The crypto industry experienced a major escalation in global cryptocurrency theft in 2025, with losses exceeding $3.4 billion between January and early December, according to a new report from Chainalysis.
The surge was largely driven by North Korea-linked hackers, who were responsible for the majority of stolen funds during the year.
Inside North Korea’s Record $2 Billion Crypto Theft
In its latest report, blockchain analytics firm Chainalysis pointed out that there was a significant decline in the Democratic People’s Republic of Korea’s (DPRK) attack frequency. Still, they achieved a record-breaking year in terms of cryptocurrency theft.
Sponsored
Sponsored
North Korean hackers stole at least $2.02 billion in digital assets in 2025. This marked a 51% year-over-year increase. Compared with 2020 levels, the amount represents a surge of approximately 570%.
Furthermore, the report revealed that DPRK-linked actors were responsible for a record 76% of all service compromises during the year.
Taken together, the 2025 figures push the lower-bound cumulative estimate of cryptocurrency funds stolen by North Korea to $6.75 billion.
Drawing on historical data, Chainalysis determined that the DPRK continues to carry out significantly higher-value attacks than other threat actors.
DRPK vs Other Hackers. Source: ChainalysisAccording to Chainalysis, North Korea-linked hackers are increasingly generating outsized results by placing operatives in technical roles within crypto-related companies. This approach, one of the principal attack vectors, enables threat actors to gain privileged access and execute more damaging intrusions.
In July, blockchain investigator ZachXBT published an exposé claiming that North Korea-linked operatives infiltrated between 345 and 920 jobs across the crypto industry.
Sponsored
Sponsored
Threat actors have also adopted recruitment-style tactics, posing as employers to target individuals already working in the sector.
Furthermore, BeInCrypto recently reported that hackers were impersonating trusted industry contacts in fake Zoom and Microsoft Teams meetings. Using this tactic, they stole more than $300 million.
Chainalysis Maps a 45-Day Laundering Playbook Used by North Korean Hackers
Chainalysis found that North Korea’s laundering behavior differs sharply from that of other groups. The report showed that DPRK-linked actors tend to launder money in smaller on-chain tranches, with just over 60% of volume concentrated below a $500,000 transfer value.
By contrast, non-DPRK threat actors typically transfer 60% of stolen funds in much larger batches, often ranging from $1 million to more than $10 million. Chainalysis said this structure reflects a more deliberate and sophisticated approach to laundering, despite North Korea stealing larger overall amounts.
Sponsored
Sponsored
The firm also identified clear differences in service usage. DPRK-linked hackers show a strong reliance on Chinese-language money movement and guarantee services, as well as bridge and mixing tools designed to obscure transaction trails. They also utilize specialized platforms, such as Huione, to facilitate their laundering operations.
In contrast, other stolen-fund actors more frequently interact with decentralized exchanges, centralized platforms, peer-to-peer services, and lending protocols.
Chainalysis also observed a recurring laundering pattern that typically unfolds over 45 days. In the days immediately after a hack (Days 0-5), North Korea-linked actors prioritize distancing the stolen funds from the source. The report noted a sharp increase in the use of DeFi protocols and mixing services during this initial period.
In the second week (Days 6-10), activity shifts toward services that enable broader integration. Flows begin reaching centralized exchanges and platforms with limited KYC requirements.
Laundering activity persists through secondary mixing services at a reduced intensity. Meanwhile, cross-chain bridges are used to obscure movement.
In the final phase (Days 20-45), there is increased interaction with services that facilitate conversion or cash-out. No-KYC exchanges, guarantee services, instant swap platforms, and Chinese-language services feature prominently, alongside renewed use of centralized exchanges to blend illicit funds with legitimate activity.
Sponsored
Sponsored
Chainalysis emphasized that the recurring 45-day laundering window provides key insights for law enforcement. It also reflects the hackers’ operational constraints and reliance on specific facilitators.
While not all stolen funds follow this timeline, the pattern represents typical on-chain behavior. Still, the team acknowledged potential blind spots, as certain activities, such as private key transfers or off-chain OTC transactions, may not be visible through blockchain data alone without corroborative intelligence.
The 2026 Outlook
Chainalysis’ Head of National Security Intelligence disclosed to BeInCrypto that North Korea is likely to probe for any available vulnerability. While the Bybit, BTCTurk, and Upbit incidents this year suggest that centralized exchanges are facing increasing pressure, tactics could change at any time.
Recent exploits involving Balancer and Yearn also indicate that long-established protocols may be coming under the radar of attackers. He said,
The report also stressed that as North Korea increasingly relies on cryptocurrency theft to finance state priorities and evade international sanctions, the industry must recognize that this threat actor operates under a fundamentally different set of constraints and incentives than typical cybercriminals.
The firm outlined that the key challenge heading into 2026 will be identifying and disrupting these high-impact operations before DPRK-linked actors can execute another incident on the scale of the Bybit hack.
Source: https://beincrypto.com/north-korea-crypto-theft-2025/
