Over $3.4 billion in crypto stolen throughout 2025, with North Korea again the top culprit
Summary
Chainalysis says more than $3.4 billion of cryptocurrency was stolen in 2025, with at least $2.02 billion — around 59% of the total — attributed to North Korean-linked actors. The year saw fewer but much larger hits, including a $1.5 billion theft from Bybit and a separate $30 million strike allegedly tied to North Korea. Attackers focused on large, centralised targets and relied on private key compromises, social engineering and supply-chain tactics. Laundering approaches shifted too: Pyongyang-linked groups moved funds in smaller $500,000 slices and relied heavily on Chinese-language platforms, OTC traders and weak-compliance exchanges.
Key Points
- Total crypto theft in 2025: more than $3.4 billion.
- At least $2.02 billion attributed to North Korean-linked hackers — $681 million more than in 2024.
- Major incidents include a $1.5 billion Bybit theft and an alleged $30 million Upbit incident.
- Attack methods: private key compromises, social engineering, supply-chain exploits and infiltration via a parallel IT worker recruitment campaign.
- Laundering tactics: breaking funds into ~$500,000 chunks, using Chinese-language platforms with weak compliance and OTC networks across the Asia-Pacific region.
- Since 2022 Chainalysis links North Korea to roughly $6.75 billion in stolen crypto; 76% of value-based service compromises in 2025 were tied to North Korea.
Content Summary
Chainalysis’ annual review highlights a shift in 2025 from many small thefts to a smaller number of high-value intrusions. North Korean operators concentrated on large centralised services with substantial reserves, using social engineering and insider-style tactics — including recruiting IT workers into roles at exchanges and custodians — to obtain private keys and implant backdoors.
Once stolen, funds were laundered differently from typical cybercrime norms: instead of moving million-plus-dollar tranches, Pyongyang-linked groups preferred ~$500,000 transfers through Chinese-language platforms with lax controls, OTC traders and informal money-laundering networks in the region. Chainalysis points to deep integration between DPRK actors and Asia-Pacific illicit finance services as a key enabler.
Context and Relevance
This is one of the most significant crypto-crime reports of the year because it shows a state-level actor refining both attack and laundering tradecraft to target the largest pools of crypto liquidity. For anyone in crypto ops, compliance, risk or cyber defence, the report underscores why centralised reserves, private-key management and vendor/supply-chain security must be priorities.
The laundering detail — smaller tranche sizes, heavy use of Chinese-language services and OTC traders — also matters for sanctions enforcement and transaction monitoring teams, who will need tailored rules to spot these patterns rather than relying on older heuristics that expect million-dollar moves.
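As an added illustration of the kind of tailored rule described above (not taken from the Chainalysis report or the source article), the Python example below compares a single-transaction $1 million threshold with a rule that sums near-$500,000 transfers per source cluster inside a rolling window. The tolerance band, 24-hour window, aggregate threshold, field names and sample transfers are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values (not from the report), except the ~$500,000 tranche size.
TRANCHE_USD = 500_000
TOLERANCE = 0.15                   # accept roughly 425k-575k as "near tranche size"
WINDOW = timedelta(hours=24)
AGGREGATE_ALERT_USD = 1_000_000
LEGACY_SINGLE_TX_USD = 1_000_000   # older heuristic: one million-dollar move

T0 = datetime(2025, 1, 1)
# Constructed sample transfers: (source cluster, destination, hours after T0, USD)
ROWS = [
    ("cluster-A", "otc-1", 0, 498_000), ("cluster-A", "otc-2", 2, 512_000),
    ("cluster-A", "otc-3", 5, 505_000), ("cluster-A", "otc-1", 6, 490_000),
    ("cluster-B", "exch-1", 1, 480_000), ("cluster-C", "exch-2", 3, 2_500_000),
    ("cluster-D", "otc-4", 0, 500_000), ("cluster-D", "otc-4", 72, 500_000),
]
TRANSFERS = [{"src": s, "dst": d, "ts": T0 + timedelta(hours=h), "usd": u}
             for s, d, h, u in ROWS]

def legacy_alerts(transfers):
    """Older heuristic: flag only single transfers at or above $1M."""
    return [t for t in transfers if t["usd"] >= LEGACY_SINGLE_TX_USD]

def tranche_alerts(transfers):
    """Flag sources whose near-$500k transfers sum past the aggregate level within WINDOW."""
    lo, hi = TRANCHE_USD * (1 - TOLERANCE), TRANCHE_USD * (1 + TOLERANCE)
    by_src = defaultdict(list)
    for t in transfers:
        if lo <= t["usd"] <= hi:
            by_src[t["src"]].append(t)
    alerts = {}
    for src, txs in by_src.items():
        txs.sort(key=lambda t: t["ts"])
        start, total = 0, 0
        for end, tx in enumerate(txs):
            total += tx["usd"]
            while tx["ts"] - txs[start]["ts"] > WINDOW:  # drop transfers outside the window
                total -= txs[start]["usd"]
                start += 1
            if total >= AGGREGATE_ALERT_USD and total > alerts.get(src, {}).get("usd", 0):
                dests = sorted({x["dst"] for x in txs[start:end + 1]})
                alerts[src] = {"usd": total, "count": end - start + 1, "dests": dests}
    return alerts

if __name__ == "__main__":
    print("legacy:", [t["src"] for t in legacy_alerts(TRANSFERS)])
    print("tranche:", tranche_alerts(TRANSFERS))
```

On this constructed data the single-transaction threshold sees only cluster-C, while the windowed rule surfaces cluster-A and ignores the isolated or widely spaced transfers from cluster-B and cluster-D.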
Why should I read this?
Quick take: if you care about crypto risk, regulation or security, this one’s essential. It shows state-backed actors getting smarter — hitting fewer targets but with far bigger paydays, and laundering cash in ways that dodge the usual red flags. Read it to know what to watch for and where your controls are most exposed.
Author style
Punchy: this report matters. It’s not just another quarterly stat — it demonstrates a tactical evolution by an actor using state resources to monetise crypto, and the consequences ripple across exchanges, custodians and compliance teams. Worth a close read if you work in the space.
Source
Source: https://therecord.media/over-3-billion-crypto-stolen-2025-north-korea
