North Korean hackers stole a record $2.02 billion in cryptocurrency in 2025, according to a new Chainalysis report, surpassing the previous year's haul by 51 percent and bringing their total to $6.75 billion. The thefts, which accounted for 60 percent of the global total of $3.4 billion stolen, were driven by fewer but larger attacks, including a $1.5 billion breach of the Dubai-based Bybit exchange in February. Experts attribute the success to sophisticated tactics like embedding IT workers in crypto firms and impersonating recruiters.
The Chainalysis report, released on December 18, 2025, highlights a shift in cryptocurrency theft patterns, with North Korea (the Democratic People's Republic of Korea, DPRK) remaining the dominant threat actor. Despite 74 percent fewer confirmed incidents compared to 2024, DPRK hackers achieved outsized results by targeting centralized services with high reserves. The February hack of Bybit, linked to North Korea's elite Lazarus Group by U.S. authorities, alone accounted for $1.5 billion in Ethereum and other assets, marking the largest crypto heist on record.
Blockchain analysts note that DPRK operatives increasingly infiltrate crypto companies by fraudulently securing remote IT jobs or posing as recruiters on platforms like Upwork. 'North Korean threat actors are increasingly achieving these outsized results often by embedding IT workers inside crypto services to gain privileged access,' the report states. At the executive level, they simulate investment pitches to extract credentials and system access. Security researcher Pablo Sabbatella estimated that 30 to 40 percent of job applications to crypto firms come from North Korean operatives.
Laundering patterns reveal DPRK preferences for Chinese-language services, cross-chain bridges, and mixing protocols, with funds moved in small tranches under $500,000 over a typical 45-day cycle. This differs from other cybercriminals, who favor larger transfers and DeFi lending. The United Nations has long accused North Korea of using these funds to evade sanctions and finance its nuclear and missile programs.
Globally, personal wallet compromises surged to 158,000 incidents affecting 80,000 victims, though total value stolen fell to $713 million. DeFi hacks remained low despite rising total value locked, suggesting improved security measures, as seen in Venus Protocol's rapid response to a September attack, a response that recovered all funds.
Experts warn of ongoing risks. 'North Korea’s crypto theft activity is a sanctions, national security, and financial crime issue,' said Chris Wong, a former FBI agent at TRM Labs. Chainalysis head of national security intelligence Andrew Fierman emphasized the need for better detection of DPRK's distinct on-chain behaviors.