North Korean hackers stole a record $2 billion of crypto in 2025, Chainalysis says

North Korean hackers stole at least $2 billion in cryptocurrency this year, the most on record, pushing the Democratic People’s Republic of Korea’s (DPRK) all-time haul to $6.75 billion, according to a new Chainalysis report.

The figure represents a 51% increase over 2024 from fewer confirmed incidents. The numbers underscore a shift toward fewer, dramatically larger attacks, underpinned by March’s $1.4 billion hack of Bybit.

In contrast to other cybercriminals, North Korean groups overwhelmingly target large, centralized crypto services, aiming for maximum impact rather than frequency, the report said. DPRK-linked actors were responsible for 76% of all service-level compromises in 2025, the most ever recorded.

How they launder the cash also stands out. While other hackers tend to distribute stolen funds in large onchain transfers, DPRK actors consistently work with smaller tranches below $500,000, a sign of increasingly sophisticated operational security.

DPRK-linked wallets show a heavy reliance on Chinese-language guarantee services, brokers and over-the-counter networks, as well as extensive use of bridges and mixing services. They largely avoid the DeFi lending protocols, decentralized exchanges and peer-to-peer platforms favored by other criminals. These patterns suggest structural constraints and a dependence on specific regional facilitators rather than broad access to global financial infrastructure.

Earlier this year, CoinDesk reported on how North Korea is now using AI as a “superpower” in its hacking efforts.

“North Korea facilitates the laundering of their crypto heists with consistency and fluidity indicative of the use of AI,” Andrew Fierman, head of national security intelligence at Chainalysis told CoinDesk.

“The mechanism by which the laundering is structured, and the scale at which it is done, creates a workflow that combines mixers, DeFi protocols, and bridges early on in the laundering process to convert funds across various crypto assets,” he said. “To execute this type of efficacy in stealing such large volumes of crypto, North Korea needs a large laundering network, along with streamlined mechanisms to facilitate that laundering, which likely comes in the form of the use of AI.”

Analysis of post-hack activity reveals that major North Korean thefts typically unfold over a roughly 45-day laundering window, moving through distinct phases from immediate obfuscation to final integration, Chainalysis said. While not universal, the consistency of this timeline across multiple years provides valuable intelligence for law enforcement and compliance teams seeking to intercept stolen funds before they are fully cashed out.

At the same time, the broader theft landscape is shifting. Personal wallet compromises accounted for 20% of total value stolen in 2025, dropping from 44% last year. While the number of incidents surged to 158,000, the dollar value taken from individual victims fell 52% to $713 million. The data suggest attackers are targeting more users but stealing less from each.

As the year winds to a close, North Korea’s crypto hacking efforts show no sign of curtailing, the report’s findings point to an increasingly polarized threat environment: mass, low-value thefts from individuals on one end, and rare but catastrophic service-level breaches on the other, with North Korea firmly at the center of the latter.