invezz.com
North Korean state-linked hacks stole at least $2.02 billion in digital assets in 2025, a 51% year-on-year jump, according to Chainalysis.
They accounted for a record 76% of service-level compromises, pushing the DPRK’s lower-bound cumulative haul to $6.75 billion.
Across the market, theft exceeded $3.4 billion from January through early December, propelled by a handful of outsized breaches led by the $1.4 billion hack of Bybit.
Chainalysis said just three incidents made up 69% of losses, underscoring a shift toward fewer but larger attacks.
A record year for crypto hacks
Copy link to section
Chainalysis’ report found that the top three hacks in 2025 comprised 69% of all service losses, with the largest incident exceeding 1,000 times the median theft for the first time.
The firm also highlighted that private key compromises drove 88% of losses in the first quarter, even at organisations with institutional security teams.
The March Bybit breach was the year’s biggest single event at $1.4 billion, setting the tone for an outlier-driven year where a small number of hits caused most of the damage.
Chainalysis said investigators actually confirmed fewer incidents, but the average impact per incident rose.
DPRK tactics: fewer attacks, bigger hauls
Copy link to section
Unlike other criminal groups, North Korean operators primarily target large centralised services for maximum effect, according to Chainalysis.
The firm said DPRK-linked actors increasingly embed IT workers inside exchanges, custodians, and Web3 firms to gain privileged access that can be leveraged for high-impact compromises.
Chainalysis also described a disciplined laundering playbook that typically unfolds over roughly 45 days after a major theft.
DPRK-linked wallets rely heavily on Chinese-language guarantee services, brokers, and over-the-counter networks, and make extensive use of cross-chain bridges and mixing services, while largely avoiding DeFi lending protocols, decentralized exchanges, and peer-to-peer venues favored by other actors.
Their on-chain behaviour is distinct. Chainalysis said slightly over 60% of DPRK-linked transfers occur in tranches below $500,000, whereas other groups more often move funds in million-dollar or larger batches.
Personal wallets see more incidents, smaller sums
Copy link to section
On the other end of the spectrum, personal wallets have remained a popular target.
Chainalysis said they represented 7.3% of the stolen value in 2022 and 44% in 2024.
In 2025, the share is around 20%, though excluding the Bybit incident, it would be closer to 37%.
The total value taken from individuals fell from $1.5 billion in 2024 to $713 million this year, even as incidents surged to 158,000 with at least 80,000 victims.
Chainalysis said attackers are hitting more users but extracting less per victim.