How North Korea Pulled Off $2 Billion In Crypto Theft In 2025

What Happened

The surge was largely driven by North Korea-linked hackers, who were responsible for the majority of stolen funds during the year.

North Korean hackers stole at least $2.02 billion in digital assets in 2025. This marked a 51% year-over-year increase. Compared with 2020 levels, the amount represents a surge of approximately 570%.

“This year’s record haul came from significantly fewer known incidents. This shift — fewer incidents yielding far greater returns — reflects the impact of the massive Bybit hack in March 2025,” Chainalysis noted.

“This evolution is a continuation of a long-term trend. North Korea’s hackers have long demonstrated a high degree of sophistication, and their operations in 2025 highlights that they are continuing to evolve both their tactics and their preferred targets,” Andrew Fierman, Chainalysis Head of National Security Intelligence, told BeInCrypto.

“This pattern reinforces that when North Korean hackers strike, they target large services and aim for maximum impact,” the report reads.

According to Chainalysis, North Korea-linked hackers are increasingly generating outsized results by placing operatives in technical roles within crypto-related companies. This approach, one of the principal attack vectors, enables threat actors to gain privileged access and execute more damaging intrusions.

In July, blockchain investigator ZachXBT published an exposé claiming that North Korea-linked operatives infiltrated between 345 and 920 jobs across the crypto industry.

Furthermore, BeInCrypto recently reported that hackers were impersonating trusted industry contacts in fake Zoom and Microsoft Teams meetings. Using this tactic, they stole more than $300 million.

“DPRK will always seek to identify new attack vectors, and areas where vulnerabilities exist to exploit funds. Combine that with the regimes’ lack of access to the global economy, and you end up with a motivated, sophisticated nation state threat that seeks to gain as much capital for the regime as possible. As a result, private key compromises of centralized services have driven significant proportions of exploit volume this year,” Fierman detailed.

Chainalysis Maps a 45-Day Laundering Playbook Used by North Korean Hackers

The firm also identified clear differences in service usage. DPRK-linked hackers show a strong reliance on Chinese-language money movement and guarantee services, as well as bridge and mixing tools designed to obscure transaction trails. They also utilize specialized platforms, such as Huione, to facilitate their laundering operations.

Chainalysis also observed a recurring laundering pattern that typically unfolds over 45 days. In the days immediately after a hack (Days 0-5), North Korea-linked actors prioritize distancing the stolen funds from the source. The report noted a sharp increase in the use of DeFi protocols and mixing services during this initial period.

Market Context

Chainalysis found that North Korea’s laundering behavior differs sharply from that of other groups. The report showed that DPRK-linked actors tend to launder money in smaller on-chain tranches, with just over 60% of volume concentrated below a $500,000 transfer value.

Why It Matters

“Part of this record year likely reflects an expanded reliance on IT worker infiltration at exchanges, custodians, and web3 firms, which can accelerate initial access and lateral movement ahead of large‑scale theft,” the report stated.

“These patterns suggest that the DPRK operates under different constraints and objectives than those of non-state-backed cybercriminals. Their heavy use of professional Chinese-language money laundering services and over-the-counter (OTC) traders suggests that DPRK threat actors are tightly integrated with illicit actors across the Asia-Pacific region, and is consistent with Pyongyang’s historical use of China-based networks to gain access to the international financial system,” the firm mentioned.

Details

The crypto industry experienced a major escalation in global cryptocurrency theft in 2025, with losses exceeding $3.4 billion between January and early December, according to a new report from Chainalysis.

Inside North Korea’s Record $2 Billion Crypto Theft

In its latest report, blockchain analytics firm Chainalysis pointed out that there was a significant decline in the Democratic People’s Republic of Korea’s (DPRK) attack frequency. Still, they achieved a record-breaking year in terms of cryptocurrency theft.

Furthermore, the report revealed that DPRK-linked actors were responsible for a record 76% of all service compromises during the year.

Taken together, the 2025 figures push the lower-bound cumulative estimate of cryptocurrency funds stolen by North Korea to $6.75 billion.

Drawing on historical data, Chainalysis determined that the DPRK continues to carry out significantly higher-value attacks than other threat actors.

Threat actors have also adopted recruitment-style tactics, posing as employers to target individuals already working in the sector.

By contrast, non-DPRK threat actors typically transfer 60% of stolen funds in much larger batches, often ranging from $1 million to more than $10 million. Chainalysis said this structure reflects a more deliberate and sophisticated approach to laundering, despite North Korea stealing larger overall amounts.

In contrast, other stolen-fund actors more frequently interact with decentralized exchanges, centralized platforms, peer-to-peer services, and lending protocols.