
On December 18, 2025, new data revealed that North Korea has driven a record-breaking $2.02 billion in cryptocurrency theft this year, pushing its all-time total to an astonishing $6.75 billion.
The findings highlight a dramatic escalation in the scale of cyberattacks linked to the Democratic People’s Republic of Korea (DPRK), even as the number of confirmed incidents has sharply declined.
According to Chainalysis, the surge reflects increasingly sophisticated tactics and a shift toward fewer but far more damaging operations.
The report shows that DPRK-linked hackers accounted for 76% of all service compromises in 2025, marking the most severe year on record.
Despite a 74% drop in known attack frequency, the total value stolen soared by 51% compared to 2024.
This trend underscores a strategic evolution: instead of frequent small breaches, North Korean threat actors are now executing fewer, high-impact attacks targeting major exchanges and centralized services.

North Korea’s Crypto Theft Hits $2 Billion in 2025

One of the biggest contributors to this year’s spike was the massive Bybit hack in February 2025, which alone accounted for $1.5 billion in stolen funds.
Chainalysis notes that centralized platforms remain vulnerable due to private key compromises, which represented 88% of losses in Q1 2025.
Meanwhile, personal wallet compromises surged to 158,000 incidents affecting at least 80,000 victims, although the total value stolen from individuals dropped to $713 million.
The report also highlights that the top three hacks of 2025 accounted for 69% of all service-related losses.
The largest incidents were more than 1,000 times bigger than the median theft, marking the first time this threshold has been crossed. This widening gap shows how catastrophic single breaches have become in the crypto ecosystem.

DPRK’s Laundering Tactics Grow More Sophisticated

North Korean cybercriminals continue to rely heavily on Chinese-language money laundering networks, cross-chain bridges, and mixing services.
Over 60% of their laundering activity involves transfers under $500,000, a tactic designed to avoid detection.
Chainalysis reports that DPRK-linked actors follow a predictable 45-day laundering cycle after major hacks, moving funds through multiple waves of DeFi protocols, mixers, and no-KYC exchanges.
In contrast, other cybercriminal groups show stronger preferences for decentralized exchanges, lending protocols, and peer-to-peer platforms.
The DPRK’s unique laundering footprint reflects its reliance on Asia-Pacific illicit networks and its need to bypass international sanctions.
With billions already stolen and laundering methods becoming more advanced, the challenge for exchanges and regulators will be detecting and stopping these operations before another Bybit-scale breach occurs.

