North Korean Hackers Stole a Record $2 Billion of Crypto in 2025, Chainalysis Says

North Korean cyber units have escalated their crypto thefts, pulling in a record $2 billion in 2025 and pushing the regime’s cumulative haul to $6.75 billion. The surge is driven by a handful of massive service‑level breaches, most notably the March attack on Bybit that alone cost $1.4 billion. This concentration on centralized exchanges marks a strategic shift from frequent, low‑value hits to rare, high‑impact operations, forcing regulators and custodians to reassess perimeter defenses and incident‑response playbooks.

The laundering pipeline behind these heists is increasingly sophisticated. Chainalysis reports that DPRK‑linked actors consistently break down stolen funds into sub‑$500,000 parcels, routing them through Chinese‑language guarantee services, over‑the‑counter brokers, and a web of mixers, bridges, and selective DeFi protocols. Analysts attribute the efficiency and scale of this workflow to artificial‑intelligence tools that automate transaction routing and obfuscation, shortening the typical 45‑day laundering window. For compliance teams, the pattern signals a need for granular monitoring of small‑batch transfers and cross‑border network analysis to disrupt the cash‑out phase before funds are fully integrated.

The broader crypto theft landscape is polarizing. While total incidents rose to 158,000, the value extracted from individual wallets dropped 52% to $713 million, indicating attackers are targeting more users but extracting less per victim. This dual‑track threat—mass, low‑value consumer scams alongside catastrophic exchange breaches—complicates risk modeling for platforms. Exchanges must prioritize hardened API security, real‑time anomaly detection, and collaboration with law‑enforcement to counter state‑sponsored actors who now dominate service‑level compromises. The evolving threat underscores the importance of proactive threat‑intel sharing and adaptive security architectures in the crypto ecosystem.