North Korea Stole Over $2B in Crypto in 2025 Despite Fewer Confirmed Attacks: Chainalysis

The Bybit hack alone drove nearly half of 2025 crypto losses and exposed the growing impact of single catastrophic failures.

Chainalysis has identified a major escalation in global cryptocurrency theft in 2025, with more than $3.4 billion stolen between January and early December.

This represents one of the most severe years on record for crypto-related crime. A single incident, the compromise of Bybit, accounted for approximately $1.5 billion of that total.

Crypto Crime Enters a New Era

The data also points to meaningful structural change in where losses are occurring. Personal wallet compromises have grown significantly over recent years, and rose from just 7.3% of total stolen value in 2022 to 44% in 2024.

In 2025, however, the distribution of stolen funds would have looked substantially different were it not for the outsized impact of the Bybit incident, which heavily skewed losses back toward centralized services. These services continue to face a fundamental challenge around private key security. While large-scale key compromises remain infrequent, their consequences are severe when they do occur. As a result, centralized platforms accounted for 88% of stolen value in the first quarter of 2025, despite the relatively low number of such incidents.

The report pointed to a massive widening in the gap between typical crypto thefts and the largest attacks. Historically, stolen fund activity has always been driven by outliers, but in 2025, the ratio between the largest hack and the median incident crossed the 1,000x threshold for the first time, based on the USD value of funds at the time of theft.

This surpasses even the extremes observed during the 2021 bull market and indicates a growing concentration of risk. In practical terms, the top three hacks in 2025 accounted for 69% of all service-related losses, which demonstrated how individual breaches now exert an outsized influence on annual totals even as median incident sizes continue to move more gradually with asset prices.

North Korea remains the dominant nation-state threat actor in this environment. In 2025, DPRK-linked hackers stole at least $2.02 billion in cryptocurrency, $681 million more than in 2024. It represented a 51% year-over-year increase and accounted for a record 76% of all service compromises.

You may also like:

Fewer Hacks, Bigger Hauls

This occurred despite an assessed reduction in the number of confirmed DPRK-attributed incidents, pushing the lower-bound cumulative estimate of cryptocurrency stolen by North Korea to $6.75 billion. Chainalysis attributes the scale of these thefts to North Korea’s growing reliance on embedded IT workers, who infiltrate exchanges, custodians, and Web3 firms to secure privileged internal access ahead of major breaches.

The report also provides rare insight into DPRK laundering behavior. While North Korean hackers consistently steal larger sums, they tend to move funds on-chain in smaller tranches, with over 60% of volume transferred below $500,000.

Their laundering activity shows strong preferences for Chinese-language guarantee and money movement services, cross-chain bridges, mixing services, and specialized platforms. These collectively indicate how crypto theft in 2025 has become more concentrated, more strategic, and increasingly driven by geopolitical actors rather than opportunistic