North Korea stole a record $2 billion in crypto in 2025 — even as hacks declined

ambcryptoPublished on 2025-12-18Last updated on 2025-12-18

Abstract

North Korea set a record in 2025 by stealing $2.02 billion in cryptocurrency despite carrying out fewer attacks than in previous years, according to Chainalysis. The DPRK shifted its strategy from high-frequency exploits to targeted, high-value infiltrations, focusing on compromising people and internal systems—such as executives and contractors—rather than just code. A major driver was the $1.5 billion Bybit breach. The report also details North Korea's efficient 45-day laundering cycle using mixers, bridges, and off-ramping via Chinese OTC brokers. While DeFi protocols saw improved security breaches, retail wallet hacks rose to 158,000 incidents. North Korea remains the most significant state-level threat in crypto, with total lifetime thefts reaching $6.75 billion. The industry must now prioritize human and organizational security, not just technical defenses.

North Korea set a new record for crypto theft in 2025, stealing $2.02 billion despite carrying out far fewer attacks than in previous years, according to new data from Chainalysis.

The report indicates that the DPRK’s cyber strategy has shifted from high-frequency exploits to precision, high-value infiltrations—a change that signals an evolving threat to the global crypto ecosystem.

Fewer attacks, but bigger and more strategic heists

Chainalysis found that North Korea-linked groups now focus on deep, targeted intrusions rather than the broad exploit patterns seen in earlier cycles.

DPRK hackers stole more money in 2025 than in any year on record, while the total number of incidents actually fell.

A major driver was the $1.5 billion Bybit breach, but the trend extends beyond any single event.

The report highlights a shift toward infiltrating people and internal systems, not just codebases — including impersonating executives, compromising contractors, and gaining upstream access to drain funds.

This shift marks a new phase of state-level crypto exploitation: fewer hacks, larger payoffs, and far more strategic targeting.

DPRK relies on fast-moving laundering networks

The report also outlines how North Korea has refined its laundering operations.

Chainalysis identified a repeatable 45-day cycle used to clean stolen funds, involving:

  • rapid obfuscation through mixers,
  • chain-hops through bridges, and
  • eventual off-ramping via Chinese-language OTC brokers and instant exchangers.

Use of these off-ramp channels by DPRK-linked groups has surged between 97% and 1,000%, depending on the network.

Retail users face a different threat: mass wallet drains

While institutional targets faced the largest losses, retail users experienced a rising wave of account takeover attacks.

Chainalysis recorded 158,000 personal wallet hacks in 2025 — three times higher than in 2022.

Total value stolen from wallets dropped to $713 million, but Solana users took the largest hit, reflecting persistent exposure at the individual level even as DeFi platforms improve their security posture.

DeFi is more secure — but institutions are now the weak point

The report notes that despite the rise in total value locked across DeFi, successful protocol-level exploits remained surprisingly low.

Instead, attackers targeted the organizational layers surrounding these platforms:

  • IT contractors
  • executives
  • customer support personnel
  • internal system administrators
  • The attacks became about people, not smart contracts.

This evolution suggests traditional security models — which focus on code audits and protocol hardening — no longer address the most exploited vulnerabilities.

A new phase of global crypto security risk

Chainalysis warns that DPRK’s cyber operations have reached a level of sophistication that demands a new security approach.

With lifetime crypto thefts now at $6.75 billion, North Korea remains the single most dangerous state actor in the industry.


Final Thoughts

  • North Korea’s shift to high-impact, institution-level infiltrations marks a new era of crypto security risk.
  • The industry must harden its human and organizational defences, not just its smart contracts.

Trending Cryptos

Related Questions

QHow much did North Korea steal in cryptocurrency in 2025 according to Chainalysis?

ANorth Korea stole a record $2.02 billion in cryptocurrency in 2025.

QWhat major shift in cyber strategy did the report identify for DPRK-linked hacking groups?

AThe report identified a shift from high-frequency exploits to precision, high-value infiltrations, focusing on targeted intrusions rather than broad exploit patterns.

QWhat was a key component of North Korea's 45-day laundering cycle for stolen funds?

AKey components included rapid obfuscation through mixers, chain-hops through bridges, and off-ramping via Chinese-language OTC brokers and instant exchangers.

QHow did the number of personal wallet hacks in 2025 compare to 2022?

AChainalysis recorded 158,000 personal wallet hacks in 2025, which was three times higher than the number in 2022.

QWhat does the report suggest is now the weak point in crypto security, as opposed to protocol-level exploits?

AThe report suggests that organizational layers, such as IT contractors, executives, and internal system administrators, are now the weak point, as attackers are targeting people rather than smart contracts.

Related Reads

Trading

Spot

Hot Articles

How to Buy CAP

Welcome to HTX.com! We've made purchasing Cap (CAP) simple and convenient. Follow our step-by-step guide to embark on your crypto journey.Step 1: Create Your HTX AccountUse your email or phone number to sign up for a free account on HTX. Experience a hassle-free registration journey and unlock all features.Get My AccountStep 2: Go to Buy Crypto and Choose Your Payment MethodCredit/Debit Card: Use your Visa or Mastercard to buy Cap (CAP) instantly.Balance: Use funds from your HTX account balance to trade seamlessly.Third Parties: We've added popular payment methods such as Google Pay and Apple Pay to enhance convenience.P2P: Trade directly with other users on HTX.Over-the-Counter (OTC): We offer tailor-made services and competitive exchange rates for traders.Step 3: Store Your Cap (CAP)After purchasing your Cap (CAP), store it in your HTX account. Alternatively, you can send it elsewhere via blockchain transfer or use it to trade other cryptocurrencies.Step 4: Trade Cap (CAP)Easily trade Cap (CAP) on HTX's spot market. Simply access your account, select your trading pair, execute your trades, and monitor in real-time. We offer a user-friendly experience for both beginners and seasoned traders.

301 Total ViewsPublished 2026.06.26Updated 2026.06.26

How to Buy CAP

What Is TradFi

TradFi (Traditional Finance) refers to a centralized financial system dominated by banks, securities exchanges, asset management firms, and regulatory institutions.

26.2k Total ViewsPublished 2026.07.01Updated 2026.07.01

What Is TradFi

Discussions

Welcome to the HTX Community. Here, you can stay informed about the latest platform developments and gain access to professional market insights. Users' opinions on the price of A (A) are presented below.

活动图片