The post Record $2.02B stolen in 2025 appeared on BitcoinEthereumNews.com.

Record $2.02B stolen in 2025

Rising blockchain adoption and higher digital asset prices have coincided with a sharp escalation in DPRK crypto theft, reshaping global risk across centralized services, DeFi, and personal wallets.

Over $3.4 billion stolen in 2025 as crypto theft shifts

According to a new report by Chainalysis, the crypto sector saw more than $3.4 billion stolen between January and early December 2025, with the Bybit breach in February alone responsible for $1.5 billion. However, behind this headline figure, the structure of crypto crime has changed markedly across just three years.

Moreover, personal wallet compromises have surged as a share of overall theft. They rose from 7.3% of stolen value in 2022 to 44% in 2024. In 2025, they would have accounted for 37% of total losses if the Bybit compromise had not so heavily distorted the data.

Centralized services, despite deep resources and professional security teams, continue to suffer increasingly large losses driven by private key compromises. While such incidents occur infrequently, they remain devastating. In Q1 2025, they represented 88% of all losses, underscoring the systemic risk created by single points of failure.

That said, the persistence of high theft volumes shows that despite better practices in some segments, attackers can still exploit weaknesses across multiple vectors and platforms.

Outlier mega-hacks dominate crypto theft

Crypto theft has always skewed toward a handful of outsized breaches, but 2025 set a new extreme. For the first time, the ratio between the largest hack and the median incident surpassed 1,000x, based on the U.S. dollar value of funds at the time of theft.

As a result, the top three hacks in 2025 accounted for 69% of all service losses. While incident counts and median losses tend to move with asset prices, the scale of individual outliers is rising even faster. This concentration risk means that a single compromise can now reshape annual loss statistics for the entire industry.

North Korea leads global crypto theft landscape

The Democratic People’s Republic of Korea (DPRK) remains the most consequential nation-state actor in digital asset crime. In 2025, North Korean hackers stole at least $2.02 billion worth of cryptocurrency, an increase of $681 million over 2024 and a 51% year-over-year rise in value taken.

These operations made 2025 the worst year on record for DPRK-linked theft by value. Moreover, DPRK attacks represented a record 76% of all service compromises, pushing the lower-bound cumulative total stolen by Pyongyang-linked actors to $6.75 billion. Notably, this record haul came despite an assessed sharp reduction in confirmed incidents.

North Korean operators increasingly exploit one of their core vectors: embedding IT workers inside exchanges, custodians, and web3 companies.

Once inside, these workers can cultivate privileged access, ease lateral movement, and eventually orchestrate large-scale thefts. The Bybit attack in February 2025 likely amplified the impact of this infiltration model.

However, DPRK-linked groups have also adapted their social engineering tactics. Rather than simply applying for jobs, they now frequently impersonate recruiters for prominent web3 and AI firms, staging elaborate fake hiring processes. These often end with “technical screens” that trick targets into handing over credentials, source code, or VPN and SSO access to their current employers.

At the executive level, similar social engineering campaigns feature bogus outreach from supposed strategic investors or acquirers.

Pitch meetings and pseudo–due diligence processes are used to probe for sensitive system details and map access paths into high-value infrastructure. This evolution builds directly on earlier IT worker fraud schemes and highlights a tighter focus on strategically important AI and blockchain businesses.

Throughout 2022–2025, DPRK-attributed hacks consistently occupy the highest value bands, while non–nation-state actors show more normal distributions across incident sizes. That pattern indicates that when North Korea strikes, it prefers large centralized services and aims for maximum financial and political impact.

One striking feature of 2025 is that this record total was achieved with far fewer known operations.

The enormous Bybit breach appears to have allowed DPRK-linked groups to execute a small number of extremely lucrative attacks instead of a larger volume of mid-sized compromises.

Distinctive DPRK cryptocurrency laundering patterns

The unprecedented influx of stolen assets in early 2025 provided unusually clear visibility into how Pyongyang-linked actors move funds at scale. Their cryptocurrency laundering patterns are significantly different from those of other criminal groups and continue to evolve over time.

DPRK outflows show a distinctive bracketing structure. Slightly over 60% of volume travels in transfers below $500,000, whereas other stolen fund actors send more than 60% of their flows on-chain in tranches between $1 million and $10 million+.

Despite typically stealing larger totals, DPRK groups break payments into smaller segments, suggesting a deliberate attempt to evade detection through more sophisticated structuring.

Furthermore, DPRK actors consistently favor specific laundering touchpoints.

They rely heavily on Chinese-language money movement and guarantee services, often operating through loosely connected networks of professional launderers whose compliance standards can be weak. They also make extensive use of cross-chain bridge and mixing services, along with specialized providers such as Huione, to increase obfuscation and jurisdictional complexity.

By contrast, many other criminal groups prefer lending protocols, no-KYC exchanges, P2P platforms, and decentralized exchanges for liquidity and pseudonymity. DPRK entities show limited integration with these areas of DeFi, underlining that their constraints and objectives differ from those of typical financially motivated cybercriminals.

These preferences indicate that DPRK networks are tightly linked with illicit operators across the Asia-Pacific region, especially in China-based channels that provide indirect access to the global financial system. This matches Pyongyang’s wider history of using Chinese intermediaries to sidestep sanctions and move value offshore.

The 45-day laundering cycle after DPRK crypto theft

On-chain analysis of DPRK-linked thefts between 2022 and 2025 reveals a relatively stable, multi-wave laundering cycle lasting around 45 days. While not all operations follow this timeline, it appears repeatedly when stolen funds are actively moved.

Wave 1, spanning days 0 to 5, focuses on immediate layering. DeFi protocols see intense spikes in stolen fund flows as initial entry points, while mixing services record large volume jumps to create the first layer of obfuscation. This flurry of movement is designed to push funds away from easily identified source addresses.

Wave 2, covering days 6 to 10, marks the start of integration into the broader ecosystem. Exchanges with limited KYC controls, some centralized platforms, and secondary mixers begin to receive flows, often facilitated by cross-chain bridges that fragment and complicate transaction trails. This phase is critical, as funds transition toward potential off-ramps.

Wave 3, running from days 20 to 45, features the long tail of integration. No-KYC exchanges, instant swap services, and Chinese-language laundering services emerge as major endpoints. Centralized exchanges also increasingly receive deposits, reflecting efforts to blend illicit proceeds with legitimate trade flows, often through operators in less regulated jurisdictions.

This broad 45-day window provides valuable intelligence for law enforcement and compliance teams seeking to disrupt flows in real time. However, analysts note important blind spots: private key transfers, certain OTC crypto-for-fiat deals, or fully off-chain arrangements can remain invisible unless paired with additional intelligence.
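The transfer-size bracketing and the three laundering waves described above can be turned into a simple triage profile for outflows from theft-linked addresses. The following is an added example, not code from Chainalysis or the original article; the function names, category labels, sample transfers, and the 60% flag threshold are assumptions derived from the figures quoted in the text.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Wave boundaries in days since theft, as given in the article.
# Days 11-19 fall in no wave and are reported under the key None.
WAVES = {1: (0, 5), 2: (6, 10), 3: (20, 45)}
SMALL_TRANSFER_USD = 500_000  # article: >60% of DPRK volume moves below this size
SMALL_SHARE_FLAG = 0.60       # illustrative threshold (assumption, not a validated rule)

def wave_for_day(day):
    """Return the wave number for a day offset, or None if outside every wave."""
    for wave, (start, end) in WAVES.items():
        if start <= day <= end:
            return wave
    return None

def profile_outflows(theft_time, transfers):
    """Summarise outflows from theft-linked addresses.

    transfers: iterable of (timestamp, usd_value, destination_category).
    """
    by_wave = defaultdict(lambda: defaultdict(float))
    total = small = 0.0
    for ts, usd, category in transfers:
        day = (ts - theft_time).days
        if day < 0:
            continue  # predates the theft, so not part of the laundering trail
        total += usd
        if usd < SMALL_TRANSFER_USD:
            small += usd
        by_wave[wave_for_day(day)][category] += usd
    small_share = small / total if total else 0.0
    return {
        "total_usd": total,
        "small_share": small_share,
        "structuring_flag": total > 0 and small_share >= SMALL_SHARE_FLAG,
        "by_wave": {w: dict(c) for w, c in by_wave.items()},
    }

# Constructed sample data (not real transactions).
T0 = datetime(2025, 1, 1)
SAMPLE = [
    (T0 + timedelta(days=1), 400_000, "mixer"),
    (T0 + timedelta(days=3), 450_000, "defi"),
    (T0 + timedelta(days=8), 300_000, "bridge"),
    (T0 + timedelta(days=15), 1_000_000, "unknown"),  # gap between waves 2 and 3
    (T0 + timedelta(days=30), 350_000, "no_kyc_exchange"),
    (T0 + timedelta(days=40), 480_000, "instant_swap"),
    (T0 - timedelta(days=2), 900_000, "exchange"),    # before the theft: ignored
]

if __name__ == "__main__":
    report = profile_outflows(T0, SAMPLE)
    print(f"small-transfer share: {report['small_share']:.2%}")
    print(f"structuring flag: {report['structuring_flag']}")
    for wave, cats in report["by_wave"].items():
        print(wave, cats)
```

A profile like this only covers on-chain movement; the blind spots noted above (private key transfers, OTC deals, off-chain arrangements) produce no transfers for it to count.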

Personal wallet compromises surge in volume

Alongside high-profile service breaches, attacks on individuals have escalated sharply. Lower-bound estimates show that personal wallet compromises represented about 20% of total value stolen in 2025, down from 44% in 2024, yet still reflecting large-scale damage.

Incident counts nearly tripled from 54,000 in 2022 to 158,000 in 2025. Over the same period, the number of unique victims doubled from roughly 40,000 to at least 80,000. These increases likely mirror broader user adoption of self-custodied assets. For example, Solana, one of the chains with the most active personal wallets, recorded about 26,500 affected users, far more than other networks.

However, the total dollar value lost by individuals fell from $1.5 billion in 2024 to $713 million in 2025. This suggests attackers are spreading efforts across many more victims while extracting smaller sums per account, potentially to reduce detection risk and exploit less sophisticated users.

Network-level crime metrics illuminate which chains currently present the greatest user risk. In 2025, when measuring theft per 100,000 wallets, Ethereum and Tron show the highest crime rates. Ethereum’s vast scale combines high incident counts with elevated per-wallet risk, whereas Tron displays a relatively high theft rate despite a smaller active base. By contrast, Base and Solana show lower rates even though their user communities are sizable.

These differences indicate that personal wallet compromises are not evenly distributed across the ecosystem. Factors such as user demographics, dominant application types, local criminal infrastructure, and education levels likely influence where scammers and malware operators focus their efforts.

The decentralized finance sector exhibits a notable divergence between market growth and security outcomes. Data from 2020 through 2025 confirm three clear phases in the relationship between DeFi total value locked (TVL) and hack-related losses.

In Phase 1, from 2020 to 2021, TVL and losses rose in tandem as the early DeFi boom attracted both capital and sophisticated attackers. Phase 2, covering 2022 to 2023, saw both TVL and losses retreat as markets cooled. However, Phase 3, spanning 2024 and 2025, marks a structural break: TVL has recovered from 2023 lows, but hack volumes remain comparatively subdued.

This divergence implies that DeFi security improvements are starting to have a measurable effect. Moreover, the simultaneous rise of personal wallet attacks and centralized exchange hacks hints at target substitution, with threat actors shifting resources toward areas perceived as easier to compromise.

Case study: Venus Protocol highlights defensive progress

The Venus Protocol incident in September 2025 underscores how layered defenses can meaningfully change outcomes. Attackers used a compromised Zoom client to gain a foothold and manipulated a user into granting delegate control over an account holding $13 million in assets.

Under earlier DeFi conditions, such access might have resulted in irreversible losses. However, Venus had integrated a security monitoring platform only a month earlier. That platform flagged suspicious activity roughly 18 hours before the attack and issued another alert when the malicious transaction was submitted.

Within 20 minutes, Venus paused its protocol, halting fund movements. Partial functionality returned after around 5 hours, and within 7 hours the protocol forcibly liquidated the attacker’s wallet. By the 12-hour mark, all stolen funds had been recovered and normal operations resumed.

In a further step, Venus governance approved a proposal to freeze approximately $3 million in assets still under the attacker’s control. The adversary ultimately failed to profit and instead incurred net losses, showcasing the growing power of on-chain governance, monitoring, and incident response frameworks.

That said, this case should not breed complacency. It demonstrates what is possible when protocols invest early in monitoring and rehearsed playbooks, but many DeFi platforms still lack comparable capabilities or clear contingency plans.

Implications for 2026 and the future threat environment

The 2025 data portray a highly adaptive DPRK ecosystem, in which fewer operations can still deliver record outcomes. The Bybit incident, combined with other large-scale compromises, shows how one successful campaign can sustain funding needs for extended periods while groups focus on laundering and operational security.

Moreover, the unique profile of DPRK crypto theft relative to other illicit activity offers valuable detection opportunities. Their preference for specific transfer sizes, heavy reliance on certain Chinese-language networks, and characteristic 45-day laundering cycle can help exchanges, analytics firms, and regulators flag suspicious behavior earlier.

As North Korean crypto hackers continue to use digital assets to finance state priorities and circumvent sanctions, the industry must accept that this adversary operates under different incentives than ordinary financially motivated criminals. The regime’s record-breaking 2025 performance, achieved with an estimated 74% fewer known attacks, suggests that many operations may still be going undetected.

Looking ahead to 2026, the central challenge will be to identify and disrupt these high-impact operations before another Bybit-scale breach occurs. Strengthening controls at centralized venues, hardening personal wallets, and deepening cooperation with law enforcement will be critical to containing both nation-state campaigns and the broader wave of crypto crime.

In summary, 2025 confirmed that while defenses are improving in areas like DeFi, sophisticated actors such as DPRK and large-scale wallet thieves continue to exploit structural weaknesses, making coordinated global responses more urgent than ever.

Source: https://en.cryptonomist.ch/2025/12/19/dprk-crypto-theft-2025/
