North Korean hackers stole more than $2bn in cryptocurrency in 2025, marking a record year for state-linked crypto crime and pushing Pyongyang’s cumulative haul to at least $6.75bn, Chainalysis reported.
North Korean Hackers Steal $2bn in Record Crypto Theft Year: Chainalysis
The findings show that while the number of confirmed attacks linked to the Democratic People’s Republic of Korea fell sharply, the scale of individual incidents surged, with fewer but far more damaging breaches dominating the year.
Overall, more than $3.4bn was stolen across the crypto ecosystem in 2025, driven by a handful of extreme outliers, the blockchain intelligence service said, citing its own data analysis.
Losses were heavily concentrated. Chainalysis estimated that the three largest hacks accounted for 69% of losses, with the gap between the biggest attack and a typical incident now exceeding 1,000 times, a record disparity for the sector.
Bigger hits, fewer attacks
North Korea alone was responsible for at least $2.02bn of stolen funds in 2025, up 51% from the previous year, despite a steep drop in the number of known DPRK-linked incidents.
Chainalysis said this reflects a shift toward higher-impact operations, often enabled by long-running infiltration of crypto firms through fake IT workers or increasingly sophisticated executive-level impersonation schemes.
These attacks disproportionately targeted centralised services, where private-key compromises remain rare but catastrophic when they occur.
In the first quarter of the year, such incidents accounted for nearly all stolen funds, underscoring how a single breach can reshape annual crime statistics.
One notable exception to the rising-loss trend was decentralised finance. Despite a recovery in total value locked across DeFi protocols, hack losses remained subdued in 2024 and 2025, pointing to improved security practices and faster incident response.
Chainalysis said the contrast highlights a shifting threat landscape going into 2026, with state-backed actors focusing on fewer, high-impact operations while the industry races to harden defences against breaches that can move the needle by billions in a single strike.
Distinctive laundering playbook
Chainalysis said DPRK-linked actors continue to follow a distinctive laundering pattern, typically spreading funds in smaller tranches and relying heavily on Chinese-language money-movement services, cross-chain bridges and mixing protocols.
Large thefts are usually laundered over a roughly 45-day window, offering investigators a narrow but critical opportunity to intervene, Chainalysis found.
At the same time, personal wallet compromises surged to an estimated 158,000 incidents affecting at least 80,000 victims, even as the total value stolen from individuals fell to about $713mn.