According to a new report from Chainalysis, the crypto industry saw a significant increase in global crypto theft in 2025, with losses exceeding $3.4 billion from January to early December.
This surge was primarily driven by North Korea-linked hackers, who were responsible for the majority of funds stolen that year.
Inside North Korea’s record $2 billion cryptocurrency theft
Blockchain analysis firm Chainalysis has pointed out in its latest report that the number of attacks attributed to the Democratic People’s Republic of Korea (DPRK) has decreased significantly. Still, it was a record-breaking year for cryptocurrency theft.
North Korean hackers stole at least $2.02 billion in digital assets in 2025. This marked a 51% increase over the previous year. Compared to 2020 levels, this amount represents a jump of approximately 570%.
“This year’s record haul coincided with a significant reduction in known incidents. This shift, with far more stolen from fewer incidents, reflects the impact of the massive Bybit hack in March 2025,” Chainalysis noted.
Additionally, the report revealed that threat actors linked to North Korea were responsible for a record 76% of all service breaches that year.
In total, the 2025 numbers push the lower cumulative estimate of crypto funds stolen by North Korea to $6.75 billion.
“This evolution is a continuation of a long-term trend. North Korean hackers have long demonstrated a high degree of sophistication, but their operations in 2025 highlight that they continue to evolve both their tactics and preferred targets,” Andrew Fierman, Director of National Security Intelligence at Chainalysis, told BeInCrypto.
Based on historical data, Chainalysis determined that North Korea continues to carry out far more high-value attacks than other threat actors.
“This pattern confirms that North Korean hackers target large-scale services for maximum impact when attacking,” the report said.
According to Chainalysis, North Korea-linked hackers are increasingly achieving greater success by placing operatives in technical roles within cryptocurrency companies. This approach is one of the primary attack vectors, allowing threat actors to gain privileged access and perform more harmful intrusions.
In July, blockchain researcher ZachXBT published an exposé claiming that North Korea-related operatives infiltrated 345 to 920 jobs across the cryptocurrency industry.
“Part of this record year may reflect a growing reliance on IT worker penetration of exchanges, custodians, and Web3 companies, which may accelerate initial access and lateral movement prior to large-scale thefts,” the report states.
Threat actors are also employing recruitment-style tactics, posing as employers and targeting individuals already working in the field.
Additionally, BeInCrypto recently reported that hackers are impersonating trusted industry participants in fake Zoom and Microsoft Teams meetings. Using this tactic, they stole over $300 million.
“North Korea constantly seeks to identify new attack vectors and areas of vulnerability in order to exploit funds. This, combined with the regime’s lack of access to the global economy, ultimately creates the threat of a motivated and sophisticated nation-state seeking to obtain as much money as possible for the regime. As a result, the compromise of private keys of centralized services drove a significant portion of this year’s volume of exploitation,” Fierman elaborated.
Chainalysis maps 45-day laundering scheme used by North Korean hackers
Chainalysis found that North Korea’s money laundering behavior differs significantly from that of other groups. The report showed that North Korea-linked actors tend to launder money in small on-chain tranches, with over 60% of transactions concentrated in transfers of less than $500,000.
In contrast, non-North Korean threat actors typically transfer 60% of stolen funds in larger batches ranging from $1 million to more than $10 million. Chainalysis said this structure reflects a more deliberate and sophisticated laundering approach, even though North Korea steals more money overall.
The company also identified clear differences in service usage. North Korea-linked hackers have shown a strong reliance on Chinese-language fund transfer and guarantee services, as well as bridging and mixing tools designed to hide the traces of transactions. They also utilize specialized platforms such as Huione to facilitate their laundering operations.
In contrast, other attackers interact more frequently with decentralized exchanges, centralized platforms, peer-to-peer services, and lending protocols.
“These patterns suggest that North Korea operates under different constraints and objectives than non-state-sponsored cybercriminals. Their heavy use of professional Chinese-language money laundering services and over-the-counter (OTC) traders suggests that North Korean threat actors are closely aligned with illicit actors across the Asia-Pacific region, consistent with North Korea’s historical use of China-based networks to access the international financial system,” the company said.
Chainalysis also observed a repeating laundering pattern that typically unfolds over a 45-day period. In the days immediately following a hack (days 0-5), North Korea-linked actors prioritize moving stolen funds away from the source. The report notes that the use of DeFi protocols and mixing services increases sharply during this initial period.
In the second week (days 6-10), activity shifts to services that allow for broader integration. Flows begin to reach centralized exchanges and platforms with limited KYC requirements.
In the stage that follows, cleaning continues at reduced intensity through secondary mixing services, while cross-chain bridges are used to make movements less noticeable.
“This stage represents an important transition period as capital begins to move toward potential off-ramps,” the company said.
The final stage (days 20-45) involves increased interaction with services that facilitate conversion and cash-out. KYC-free exchanges, guarantee services, instant swap platforms, and Chinese-language services feature prominently, as do new uses of centralized exchanges to blend illicit funds with legitimate activity.
Chainalysis emphasized that the repeated 45-day laundering window provides important insight for law enforcement. The pattern also reflects the operational constraints of the hackers and their dependence on specific intermediaries.
“North Korea has implemented a swift and effective money laundering strategy, so this requires an industry-wide response quickly. Law enforcement and the private sector, from exchanges to blockchain analysis companies, need to work together effectively to disrupt any funds as soon as the opportunity arises, whether the funds pass through a stablecoin or reach an exchange where the funds can be frozen immediately,” commented Fierman.
Although not all stolen funds follow this timeline, this pattern represents typical on-chain behavior. Still, the team acknowledged potential blind spots, as certain activities such as private key transfers and off-chain OTC transactions may not be visible through blockchain data alone without supporting intelligence.
Outlook for 2026
Chainalysis’ director of national security intelligence told BeInCrypto that North Korea is likely to probe any exploitable vulnerability. This year’s Bybit, BTCTurk, and Upbit incidents suggest that centralized exchanges are facing increasing pressure, but tactics could change at any time.
Recent exploits involving Balancer and Yearn show that long-established protocols may also be under threat, he said:
“While we cannot say what will happen in 2026, we do know that North Korea will seek to maximize its return on its targets. That means services with large reserves will need to maintain high security standards to avoid becoming the next exploit.”
The report also emphasized that as North Korea increasingly relies on crypto theft to raise state-backed funds and evade international sanctions, the industry must recognize that this threat actor operates under a fundamentally different set of constraints and incentives than regular cybercriminals.
“The country’s record-breaking performance in 2025, achieved with a 74% reduction in known attacks, suggests we may only be looking at the most visible parts of its activity,” Chainalysis added.
The company outlined that a key challenge for 2026 will be to identify and disrupt these high-impact operations before North Korea-linked actors carry out another incident on the scale of the Bybit hack.
