North Korean hackers stole more than $2 billion in cryptocurrency in 2025, marking a record year for state-backed crypto crime and pushing the country’s all-time haul to $6.75 billion, according to a new report from blockchain analytics firm Chainalysis.
Despite carrying out fewer attacks, the Democratic People’s Republic of Korea (DPRK) was responsible for 76 percent of all major service compromises during the year, highlighting a shift toward larger, more targeted and more sophisticated thefts, the firm said in its 2026 Crypto Crime Report.
Overall, the cryptocurrency industry suffered over $3.4 billion in thefts between January and early December 2025, with a single breach, the $1.5 billion Bybit hack in February, accounting for nearly half of the annual total.
Chainalysis found that North Korean-linked actors increased the value stolen by 51 percent year-on-year, even as the number of confirmed incidents fell sharply. According to the report, DPRK hackers increasingly embed IT workers inside crypto exchanges, custodians and Web3 firms, granting them privileged access that enables large-scale thefts.
More recently, these actors have expanded their tactics by impersonating recruiters, investors and strategic partners, using fake hiring processes and pitch meetings to harvest credentials and gain access to internal systems.
The result is a theft landscape increasingly driven by extreme outliers. Chainalysis noted that the largest hack in 2025 was more than 1,000 times larger than the median incident, a record gap that underscores the escalating severity of individual breaches. The top three hacks alone accounted for 69 percent of all service losses during the year.
The report also provides new insight into how North Korea launders stolen cryptocurrency at scale. Unlike other cybercriminal groups, DPRK-linked actors tend to move funds in smaller on-chain tranches, with more than 60 percent of transfers falling below $500,000, despite stealing far larger total sums.
Chainalysis identified a clear preference for Chinese-language money laundering services, cross-chain bridges and mixing protocols, suggesting deep integration with Asia-Pacific illicit financial networks. DPRK hackers showed significantly higher use of specialised services such as Huione and over-the-counter guarantee platforms, while largely avoiding lending protocols, decentralised exchanges and peer-to-peer marketplaces.
Following major thefts, stolen funds typically move through a structured, multi-wave laundering process lasting around 45 days, beginning with rapid obfuscation through DeFi protocols and mixers, before transitioning toward exchanges and fiat conversion services.
Chainalysis also reported a sharp rise in personal wallet compromises. In 2025, there were an estimated 158,000 wallet theft incidents, affecting at least 80,000 unique victims, nearly double the number recorded in 2022.
However, the total value stolen from individuals fell to $713 million, down from $1.5 billion in 2024. This suggests that attackers are targeting more users but stealing smaller amounts per victim.
Meanwhile, Ethereum and Tron recorded the highest theft rates when adjusted for active wallets, while networks such as Solana and Base showed comparatively lower victimisation rates.
One of the report’s most notable findings is the continued divergence between DeFi total value locked (TVL) and hack losses. While billions of dollars flowed back into decentralised protocols in 2024 and 2025, losses from DeFi hacks remained subdued, breaking from historical patterns.
Chainalysis attributes this shift to improved security practices, stronger monitoring tools and faster incident response. The firm cited the Venus Protocol incident in September 2025 as a case study, where real-time alerts, rapid governance action and protocol pauses prevented losses and ultimately resulted in the full recovery of stolen funds.
A similar report released a few months ago by blockchain analytics firm Elliptic stated that North Korean hackers have stolen more than $2 billion worth of cryptocurrency so far in 2025, their most profitable year on record. The thefts, which researchers say now make up around 13 percent of North Korea’s total gross domestic product (GDP), highlight a growing shift in strategy by regime-linked hacking groups such as Lazarus Group. Rather than focusing exclusively on cryptocurrency exchanges, hackers are increasingly targeting high-net-worth crypto holders, many of whom lack the robust cybersecurity measures used by large organisations.
Recently, South Korean authorities suspected North Korea’s Lazarus Group was behind the hack last month on Upbit, the country’s largest cryptocurrency exchange. According to a Yonhap report, about $30.4 million in cryptocurrencies were stolen through an abnormal withdrawal. The incident is similar to past attacks linked to Lazarus, raising concerns that North Korea continues to use crypto assets to bypass sanctions and fund its regime.