2025 Was a Record Year for North Korea’s Crypto Heists
The crypto industry experienced a major escalation in global cryptocurrency theft in 2025, with losses exceeding $3.4 billion between January and early December, according to a new report from Chainalysis.
The surge was largely driven by North Korea-linked hackers, who were responsible for the majority of stolen funds during the year.
Inside North Korea’s Record $2 Billion Crypto Theft
In its latest report, blockchain analytics firm Chainalysis pointed out that the Democratic People’s Republic of Korea’s (DPRK) attack frequency declined significantly. Even so, DPRK-linked actors achieved a record-breaking year in terms of the value of cryptocurrency stolen.
North Korean hackers stole at least $2.02 billion in digital assets in 2025. This marked a 51% year-over-year increase. Compared with 2020 levels, the amount represents a surge of approximately 570%.
“This year’s record haul came from significantly fewer known incidents. This shift — fewer incidents yielding far greater returns — reflects the impact of the massive Bybit hack in March 2025,” Chainalysis noted.
Furthermore, the report revealed that DPRK-linked actors were responsible for a record 76% of all service compromises during the year.
Taken together, the 2025 figures push the lower-bound cumulative estimate of cryptocurrency funds stolen by North Korea to $6.75 billion.
“This evolution is a continuation of a long-term trend. North Korea’s hackers have long demonstrated a high degree of sophistication, and their operations in 2025 highlight that they are continuing to evolve both their tactics and their preferred targets,” Andrew Fierman, Chainalysis Head of National Security Intelligence, told BeInCrypto.
Drawing on historical data, Chainalysis determined that the DPRK continues to carry out significantly higher-value attacks than other threat actors.
“This pattern reinforces that when North Korean hackers strike, they target large services and aim for maximum impact,” the report reads.
According to Chainalysis, North Korea-linked hackers are increasingly generating outsized results by placing operatives in technical roles within crypto-related companies. This approach, one of the principal attack vectors, enables threat actors to gain privileged access and execute more damaging intrusions.
In July, blockchain investigator ZachXBT published an exposé claiming that North Korea-linked operatives infiltrated between 345 and 920 jobs across the crypto industry.
“Part of this record year likely reflects an expanded reliance on IT worker infiltration at exchanges, custodians, and web3 firms, which can accelerate initial access and lateral movement ahead of large‑scale theft,” the report stated.
Threat actors have also adopted recruitment-style tactics, posing as employers to target individuals already working in the sector.
Furthermore, BeInCrypto recently reported that hackers were impersonating trusted industry contacts in fake Zoom and Microsoft Teams meetings. Using this tactic, they stole more than $300 million.
“DPRK will always seek to identify new attack vectors, and areas where vulnerabilities exist to exploit funds. Combine that with the regime’s lack of access to the global economy, and you end up with a motivated, sophisticated nation state threat that seeks to gain as much capital for the regime as possible. As a result, private key compromises of centralized services have driven significant proportions of exploit volume this year,” Fierman detailed.
Chainalysis Maps a 45-Day Laundering Playbook Used by North Korean Hackers
Chainalysis found that North Korea’s laundering behavior differs sharply from that of other groups. The report showed that DPRK-linked actors tend to launder money in smaller on-chain tranches, with just over 60% of volume concentrated below a $500,000 transfer value.
By contrast, non-DPRK threat actors typically transfer 60% of stolen funds in much larger batches, often ranging from $1 million to more than $10 million. Chainalysis said this structure reflects a more deliberate and sophisticated approach to laundering, despite North Korea stealing larger overall amounts.
The firm also identified clear differences in service usage. DPRK-linked hackers show a strong reliance on Chinese-language money movement and guarantee services, as well as bridge and mixing tools designed to obscure transaction trails. They also utilize specialized platforms, such as Huione, to facilitate their laundering operations.
In contrast, other stolen-fund actors more frequently interact with decentralized exchanges, centralized platforms, peer-to-peer services, and lending protocols.
“These patterns suggest that the DPRK operates under different constraints and objectives than those of non-state-backed cybercriminals. Their heavy use of professional Chinese-language money laundering services and over-the-counter (OTC) traders suggests that DPRK threat actors are tightly integrated with illicit actors across the Asia-Pacific region, and is consistent with Pyongyang’s historical use of China-based networks to gain access to the international financial system,” the firm mentioned.
Chainalysis also observed a recurring laundering pattern that typically unfolds over 45 days. In the days immediately after a hack (Days 0-5), North Korea-linked actors prioritize distancing the stolen funds from the source. The report noted a sharp increase in the use of DeFi protocols and mixing services during this initial period.
In the second week (Days 6-10), activity shifts toward services that enable broader integration. Flows begin reaching centralized exchanges and platforms with limited KYC requirements.
Laundering activity persists through secondary mixing services at a reduced intensity. Meanwhile, cross-chain bridges are used to obscure movement.
“This phase represents the critical transitional period where funds begin moving toward potential off-ramps,” the firm remarked.
In the final phase (Days 20-45), there is increased interaction with services that facilitate conversion or cash-out. No-KYC exchanges, guarantee services, instant swap platforms, and Chinese-language services feature prominently, alongside renewed use of centralized exchanges to blend illicit funds with legitimate activity.
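The 45-day timeline above lends itself to a simple triage model for exchange compliance and incident-response teams. The following is an added Python example, not code from Chainalysis or the report: it buckets a hack’s downstream transfers into the report’s phases, computes the share of volume moved in tranches below $500,000 (the report’s DPRK fingerprint), and lists the hops at which funds reach a service that could freeze them. The phase labels, the destination categories, the treatment of days 11-19 as a transition window, and the sample transfers are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Phase windows in days since the hack, per the Chainalysis timeline.
# Days 11-19 are not named on the page; "transition" is an assumed label.
PHASES = [(0, 5, "distancing"), (6, 10, "integration"),
          (11, 19, "transition"), (20, 45, "cash-out")]
# Destination categories where funds could be frozen on arrival (assumed labels
# for the stablecoin and exchange choke points Fierman describes).
FREEZE_POINTS = {"cex", "low_kyc_exchange", "no_kyc_exchange", "stablecoin_issuer"}
TRANCHE_THRESHOLD = 500_000  # USD, the tranche-size cut used in the report

def phase_of(day):
    """Map a day offset to the laundering phase it falls in."""
    for lo, hi, name in PHASES:
        if lo <= day <= hi:
            return name
    return "outside"

def small_tranche_share(transfers):
    """Share of total volume moved in transfers below $500k (DPRK profile: >60%)."""
    total = sum(t["usd"] for t in transfers)
    small = sum(t["usd"] for t in transfers if t["usd"] < TRANCHE_THRESHOLD)
    return small / total if total else 0.0

def phase_mix(transfers):
    """Volume per (phase, destination category), for comparison with the report."""
    mix = defaultdict(float)
    for t in transfers:
        mix[(phase_of(t["day"]), t["dest"])] += t["usd"]
    return dict(mix)

def freeze_opportunities(transfers):
    """Hops where funds reach a freezable service, with the phase they occur in."""
    return [(t["day"], phase_of(t["day"]), t["dest"], t["usd"])
            for t in transfers if t["dest"] in FREEZE_POINTS]

# Constructed sample flow (not real data): day offset, USD value, destination.
SAMPLE = [
    {"day": 0, "usd": 1_200_000, "dest": "mixer"},
    {"day": 2, "usd": 450_000, "dest": "defi"},
    {"day": 4, "usd": 300_000, "dest": "mixer"},
    {"day": 7, "usd": 250_000, "dest": "low_kyc_exchange"},
    {"day": 9, "usd": 200_000, "dest": "bridge"},
    {"day": 15, "usd": 150_000, "dest": "mixer"},
    {"day": 22, "usd": 400_000, "dest": "stablecoin_issuer"},
    {"day": 30, "usd": 350_000, "dest": "no_kyc_exchange"},
    {"day": 44, "usd": 100_000, "dest": "cex"},
]
```

On the constructed sample, about 65% of volume moves in sub-$500k tranches and four hops (days 7, 22, 30 and 44) land on services where a freeze request could be actioned.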
Chainalysis emphasized that the recurring 45-day laundering window provides key insights for law enforcement. It also reflects the hackers’ operational constraints and reliance on specific facilitators.
“North Korea executes a quick and effective laundering strategy. Therefore, a quick, whole-of-industry response is required in response. Law enforcement and the private sector, from exchanges to blockchain analytics firms, need to coordinate effectively to disrupt any funds as soon as an opportunity exists, whether as funds pass through stablecoins or reach an exchange where funds can be frozen immediately,” Fierman commented.
While not all stolen funds follow this timeline, the pattern represents typical on-chain behavior. Still, the team acknowledged potential blind spots, as certain activities, such as private key transfers or off-chain OTC transactions, may not be visible through blockchain data alone without corroborative intelligence.
The 2026 Outlook
Chainalysis’ Head of National Security Intelligence disclosed to BeInCrypto that North Korea is likely to probe for any available vulnerability. While the Bybit, BTCTurk, and Upbit incidents this year suggest that centralized exchanges are facing increasing pressure, tactics could change at any time.
Recent exploits involving Balancer and Yearn also indicate that long-established protocols may be coming onto attackers’ radar. He said,
“While we can’t say what’s in store for 2026, we do know DPRK will look to maximize return on their target – meaning services with high reserves need to maintain high security standards to ensure they don’t become the next exploit.”
The report also stressed that as North Korea increasingly relies on cryptocurrency theft to finance state priorities and evade international sanctions, the industry must recognize that this threat actor operates under a fundamentally different set of constraints and incentives than typical cybercriminals.
“The country’s record-breaking 2025 performance — achieved with 74% fewer known attacks — suggests we may be seeing only the most visible portion of its activities,” Chainalysis added.
The firm outlined that the key challenge heading into 2026 will be identifying and disrupting these high-impact operations before DPRK-linked actors can execute another incident on the scale of the Bybit hack.
