

North Korean government-linked hackers stole more than $2 billion in digital currencies during 2025, even as the total number of recorded crypto attacks dropped sharply from the previous year.
Investigators said attack activity declined by 74%, yet financial damage increased because threat actors shifted toward fewer operations targeting significantly larger amounts of capital. Ethereum and Solana absorbed most of the losses, reflecting the attackers’ focus on liquid networks and centralized crypto platforms.
The largest incident occurred in February, when hackers siphoned $1.5 billion from the Bybit exchange in a single breach, accounting for most of the stolen funds recorded during the year.
That event became the largest crypto theft on record and reshaped annual loss figures almost entirely on its own. Subsequent incidents, including a reported breach involving Upbit, reinforced ongoing risks facing crypto service providers.
Although exchanges continued to strengthen security controls, attackers adjusted their methods, prioritizing operational access over exploiting software vulnerabilities. As a result, a smaller number of breaches produced outsized financial losses across the digital asset sector.
Chainalysis reported that North Korea has now stolen approximately $6.75 billion in cryptocurrency since 2016, marking a steady evolution in its operational approach.
Earlier campaigns relied on numerous small attacks, while recent activity reflects a deliberate move toward rare but high-impact service-level breaches.
This shift explains why overall losses climbed even as attack frequency declined.
Investigators found that North Korean operatives are increasingly gaining access by embedding themselves within crypto companies as IT staff. These roles provide visibility into internal systems, security processes, and private key management that external attackers rarely obtain.
Such access allows attacks to occur with precision and limited early detection.
Hackers also pose as recruiters from established crypto firms to target industry professionals. Victims receive interview requests containing malware disguised as technical screening software. Once installed, the programs collect credentials and enable deeper network access.
CoinDesk reported that North Korea is now using artificial intelligence to streamline money-laundering operations following major crypto thefts. Andrew Fierman of Chainalysis said the speed and consistency of these movements indicate automated coordination across multiple blockchain systems. This structure allows stolen funds to move rapidly across assets and platforms.
Chainalysis found that stolen crypto typically passes through mixers, DeFi protocols, and cross-chain bridges early in the laundering process. Funds then move through a series of stages until they are finally integrated. Most large thefts follow a recurring 45-day laundering window observed across multiple years.
Meanwhile, theft patterns affecting individual users also shifted during 2025. Personal wallet compromises represented 20% of the total value stolen, down from 44% the year before. Although incidents rose to 158,000, losses from individuals fell 52% to $713 million.
Investigators linked the change to tighter exchange security and growing legal scrutiny.
A recent court ruling classified XRP as property in cases involving stolen crypto assets.
North Korean laundering methods, including the use of Chinese services and cross-chain bridges, continue to assist tracing efforts.
North Korean crypto hacks drove more than $2 billion in losses during 2025 as attackers shifted toward fewer but far larger exchange breaches. AI-driven laundering and insider access reshaped attack methods. The pattern shows rising risks from rare high-impact incidents, reinforcing the need for stronger detection and faster intervention.