TL;DR
- DPRK-linked hackers stole $2.02 billion in crypto in 2025, $6.75 billion cumulative.
- They account for 76% of value stolen from service compromises.
- Post-theft laundering follows a 45-day cycle using bridges and mixers, not DeFi lending.
Chainalysis reports that hackers linked to the government of the Democratic People’s Republic of Korea (DPRK) stole at least $2.02 billion in cryptocurrency during 2025. Chainalysis also places cumulative losses tied to DPRK-linked activity at $6.75 billion.
The report describes a concentrated pattern of attacks. DPRK-linked groups account for 76% of service compromises tracked by Chainalysis, even with fewer confirmed incidents overall. These groups execute fewer, larger thefts and then run laundering cycles that last roughly 45 days after major breaches.
Chainalysis highlights a clear split in behavior inside DeFi. DPRK-linked actors use DeFi lending protocols far less than other criminal groups. Chainalysis measures an 80% gap versus non-DPRK actors, which points to a preference for alternate laundering routes rather than routine use of lending venues to swap and obscure stolen funds.
Eric Jardine, head of research at Chainalysis, frames the pattern as a relative preference. Jardine says other actors who steal funds use lending protocols more often, while DPRK-linked attackers favor other services for layering, including mixers and bridges. Jardine adds that lending use by DPRK-linked groups does not drop to zero, yet the data shows a consistent tilt toward other tools.
Bridges, mixers, and Chinese-language laundering services drive the 45-day cycle
Chainalysis links DPRK-linked laundering to bridges, mixers, and Chinese-language money laundering services, with a recurring 45-day cycle following large thefts. The report describes a workflow that moves funds across chains, breaks traceability through mixing, and routes proceeds through services that specialize in laundering. The sequence reads like a metronome: theft, dispersion, cross-chain transfers, mixing, and cash-out steps that complicate attribution.
At the same time, market growth in DeFi does not translate into a comparable jump in reported hack losses during 2025, according to Chainalysis. DefiLlama data shows total value locked (TVL) rising from about $50 billion in 2024 to nearly $175 billion by October 2025, near levels last seen during 2021.
Chainalysis notes that hack losses stay low even as TVL rises
The firm attributes the combination of rising TVL and low hack losses to stronger security practices across DeFi protocols compared with the 2020–2021 period. Developers harden code, teams expand audits, and operators tighten monitoring, according to the report’s explanation.
The findings shift attention toward the post-theft phase. DPRK-linked groups show discipline in laundering execution, not only in intrusion methods. The report places emphasis on tool choice—bridges and mixers over lending protocols—and on timing, with repeatable 45-day laundering windows after large attacks. In a market that increasingly tracks measurable performance, the laundering route becomes the fingerprint.
