TL;DR
- DPRK dominance: North Korean hackers stole $2.02 billion in 2025, representing 76% of all service compromises. Their cumulative haul now exceeds $6.75 billion.
- Evolving tactics: Sophisticated infiltration of IT staff and impersonation of executives or recruiters enabled massive breaches with fewer incidents.
The cryptocurrency industry faced a turbulent 2025, with $3.4 billion stolen across the sector. At the center of this alarming figure stood North Korea, whose hackers executed fewer attacks but achieved record-breaking gains. According to Chainalysis, DPRK-linked groups stole $2.02 billion, marking a 51% increase from 2024 and cementing their dominance in global crypto crime.
Record-Breaking Year for DPRK Hackers
Chainalysis data shows that North Korean hackers accounted for 76% of all service compromises in 2025, despite a sharp reduction in attack frequency. Their cumulative haul now totals $6.75 billion. The February Bybit breach alone contributed $1.5 billion, underscoring how single incidents can reshape yearly totals. This concentration of losses highlights the outsized impact of DPRK operations compared to other actors.
Sophisticated Infiltration and Impersonation
The report reveals that DPRK hackers increasingly rely on IT worker infiltration and executive impersonation tactics. By embedding operatives inside exchanges and custodians, they gain privileged access to critical systems. More recently, they have impersonated recruiters and investors, tricking victims into divulging credentials and sensitive infrastructure details. These evolving strategies demonstrate a calculated shift toward high-value targets in blockchain and AI firms.

Distinctive Laundering Patterns
Chainalysis identified unique laundering behaviors among DPRK-linked actors. Unlike typical cybercriminals, they favor Chinese-language money laundering services, bridge protocols, and mixing platforms, structuring transactions in smaller tranches under $500,000. Their laundering unfolds in a 45-day cycle, beginning with rapid obfuscation through DeFi and mixers, followed by integration into exchanges and eventual conversion via OTC networks. This structured approach reflects both sophistication and reliance on Asia-Pacific illicit networks.
Rising Threats Beyond DPRK
While North Korea dominated headlines, personal wallet compromises surged to 158,000 incidents, affecting 80,000 victims. Yet the total stolen from individuals fell to $713 million, down from $1.5 billion in 2024, suggesting attackers are targeting more users but extracting smaller amounts per victim. Meanwhile, DeFi protocols showed resilience, with improved monitoring and governance reducing losses despite rising Total Value Locked. This divergence signals a shift in attacker focus toward centralized services and personal wallets.