North Korean cyber operators drained about $2.02 billion in digital assets in 2025, a rise of roughly 51% from the previous year, making it the most lucrative period yet for the Korean groups, according to a new report by research platform Chainalysis.
Chainalysis estimates that more than $3.4 billion in cryptocurrency was stolen worldwide between January and early December 2025, with a single compromise at trading platform Bybit in February accounting for around $1.5 billion of that total.
The report also indicates that the three largest hacks together made up roughly 69% of all service losses, while the biggest individual incident was about one thousand times larger than the median theft, highlighting the extreme concentration of risk in a handful of catastrophic breaches.
According to the report, North Korean groups were responsible for about 75% of confirmed attacks on crypto services in 2025, even though the number of their operations dropped significantly from previous years, indicating they are focusing on fewer, more valuable targets.
At the same time, they are increasingly posing as recruiters for well-known technology, artificial intelligence, and Web3 firms and staging elaborate but bogus hiring processes and investor approaches that are designed to harvest login credentials, source code, virtual private network access, and other paths into high-value infrastructure, including the accounts of senior executives.
The report showed that, once funds are stolen, DPRK-linked actors typically move them through a distinct laundering cycle over roughly forty-five days, beginning with an intense burst in the first few days in which the assets are routed through decentralized finance protocols and mixing services to break the most obvious links to the original theft.
The process then shifts in the following week toward exchanges with weaker checks, major trading venues, secondary mixers, and cross-chain bridges that scatter value across blockchains, before settling into a longer phase in which money moves through no-KYC exchanges, Chinese-language guarantee services, instant swap platforms, and over-the-counter brokers that can convert it into cash or other assets, often in less regulated markets.
Unlike many cybercriminals focused on making money through lending platforms and popular exchanges, North Korean networks prefer using Chinese-language money laundering services, cross-chain bridges, mixing tools, and a few specialized platforms. Analysts believe this shows their reliance on established helpers in the Asia Pacific region and their strategies to bypass international financial sanctions.
Alongside the large service breaches, the industry is confronting a surge in personal wallet compromises, with Chainalysis counting about 158,000 such incidents in 2025 that affected at least 80,000 individual users compared with roughly 54,000 cases and 40,000 known victims in 2022, even as the share of total stolen value attributed to personal wallets fell from around 44 percent in 2024 to about 20 percent in 2025 and the amount taken from individuals dropped from roughly $1.5 billion to $713 million, indicating that attackers are striking more users but taking smaller sums from each one.
The report shows that risk is uneven across networks, with Ethereum and Tron recording the highest theft rates when measured per one hundred thousand active personal wallets. Solana, despite having one of the largest user bases and around 26,500 identified victims, and Base, which also has a sizable user base, both experience fewer thefts relative to their active wallet counts, suggesting that user behavior, popular applications, and the surrounding criminal infrastructure may be as important as the underlying code in determining who is most exposed.
While total value locked in decentralized finance has recovered, Chainalysis concludes that reported losses remain comparatively subdued and points to the swift handling of a September 2025 incident at Venus Protocol as evidence of stronger defenses, yet it also stresses that North Korean groups capable of thefts on the scale of the Bybit hack continue to represent a major threat to the broader crypto market.
Read Also: Hong Kong Unveils 10-Year Plan to Digitize and Tokenize Capital Markets
