TL;DR
In 2025, North Korean hackers stole $2.02 billion in cryptocurrency, a 51% increase over the previous year that brings the DPRK's cumulative haul to $6.75 billion. The surge came despite a smaller number of attacks: the Democratic People's Republic of Korea (DPRK) achieved larger individual thefts through strategies such as embedding IT workers inside crypto firms and running impersonation schemes, including fake recruiter outreach, aimed at executives. For laundering, the DPRK favors Chinese-language services, mixing protocols and cross-chain bridges, and typically works through a roughly 45-day laundering cycle after a major theft. Personal wallet compromises rose to 158,000 incidents involving at least 80,000 unique victims in 2025, although the total value stolen from them fell to $713 million from the 2024 level. Finally, while Total Value Locked (TVL) in decentralized finance (DeFi) grew, losses from DeFi hacks stayed low through 2024-2025, suggesting that improved security measures are having an effect.
The Cryptocurrency Ecosystem’s Ongoing Challenges
The cryptocurrency sector faced significant losses in 2025, with total thefts exceeding $3.4 billion from January to early December. A single incident, the February breach of Bybit, accounted for $1.5 billion of that total. The data also points to a shift in where value is being stolen: personal wallet compromises grew from just 7.3% of stolen funds in 2022 to 44% in 2024, and would have represented 37% of 2025 losses had the Bybit incident not occurred. Centralized services, meanwhile, are suffering larger losses from private key compromises. Despite extensive resources and security programs, these platforms remain exposed to this class of failure; such breaches are infrequent, but when they occur they are catastrophic, accounting for 88% of losses in the first quarter of 2025, a figure dominated by the Bybit breach. The persistence of high theft volumes indicates that while some areas of crypto security are improving, attackers continue to find and exploit weaknesses elsewhere.
The Concentration of Losses in Major Hacks
Crypto theft has always been dominated by outliers: most hacks are relatively small, while a few are very large. In 2025 that skew reached a new extreme, with the largest hack roughly 1,000 times the size of the median incident. The value stolen in the biggest breaches now dwarfs that of typical incidents, surpassing even the peaks of the 2021 bull market. As a result, the top three hacks of 2025 accounted for 69% of total service losses, meaning a handful of incidents can swing annual totals. The number of hacks may fluctuate from year to year, but the potential for a single catastrophic breach keeps growing.
North Korea: The Dominant Cyber Threat
The Democratic People's Republic of Korea (DPRK) has solidified its position as the dominant nation-state threat to cryptocurrency security, reaching record theft totals even as the frequency of its attacks reportedly decreased. In 2025, North Korean hackers stole at least $2.02 billion worth of cryptocurrency, $681 million more than the previous year and a 51% year-over-year rise. DPRK attacks accounted for a record 76% of all service compromises this year, and the cumulative total stolen by the regime now stands at $6.75 billion. Embedding North Korean IT workers inside crypto organizations to obtain privileged access has become one of the DPRK's primary attack methods. The group has also adopted new tactics, such as impersonating recruiters from reputable firms and running fraudulent hiring processes designed to extract sensitive information and access from targets.
The DPRK’s Evolving Money Laundering Techniques
The large influx of stolen cryptocurrency in early 2025 offers a rare view into the laundering techniques of DPRK-linked actors. Their methods differ markedly from those of other cybercriminals and have evolved over time, revealing both operational preferences and points at which the activity can be detected. DPRK laundering is characterized by distinctive transaction-size brackets, with over 60% of transfers made in amounts below $500,000. Other criminals typically move funds in larger tranches; the DPRK's preference for many smaller transfers reflects a more deliberate approach to obscuring the trail. The DPRK also shows a clear preference for particular laundering channels, including Chinese-language services and cross-chain bridges, while avoiding popular DeFi lending protocols and P2P exchanges.
A Structured Timeline for Laundering Stolen Funds
The analysis reveals a consistent pattern in how funds are laundered after DPRK-linked hacks. The process typically unfolds in three phases over roughly 45 days. The first phase immediately distances the funds from the point of theft, with sharp spikes in activity on DeFi protocols and mixing services. The second phase integrates the funds into the broader ecosystem through exchanges and further rounds of mixing. The final phase converts the laundered assets to fiat or other currencies, relying on less regulated platforms and exchanges. This structure gives law enforcement and compliance teams a timeline against which to track and intercept the flows.
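The tranche-size and channel preferences described above, together with the three-phase timeline, can be turned into simple triage indicators over a set of post-hack outflows. The following is an added example written for this article, not code from Chainalysis or any tracing vendor. The transfer records are constructed, the destination categories (`mixer`, `bridge`, `cn_lang_service`, and so on) are hypothetical labels an analyst's tracing tool might attach, and the phase day boundaries of 7, 30 and 45 days are assumptions: the text gives only the roughly 45-day total window and the three-phase shape.

```python
"""Tranche-size and laundering-phase indicators over post-hack outflows.

Added example for this article; not code from Chainalysis or any tracing
vendor. Transfer records below are constructed. Phase boundaries (7/30/45
days) are ASSUMED; the text gives only the ~45-day window and three phases.
"""
from collections import Counter
from datetime import datetime, timedelta

TRANCHE_LIMIT_USD = 500_000      # tranche-size threshold the report cites for DPRK flows
SMALL_TRANCHE_SHARE = 0.60       # "over 60% of transfers below $500k"
PHASE_END_DAYS = (7, 30, 45)     # ASSUMED end of phase 1, 2, 3 (days after theft)
PHASE1_CHANNELS = {"mixer", "defi_swap"}             # phase 1: distancing via DeFi/mixers
AVOIDED_CHANNELS = {"defi_lending", "p2p_exchange"}  # channels the report says DPRK avoids

THEFT_TIME = datetime(2025, 2, 21, 14, 0)  # constructed reference time, not a real timestamp


def _t(days_after_theft):
    """Constructed timestamp a given number of days after the theft."""
    return THEFT_TIME + timedelta(days=days_after_theft)


# Constructed DPRK-like flow: many sub-$500k tranches, mixers and a bridge
# early, Chinese-language services and loosely regulated venues late.
SAMPLE_DPRK_LIKE = [
    {"ts": _t(0.1), "usd": 450_000, "dest": "mixer"},
    {"ts": _t(0.5), "usd": 480_000, "dest": "defi_swap"},
    {"ts": _t(1.0), "usd": 1_200_000, "dest": "bridge"},
    {"ts": _t(2.0), "usd": 300_000, "dest": "mixer"},
    {"ts": _t(10), "usd": 250_000, "dest": "exchange"},
    {"ts": _t(15), "usd": 490_000, "dest": "mixer"},
    {"ts": _t(20), "usd": 800_000, "dest": "cn_lang_service"},
    {"ts": _t(35), "usd": 200_000, "dest": "cn_lang_service"},
    {"ts": _t(40), "usd": 150_000, "dest": "unregulated_exchange"},
    {"ts": _t(44), "usd": 100_000, "dest": "cn_lang_service"},
]

# Constructed non-DPRK flow: a few large tranches straight into lending and P2P.
SAMPLE_OTHER = [
    {"ts": _t(0.2), "usd": 5_000_000, "dest": "exchange"},
    {"ts": _t(1.0), "usd": 3_000_000, "dest": "defi_lending"},
    {"ts": _t(3.0), "usd": 2_000_000, "dest": "p2p_exchange"},
]


def phase_of(ts, theft_time=THEFT_TIME):
    """Map a transfer timestamp to phase 1, 2 or 3; None if outside the window."""
    days = (ts - theft_time).total_seconds() / 86_400
    if days < 0:
        return None
    for phase, end in enumerate(PHASE_END_DAYS, start=1):
        if days <= end:
            return phase
    return None


def small_tranche_share(transfers, limit=TRANCHE_LIMIT_USD):
    """Fraction of transfers whose USD value is below the tranche limit."""
    if not transfers:
        return 0.0
    return sum(1 for t in transfers if t["usd"] < limit) / len(transfers)


def activity_by_phase(transfers, theft_time=THEFT_TIME):
    """Destination-category counts per phase, so phase-1 mixer spikes are visible."""
    by_phase = {1: Counter(), 2: Counter(), 3: Counter()}
    for t in transfers:
        phase = phase_of(t["ts"], theft_time)
        if phase is not None:
            by_phase[phase][t["dest"]] += 1
    return by_phase


def laundering_indicators(transfers, theft_time=THEFT_TIME):
    """Indicators drawn from the report's description of DPRK laundering preferences."""
    by_phase = activity_by_phase(transfers, theft_time)
    dests = {t["dest"] for t in transfers}
    return {
        "small_tranche_share": small_tranche_share(transfers),
        "phase1_distancing": any(d in PHASE1_CHANNELS for d in by_phase[1]),
        "uses_bridge": "bridge" in dests,
        "uses_avoided_channels": bool(dests & AVOIDED_CHANNELS),
    }


def looks_dprk_like(transfers, theft_time=THEFT_TIME):
    """Heuristic triage flag for analysts; a lead to investigate, not an attribution."""
    ind = laundering_indicators(transfers, theft_time)
    return (ind["small_tranche_share"] > SMALL_TRANCHE_SHARE
            and ind["phase1_distancing"]
            and not ind["uses_avoided_channels"])


if __name__ == "__main__":
    for name, flow in (("dprk_like", SAMPLE_DPRK_LIKE), ("other", SAMPLE_OTHER)):
        print(name, laundering_indicators(flow), "flag:", looks_dprk_like(flow))
```

The flag is deliberately conservative: all three conditions (small tranches, phase-1 distancing through mixers or DeFi, and no use of the channels the DPRK avoids) must hold, and the result should be treated as a prioritization signal for a compliance queue rather than as evidence of who is behind a flow.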
Rising Threat of Personal Wallet Compromises
Analysis of on-chain activity and victim reports shows a sharp rise in the number of personal wallet compromises, even though their share of total stolen value fell to an estimated 20% in 2025 from 44% in 2024 (37% if the Bybit breach is excluded). The number of theft incidents climbed to 158,000, nearly triple the 54,000 recorded in 2022, while unique victims grew from 40,000 to at least 80,000. The growth tracks wider crypto adoption, particularly on Solana, which saw significant incidents. The $713 million stolen from personal wallets in 2025 is lower than the 2024 figure, so the average loss per victim has fallen: attackers are reaching a broader pool of victims and taking smaller amounts from each.
DeFi Hacks: A Shift in Trends
DeFi crime data for 2025 shows a break from earlier patterns. Historically, total value locked (TVL) in DeFi and hacking losses rose and fell together; the recent data instead shows three distinct phases. In the first, both metrics rose; in the second, both declined. In the current phase, DeFi TVL has rebounded while hack losses have stayed relatively low. This divergence suggests that DeFi protocols are deploying more robust security measures and that attackers are shifting their attention to personal wallets and centralized services.
Case Study: Venus Protocol’s Security Measures
The September 2025 incident at Venus Protocol illustrates the effect of improved security practices. Attackers used a compromised Zoom client to take over a high-value account, but because the protocol had recently deployed Hexagate's security platform, the suspicious activity was detected early. The rapid response that followed prevented the attackers from completing the theft, demonstrating the progress made in DeFi security infrastructure. The ability to detect a threat and respond in time marks a shift in the DeFi landscape, in sharp contrast with earlier incidents where a successful breach usually meant irretrievable losses.
Looking Ahead to 2026
The 2025 data paints a complex picture of the DPRK's evolution as a crypto threat actor. Its ability to carry out fewer but far more damaging attacks reflects growing sophistication and strategic patience. The effect of the Bybit incident on its operational tempo suggests that a major theft is followed by a lull in new attacks while the proceeds are laundered. For the cryptocurrency sector, this evolution demands heightened vigilance around high-value targets and detection strategies tailored to the DPRK's laundering preferences. As North Korea continues to use cryptocurrency theft to fund state objectives and evade international sanctions, the industry must recognize that this adversary operates under different constraints than ordinary cybercriminals. The record thefts of 2025, achieved with markedly fewer attacks, argue for proactive measures that detect and disrupt high-impact operations before they succeed.
