AI vs. DPRK Crypto Theft: Stop Billion-Dollar Drains

A single number should change how every security leader thinks about crypto risk: $2.02 billion. That’s the amount tied to North Korea–linked threat actors stolen in 2025, out of more than $3.4 billion in total crypto theft through early December. One incident—the $1.5 billion Bybit compromise—did most of the damage.

Most companies get this wrong: they treat crypto theft as a “wallet security” problem or a niche Web3 issue. The 2025 data points to something else. This is industrialized cybercrime run like an enterprise, mixing social engineering, IT-worker infiltration, malware, and disciplined money movement. If your defenses are mostly manual—ticket queues, after-the-fact investigations, human-only triage—you’re not “behind.” You’re operating in a different era.

This post is part of our AI in Cybersecurity series, and I’m going to take a stance: AI isn’t optional for defending high-velocity financial systems (crypto exchanges, custodians, fintech rails, and even traditional banks exposed via stablecoins). The attackers have scale, repetition, and time. You need systems that can match that pace.

What the $2.02B figure really tells security teams

Answer first: The big lesson from 2025 is that crypto theft is now a repeatable operation—and repeatable operations are exactly what AI detects best.

Chainalysis reports that DPRK-linked actors accounted for at least $2.02B stolen in 2025, a 51% year-over-year increase, and a record 76% of all service compromises. Cumulatively, the lower-bound estimate of DPRK-linked stolen crypto is now $6.75B.

Two implications matter for enterprises:

1. Service compromise is the main event. Not lost seed phrases. Not one user getting phished. Attackers are compromising the services that move or hold funds.
2. A few outsized incidents dominate losses. When theft concentrates into “whale events,” you need controls that trigger within minutes, not days.

If you’re responsible for security in a crypto-adjacent business, this changes your ROI math. Preventing one catastrophic outflow (or even throttling it) pays for serious modernization.

The attacker playbook isn’t “crypto-specific”—it’s enterprise-grade

North Korea–backed clusters like Lazarus (and the TraderTraitor cluster attributed in reporting around the Bybit incident) don’t win by inventing new blockchain tricks every week. They win by doing classic enterprise intrusion well:

• Social engineering and recruitment lures (for example, job-offer campaigns)
• Malware delivery and credential theft
• Privilege acquisition and lateral movement
• Abuse of legitimate tools and processes
• Monetization via structured laundering

Crypto is the monetization channel. The intrusion methods look a lot like what hits manufacturing, defense, SaaS, and financial services.

The new front door: “Wagemole” and trusted access

Answer first: The fastest way to steal from a service is to become the service—or get someone trusted inside it.

A major theme in 2025 reporting is IT-worker infiltration—North Korea–linked operators placing workers into companies under false identities, sometimes via front companies, to gain access to exchanges, custodians, and Web3 firms. Chainalysis explicitly connects this to the record year, because it accelerates initial access and makes large-scale theft more feasible.

There’s also a visible shift: actors acting as recruiters, approaching freelancers with scripts, asking them to “collaborate,” and pushing them toward credential sharing or remote access tooling. This is modern insider threat: not an employee going rogue, but an access supply chain.

Why this breaks traditional security controls

Most access programs were designed around a simpler assumption: employees are vetted, identities are stable, and privileged access is exceptional.

In an infiltration model:

• Identities are synthetic or borrowed
• Remote work makes “normal” location patterns harder to define manually
• Collaboration tools and contract workflows create legitimate reasons to share access or run remote sessions

AI helps because it can score behavioral consistency across time: how a developer normally authenticates, how their sessions look, what repositories they touch, what systems they never use—until they suddenly do.

Where AI actually stops theft: four control points that matter

Answer first: AI prevents large-scale crypto theft when it’s applied to (1) identity and access, (2) endpoint behavior, (3) transaction anomaly detection, and (4) automated response.

Teams often deploy “AI security” where it’s easiest—alert summarization, chatbot interfaces, prettier dashboards. Useful, but not sufficient. To stop billion-dollar drains, focus AI on the controls that constrain the attacker’s sequence.

1) AI for identity risk: catching infiltration and account takeover

Start with the assumption that attackers will pursue privileged access.

Practical AI detections that work:

• Impossible behavior, not impossible travel: sudden changes in typing cadence, session tooling, shell command patterns, or IDE usage
• Authentication graph anomalies: a user who rarely touches production suddenly requests secrets, modifies signing policies, or accesses withdrawal systems
• Peer group outliers: a contractor behaving unlike other contractors in the same role (time-of-day, systems accessed, code paths)

If you’re running PAM, IAM, or SSO, the goal is a single question answered continuously: “Is this identity acting like itself?”

2) AI on endpoints: detecting stealer malware and tool misuse

The reporting connects real-world investigations to infostealers and compromised machines in the broader ecosystem. Stealers matter because they convert one infection into many downstream compromises.

