq protocol had been hacked.

Blockchain research firm PeckShield confirmed to The Record that they believe $98 million worth of the Bonq Euro (BEUR) coin and $11 million in AllianceBlock (ALBT) coin was stolen.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.