2025 Sees Record $3.4 Billion in Cryptocurrency Thefts, Led by North Korean Hackers
December 18, 2025 — Chainalysis Team
The cryptocurrency industry faced a turbulent 2025, with thefts escalating to a record-breaking $3.4 billion over the year. A major contributor to this surge was the Democratic People’s Republic of Korea (DPRK), whose cyber operations accounted for over $2 billion of stolen assets — a 51% increase from 2024 — and pushed their cumulative crypto thefts to nearly $6.75 billion.
Rising Threats and Shifting Patterns in Crypto Crime
The cryptocurrency ecosystem continues to grapple with complex cyber threats that have evolved in scale and sophistication. Key takeaways from Chainalysis’s 2026 Crypto Crime Report highlight four critical trends shaping the security landscape:
- Dominance of North Korean Hackers: Despite fewer confirmed attacks, DPRK-linked actors extracted higher-value hauls, specializing in penetrating centralized exchange and crypto services through embedded IT worker infiltrations and elaborate social engineering.
- Concentration of Large-Scale Hacks: The top three largest hacks of 2025 alone accounted for 69% of all service-related losses, illustrating the outsized impact of a small number of devastating breaches.
- Increasing Personal Wallet Compromises: Wallet hacks surged to 158,000 cases affecting over 80,000 victims in 2025, but with an overall decrease in stolen value compared to 2024.
- Divergences in DeFi Security: Though decentralized finance platforms grew and attracted more liquidity, hack-related losses remained relatively suppressed, signifying modest security improvements.
Bybit Hack Drives Up 2025 Theft Totals
One of the most notable incidents was the February compromise of Bybit, responsible for a staggering $1.5 billion loss. This single event substantially influenced the year’s total theft value and showcased the vulnerabilities centralized exchanges face, despite professional security resources.
Centralized services increasingly suffer from private key compromises — while these events are infrequent, their scale dwarfs other theft vectors, making up 88% of losses in the first quarter of 2025 alone.
The Growing Divide Between Median and Massive Hacks
An emerging pattern in 2025 saw the largest hacks being more than 1,000 times larger than the median hack amount for the first time. This reflects an alarming concentration of risk: relatively few breaches cause enormous damage, intensifying the necessity for heightened security measures at large-scale platforms.
North Korea’s Increasingly Sophisticated Tactics
North Korea remains the leading nation-state adversary in the crypto domain. Their operations in 2025 demonstrate a shift toward fewer but more impactful thefts. These advances often involve:
- Embedding IT Workers: DPRK actors have historically placed insiders within crypto firms to gain privileged access. This tactic enables complex, large-scale breaches.
- Recruitment Impersonation Schemes: Recently, North Korean hackers began impersonating recruiters for well-known Web3 and AI companies, setting up fake hiring pipelines to lure targets into divulging credentials, codebases, and secure system access. Executive-level social engineering also escalates in sophistication, including fake strategic investor contacts to extract sensitive business information.
This approach highlights the DPRK’s strategic targeting of high-value firms involved in blockchain and artificial intelligence sectors and extends previous infiltration methodologies.
Distinctive Money Laundering Patterns
Following thefts, DPRK-linked actors employ unique laundering techniques distinguishing them from other cybercriminal groups:
- They distribute stolen funds in smaller transaction tranches, with over 60% of transfers under $500,000, in contrast to other groups that move larger sums in single transactions.
- Heavy reliance on Chinese-language money laundering and guarantee services (increasing activity by up to 1000%), alongside widespread use of cross-chain bridges and mixing protocols to frustrate traceability.
- Strategic avoidance of certain decentralized finance (DeFi) services such as lending protocols, KYC-free exchanges, and peer-to-peer platforms, which other non-state threat actors commonly exploit.
This laundering network ties closely to China-based illicit financial operators, aligning with North Korea’s established dependence on Asia-Pacific actors to navigate global financial systems.
Structured Laundering Timeline Post-Hack
Analysis reveals that funds stolen by the DPRK undergo a systematic laundering sequence over roughly 45 days following a major theft:
- Wave 1 (Days 0-5): Immediate layering starts straight after the breach to obfuscate trails.
- Subsequent Waves: Funds move through multiple intermediaries and services employing complex mechanisms aimed at evading detection and ultimately converting the funds to cash or other assets.
Personal Wallet Attacks and DeFi Security
Individual wallet compromises sharply increased in 2025, totaling 158,000 incidents—a significant rise in victim count—but the value stolen dropped to $713 million from 2024’s higher numbers. This could reflect enhanced user awareness and better personal security practices.
Meanwhile, despite increased Total Value Locked (TVL) in DeFi platforms during 2024 and 2025, losses from DeFi hacks remained low, suggesting that collective improvements in smart contract audits and security measures are beginning to curb exploit risks.
Looking Forward
This year’s data underscores the complex and evolving threat landscape cryptocurrency users and service providers face. The disproportionate impact of large breaches, combined with state-backed actors’ increasing sophistication, calls for continuous enhancements to security standards across the ecosystem.
Chainalysis will continue monitoring these trends, with its full 2026 Crypto Crime Report available to reserve. As digital asset adoption grows, understanding and mitigating these threats remains paramount to safeguarding the industry’s future.