North Korean hackers steal record $2 billion in crypto in 2025

North Korean hackers steal record $2 billion in crypto in 2025
North Korea shifts to fewer, larger crypto attacks in 2025

​North Korean hackers stole at least $2 billion in cryptocurrency in 2025, marking the highest annual total on record and pushing the country’s cumulative haul to roughly $6.75 billion. 

The figure represents a 51% increase from 2024, despite fewer confirmed incidents, highlighting a clear shift toward fewer but significantly larger attacks, reports CoinDesk.

A major contributor was the $1.4 billion Bybit hack in March, which alone accounted for a substantial share of the year’s losses. Unlike most cybercriminal groups, DPRK-linked actors focus overwhelmingly on large, centralized crypto services rather than individual users. In 2025, they were responsible for 76% of all service-level hacks, the highest proportion ever recorded. The data suggest a strategy centered on maximum impact rather than attack frequency. This approach has made North Korea the dominant threat in high-value crypto breaches.

Sophisticated laundering and reliance on regional networks

The laundering behavior of DPRK-linked hackers differs sharply from that of other crypto criminals. Instead of moving stolen funds in large onchain transfers, they consistently break assets into smaller tranches below $500,000, a tactic aimed at reducing detection risk. Chainalysis found heavy reliance on Chinese-language brokers, guarantee services and over-the-counter networks, alongside extensive use of bridges and mixing services. 

Notably, North Korean groups largely avoid DeFi lending protocols, decentralized exchanges and peer-to-peer platforms that are commonly used by other attackers. These patterns point to structural constraints and dependence on specific regional facilitators rather than broad access to global crypto infrastructure. Chainalysis’ Andrew Fierman said the consistency and scale of these laundering workflows suggest the growing use of automation and AI. Such tools likely help coordinate complex, multi-step laundering operations across assets and chains.

A polarized threat landscape for crypto users and services

Post-hack analysis shows that major North Korean thefts typically follow a roughly 45-day laundering window, moving from rapid obfuscation to gradual integration into cash-out channels. While not universal, this recurring timeline offers valuable intelligence for law enforcement and compliance teams seeking to intercept funds early. At the same time, the broader crypto theft landscape is evolving in a different direction. 

Personal wallet compromises surged in number to about 158,000 incidents in 2025, but accounted for just 20% of total value stolen, down from 44% the year before. The dollar amount taken from individual victims fell 52% to $713 million, indicating smaller losses spread across more users. Together, the data point to a polarized environment, with mass, low-value thefts targeting individuals on one end and rare but catastrophic service-level breaches on the other. North Korea remains firmly at the center of the latter.

Recently we wrote that ​a security expert warned at the Devconnect conference in Buenos Aires that up to 20% of all crypto companies may have North Korean workers involved in their operations.

This material may contain third-party opinions, none of the data and information on this webpage constitutes investment advice according to our Disclaimer. While we adhere to strict Editorial Integrity, this post may contain references to products from our partners.
Weekly Top Bonuses
up to $2,500
deposit bonus for all clients
CLAIM BONUS
Your capital is at risk.