North Korea stole a record $2 billion in crypto in 2025 — even as hacks declined

North Korea set a new record for crypto theft in 2025, stealing $2.02 billion despite carrying out far fewer attacks than in previous years, according to new data from Chainalysis. 

The report indicates that the DPRK’s cyber strategy has shifted from high-frequency exploits to precision, high-value infiltrations—a change that signals an evolving threat to the global crypto ecosystem.

Fewer attacks, but bigger and more strategic heists

Chainalysis found that North Korea-linked groups now focus on deep, targeted intrusions rather than the broad exploit patterns seen in earlier cycles. 

DPRK hackers stole more money in 2025 than in any year on record, while the total number of incidents actually fell.

Source: Chainalysis

A major driver was the $1.5 billion Bybit breach, but the trend extends beyond any single event.

The report highlights a shift toward infiltrating people and internal systems, not just codebases — including impersonating executives, compromising contractors, and gaining upstream access to drain funds.

This shift marks a new phase of state-level crypto exploitation: fewer hacks, larger payoffs, and far more strategic targeting.

DPRK relies on fast-moving laundering networks

The report also outlines how North Korea has refined its laundering operations.

Chainalysis identified a repeatable 45-day cycle used to clean stolen funds, involving:

• rapid obfuscation through mixers,
• chain-hops through bridges, and
• eventual off-ramping via Chinese-language OTC brokers and instant exchangers. 

Use of these off-ramp channels by DPRK-linked groups has surged between 97% and 1,000%, depending on the network.

Retail users face a different threat: mass wallet drains

While institutional targets faced the largest losses, retail users experienced a rising wave of account takeover attacks.

Chainalysis recorded 158,000 personal wallet hacks in 2025 — three times higher than in 2022.

Total value stolen from wallets dropped to $713 million, but Solana users took the largest hit, reflecting persistent exposure at the individual level even as DeFi platforms improve their security posture. 

DeFi is more secure — but institutions are now the weak point

The report notes that despite the rise in total value locked across DeFi, successful protocol-level exploits remained surprisingly low.

Instead, attackers targeted the organizational layers surrounding these platforms:

• IT contractors
• executives
• customer support personnel
• internal system administrators
• The attacks became about people, not smart contracts.

This evolution suggests traditional security models — which focus on code audits and protocol hardening — no longer address the most exploited vulnerabilities.

A new phase of global crypto security risk

Chainalysis warns that DPRK’s cyber operations have reached a level of sophistication that demands a new security approach.

With lifetime crypto thefts now at $6.75 billion, North Korea remains the single most dangerous state actor in the industry.

Final Thoughts

• North Korea’s shift to high-impact, institution-level infiltrations marks a new era of crypto security risk.
• The industry must harden its human and organizational defences, not just its smart contracts.