How North Korea Pulled Off $2 Billion in Crypto Theft in 2025
The crypto industry experienced a major escalation in global cryptocurrency theft in 2025, with losses exceeding $3.4 billion between January and early December, according to a new report from Chainalysis.
The surge was largely driven by North Korea-linked hackers, who were responsible for the majority of stolen funds during the year.
Inside North Korea’s Record $2 Billion Crypto TheftIn its latest report, blockchain analytics firm Chainalysis pointed out that there was a significant decline in the Democratic People’s Republic of Korea’s (DPRK) attack frequency. Still, they achieved a record-breaking year in terms of cryptocurrency theft.
North Korean hackers stole at least $2.02 billion in digital assets in 2025. This marked a 51% year-over-year increase. Compared with 2020 levels, the amount represents a surge of approximately 570%.
“This year’s record haul came from significantly fewer known incidents. This shift — fewer incidents yielding far greater returns — reflects the impact of the massive Bybit hack in March 2025,” Chainalysis noted.
Furthermore, the report revealed that DPRK-linked actors were responsible for a record 76% of all service compromises during the year.
Taken together, the 2025 figures push the lower-bound cumulative estimate of cryptocurrency funds stolen by North Korea to $6.75 billion.
“This evolution is a continuation of a long-term trend. North Korea’s hackers have long demonstrated a high degree of sophistication, and their operations in 2025 highlights that they are continuing to evolve both their tactics and their preferred targets,” Andrew Fierman, Chainalysis Head of National Security Intelligence, told BeInCrypto.
Drawing on historical data, Chainalysis determined that the DPRK continues to carry out significantly higher-value attacks than other threat actors.
“This pattern reinforces that when North Korean hackers strike, they target large services and aim for maximum impact,” the report reads.
DRPK vs Other Hackers. Source: Chainalysis
According to Chainalysis, North Korea-linked hackers are increasingly generating outsized results by placing operatives in technical roles within crypto-related companies. This approach, one of the principal attack vectors, enables threat actors to gain privileged access and execute more damaging intrusions.
In July, blockchain investigator ZachXBT published an exposé claiming that North Korea-linked operatives infiltrated between 345 and 920 jobs across the crypto industry.
“Part of this record year likely reflects an expanded reliance on IT worker infiltration at exchanges, custodians, and web3 firms, which can accelerate initial access and lateral movement ahead of large‑scale theft,” the report stated.
Threat actors have also adopted recruitment-style tactics, posing as employers to target individuals already working in the sector.
Furthermore, BeInCrypto recently reported that hackers were impersonating trusted industry contacts in fake Zoom and Microsoft Teams meetings. Using this tactic, they stole more than $300 million.
“DPRK will always seek to identify new attack vectors, and areas where vulnerabilities exist to exploit funds. Combine that with the regimes’ lack of access to the global economy, and you end up with a motivated, sophisticated nation state threat that seeks to gain as much capital for the regime as possible. As a result, private key compromises of centralized services have driven significant proportions of exploit volume this year,” Fierman detailed.
These North Korean hackers are advanced, creative and patient. I have seen/heard:
1. They pose as job candidates to try to get jobs in your company. This gives them a “foot in the door”. They especially like dev, security, finance positions.
2. They pose as employers and try to… https://t.co/axo5FF9YMV