North Korea-Linked Hackers Steal Record $2.02 Billion in Cryptocurrency in 2025

North Korean state-sponsored hackers achieved a record-breaking year in cryptocurrency theft, stealing at least $2.02 billion from January through early December 2025. This represents a 51% increase from 2024 and pushes their cumulative known haul since 2016 to approximately $6.75 billion, according to blockchain analytics firm Chainalysis.

The surge underscores the reliance of the Democratic People’s Republic of Korea (DPRK) on crypto crime to fund state activities amid international sanctions.

Details of the Record Theft

Chainalysis reports that DPRK-linked actors (primarily the Lazarus Group) accounted for 76% of all centralized service compromises by value in 2025, despite conducting 74% fewer known attacks than in 2024.

  • The largest single incident was the $1.5 billion theft from Dubai-based exchange Bybit in February 2025 — the biggest crypto heist in history.
  • Overall global crypto theft reached $3.4 billion through early December, with DPRK responsible for ~60%.
  • Tactics evolved: Fewer attacks but higher impact, often via embedded IT workers (infiltration of crypto firms) and advanced social engineering for privileged access.

Laundering patterns remain consistent: Funds moved in tranches under $500,000 through Chinese-language services, bridges, mixers, and DeFi protocols — often in a ~45-day cycle.

Impact and Recommendations

  • Funding implications: U.S. and UN assessments indicate these thefts support DPRK’s weapons programs (nuclear/ballistic missiles).
  • Industry shift: Centralized services bore the brunt, while DeFi losses were suppressed due to better security.
  • Broader threat: Personal wallet compromises rose sharply (158,000 incidents, ~$713 million stolen).

  • Recommendations:
      • Exchanges/custodians: Strengthen employee vetting and insider threat detection.
      • Implement phishing-resistant MFA and zero-trust for privileged access.
      • Monitor for anomalous transactions (small tranches, bridges/mixers).
      • Use blockchain intelligence tools for real-time alerts on known DPRK addresses.
      • Users: Use hardware wallets and avoid unverified job offers in crypto.
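The transaction-monitoring recommendation above can be expressed as a sliding-window rule; this is an added example, not code from Chainalysis or the original article. The $500,000 cap and 45-day window come from the laundering pattern described above, while the record layout, the destination category labels, the three-transfer alert threshold, and the sample data are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

TRANCHE_CAP_USD = 500_000            # article: tranches under $500,000
WINDOW = timedelta(days=45)          # article: ~45-day laundering cycle
RISKY = {"bridge", "mixer", "defi"}  # assumed labels from an intelligence feed
MIN_TRANCHES = 3                     # assumed alert threshold

# Constructed sample transfers: (day, source, destination category, USD value)
SAMPLE = [
    (date(2025, 3, 1), "wallet_A", "bridge", 480_000),
    (date(2025, 3, 4), "wallet_A", "mixer", 495_000),
    (date(2025, 3, 20), "wallet_A", "defi", 450_000),
    (date(2025, 4, 10), "wallet_A", "bridge", 499_000),
    (date(2025, 3, 2), "wallet_B", "exchange", 120_000),  # ordinary deposit
    (date(2025, 3, 9), "wallet_B", "bridge", 30_000),     # single bridge use
    (date(2025, 1, 5), "wallet_C", "mixer", 400_000),     # spread over months
    (date(2025, 6, 1), "wallet_C", "mixer", 400_000),
    (date(2025, 9, 1), "wallet_C", "bridge", 400_000),
    (date(2025, 5, 1), "wallet_D", "bridge", 2_000_000),  # above the cap
]

def flag_structured_outflows(transfers):
    """Map each flagged source to (count, total_usd, first_day, last_day)
    for its densest 45-day run of sub-cap transfers to risky services."""
    by_source = defaultdict(list)
    for day, src, category, usd in transfers:
        if category in RISKY and usd < TRANCHE_CAP_USD:
            by_source[src].append((day, usd))
    alerts = {}
    for src, hits in by_source.items():
        hits.sort()
        start, total = 0, 0
        for end, (day, usd) in enumerate(hits):
            total += usd
            # Shrink the window until it spans at most 45 days.
            while day - hits[start][0] > WINDOW:
                total -= hits[start][1]
                start += 1
            count = end - start + 1
            if count >= MIN_TRANCHES and count > alerts.get(src, (0,))[0]:
                alerts[src] = (count, total, hits[start][0], day)
    return alerts

if __name__ == "__main__":
    for src, hit in flag_structured_outflows(SAMPLE).items():
        print(src, hit)
```

The rule deliberately ignores the single above-cap transfer from wallet_D, which a separate large-value alert would cover.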

North Korean threat actors are increasingly achieving these outsized results by embedding IT workers inside crypto services to gain privileged access and enable high-impact compromises.

Chainalysis Crypto Hacking Stolen Funds Report (December 2025)

Source and Full Details

Chainalysis: Crypto Hacking Stolen Funds 2025:

https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2026/