AI-driven endpoint analytics can catch:

• New credential dumping patterns
• Unusual browser data access and exfil behavior
• Remote control tool chains that don’t match the org’s IT practices
• Process trees consistent with infostealer staging

This is especially relevant in crypto operations where a single admin workstation can become the pivot into signing infrastructure.

3) AI for transaction anomaly detection: slowing or freezing the outflow

This is the bridge point most people miss: even if an attacker gets in, you can still stop the money from leaving.

AI-powered fraud and anomaly models can score withdrawals and transfers using features like:

• Destination novelty (never-before-seen addresses, clusters, or cross-chain routes)
• Withdrawal velocity (spikes in frequency, size, or batching)
• Behavioral mismatch (admin actions preceding unusual withdrawals)
• Cross-chain bridge usage patterns inconsistent with customer behavior

Done well, this enables risk-based step-up controls:

• Add human approval only when the model flags high risk
• Temporarily throttle withdrawal limits
• Require hardware re-attestation or re-signing ceremonies

Your objective isn’t “never alert.” It’s buy time during the first minutes of a heist.

4) AI in security operations: real-time containment instead of post-mortems

The laundering pathways described in reporting are structured across waves and time windows. Attackers rely on defenders being slow.

AI-enabled SOC workflows can:

• Correlate weak signals across IAM + endpoint + transaction systems
• Auto-generate incident timelines that analysts can act on immediately
• Trigger playbooks: revoke sessions, rotate keys, suspend withdrawals, isolate hosts

Automation is the difference between “we noticed” and “we stopped it.”

Money laundering moves fast—your detection has to be faster

Answer first: The laundering pipeline is predictable enough to model, and AI can spot it early—if you instrument for it.

The reporting describes multi-wave laundering over roughly 45 days, including immediate layering via DeFi and mixing, shifting through exchanges and cross-chain bridges, and final integration into fiat or other assets.

Security teams should treat laundering indicators as part of detection engineering, not only compliance:

• Entity and cluster risk scoring (addresses, services, OTC patterns)
• Bridge and mixer interaction heuristics tuned to your customer base
• Graph-based anomaly detection to identify “burst” dispersal patterns

A hard truth: if your monitoring stops at “withdrawal succeeded,” you’re blind during the most actionable window.

A practical AI-driven defense plan (what to do in the next 30 days)

Answer first: You don’t need a moonshot program—start by connecting identity, endpoint, and transaction signals into one response loop.

Here’s what works when you want measurable risk reduction fast.

Week 1: Reduce your blast radius

• Inventory who can initiate or approve withdrawals, signing policy changes, and key/secret access
• Enforce least privilege and time-bound access for sensitive actions
• Add mandatory multi-party approval for high-value or unusual transactions

Week 2: Instrument for AI detection

• Centralize logs from SSO/IAM, endpoints, privileged access, and transaction systems
• Define “normal” baselines by role (ops, engineers, support, contractors)
• Tag high-risk actions (new address allowlisting, withdrawal limit changes, signing policy edits)

Week 3: Deploy models where they matter

• Identity behavior analytics for privileged users
• Endpoint anomaly detection tuned to credential theft and remote tooling
• Transaction anomaly scoring that triggers step-up controls

Week 4: Automate the first 10 minutes

Create playbooks that run automatically when risk thresholds are met:

1. Suspend withdrawals or throttle limits
2. Revoke active sessions and rotate privileged credentials
3. Isolate suspected hosts
4. Trigger an incident bridge with a prebuilt timeline and affected entities

If you can’t do all four, start with withdrawal throttling + session revocation. That combo alone changes outcomes.

Snippet-worthy rule: If an attacker needs 5 minutes to drain funds, your response can’t take 50 minutes to coordinate.

What leaders should ask vendors (and internal teams) about “AI security”

Answer first: If AI can’t reduce time-to-detect and time-to-contain for a real heist scenario, it’s not solving the right problem.

Use these questions to separate substance from slides:

• “Show me how your system correlates identity + endpoint + transaction signals in one incident.”
• “What’s the automated action when risk spikes—do we get an alert, or do we get containment?”
• “How do you handle contractors and remote workers without drowning us in false positives?”
• “Can we implement risk-based step-up controls without blocking legitimate customer flows?”
• “What’s your proof you can detect insider-like behavior from infiltrated IT workers?”

If the answer is mostly about dashboards and summaries, keep looking.

Where this heads next for AI in cybersecurity

The 2025 DPRK-linked theft totals aren’t just a crypto headline. They’re a stress test for every organization that moves value digitally: speed wins. Attackers are combining human deception with operational discipline, then laundering through complex ecosystems that punish slow response.

AI in cybersecurity earns its keep when it does three things at once: detects anomalies early, attributes patterns across systems, and triggers real containment. That’s how you stop a catastrophic incident from becoming a year-defining statistic.

If you’re responsible for security in a financial platform, exchange, custodian, or enterprise with crypto exposure, the most useful question to end on is simple: If a Bybit-scale outflow started in your environment at 2:00 a.m., what would happen in the first five minutes—alerts, or action?