North Korea-Linked Hackers Account for 59% of 2025 Crypto Thefts, Exceeding $2 Billion: Report

• Record-Breaking Theft: DPRK actors accounted for $2.02 billion stolen, up 51% from last year.

• Overall crypto losses reached $3.4 billion in 2025, with North Korea dominating 59% of incidents.

• Evolving Tactics: Attacks dropped by 74%, but individual hauls like the $1.5 billion Bybit hack show increased sophistication, per Chainalysis data.

North Korean cryptocurrency theft surges to $2.02B in 2025, claiming 59% of all hacks. Discover evolving DPRK tactics and industry defenses in this Chainalysis-backed analysis. Stay secure—learn how to spot threats today.

What is the Extent of North Korean Cryptocurrency Theft in 2025?

North Korean cryptocurrency theft has reached unprecedented levels in 2025, with hackers from the Democratic People’s Republic of Korea (DPRK) stealing $2.02 billion in digital assets so far this year. According to a report from blockchain analytics firm Chainalysis, this figure accounts for 59% of the total $3.4 billion in cryptocurrency thefts recorded globally in 2025, marking a 51% increase from the previous year’s totals. The surge highlights the DPRK’s growing reliance on crypto heists to fund state activities amid international sanctions.

How Do North Korean Hackers Evolve Their Attack Strategies?

North Korean hackers have shifted toward fewer but far more impactful operations, as detailed in the Chainalysis report. For instance, the February 2025 attack on Bybit exchange resulted in $1.5 billion stolen, an incident the U.S. Federal Bureau of Investigation (FBI) attributed to DPRK-linked groups. This evolution reduces the number of attacks by 74% compared to prior years while maximizing damage per incident.

Experts note that DPRK actors prioritize high-value targets like centralized exchanges and DeFi protocols. “The cryptocurrency industry must enhance vigilance around these high-value assets,” states the Chainalysis analysis, emphasizing improved detection of DPRK-specific laundering patterns. These patterns include preferences for certain service types and transfer amounts, which help distinguish DPRK activities from other cybercriminals.

Supporting data from Chainalysis reveals a consistent three-wave, 45-day laundering process: initial transfers via Chinese-language services, cross-chain bridging to obscure trails, and heavy use of crypto mixers. This methodology has remained stable over recent years, providing investigators with identifiable on-chain footprints. By focusing on these markers, security teams can better trace and mitigate threats before they escalate.

Frequently Asked Questions

What Percentage of 2025 Crypto Thefts Are Attributed to North Korea?

According to Chainalysis, North Korean hackers are responsible for 59% of all cryptocurrency thefts in 2025, totaling $2.02 billion out of $3.4 billion stolen globally. This dominance underscores the DPRK’s sophisticated cyber operations targeting the crypto sector to bypass sanctions.

How Can Crypto Exchanges Detect North Korean Hacker Infiltration Attempts?

Crypto exchanges like Binance report daily attempts by North Korean actors to gain employment and insider access, often using AI-generated videos and voice changers during interviews. Detection relies on identifying common red flags, such as unusual behavioral patterns, and sharing intelligence via secure channels like Telegram and Signal. Additionally, rigorous code reviews for poisoned NPM packages help prevent supply chain attacks.

Key Takeaways

• Surge in Efficiency: DPRK thefts rose 51% to $2.02 billion in 2025 with 74% fewer attacks, signaling a strategic pivot to high-impact operations.
• Laundering Patterns: A distinct 45-day process involving Chinese services, cross-chain bridges, and mixers offers key detection opportunities for blockchain analysts.
• Industry Response: Exchanges must bolster insider threat detection and code auditing to counter evolving DPRK tactics and prevent future mega-heists.

Conclusion

In 2025, North Korean cryptocurrency theft has redefined cyber risks in the digital asset space, with DPRK hackers securing $2.02 billion—59% of total losses—and demonstrating refined strategies like the Bybit breach. As Chainalysis warns, recognizing these actors’ unique operational rules is crucial for the industry’s defense against state-sponsored threats. Looking ahead, enhanced collaboration and advanced monitoring will be essential to safeguard assets and deter further escalation in 2026.