North Korean-linked hacking groups stole at least $2.02 billion in cryptocurrency during 2025, marking the largest annual haul ever attributed to the regime, according to a new report from blockchain analytics firm Chainalysis.
The figure represents a 51% increase compared to 2024 and pushes the total amount stolen by North Korea since tracking began to an estimated $6.75 billion.
Fewer Attacks, Much Larger Impact
While the overall value stolen surged, the number of known attacks actually declined. Chainalysis notes a clear shift in strategy, with hackers focusing on fewer but far more damaging operations. This change was highlighted by the February 2025 breach of the Bybit exchange, where attackers drained roughly $1.5 billion in a single incident. That one attack alone accounted for the majority of the year’s total losses.
The trend suggests North Korean cyber units are prioritizing access to high-value targets rather than executing a large number of smaller hacks.

Crypto Theft As A Sanctions Workaround
According to the report, stolen digital assets remain a crucial funding source for Pyongyang. The proceeds are believed to help the regime bypass international sanctions and finance weapons of mass destruction and ballistic missile programs. Chainalysis and intelligence agencies have repeatedly linked crypto theft operations to state-sponsored efforts to support North Korea’s military ambitions.
Social Engineering Replaces Technical Exploits
The report highlights a notable evolution in attack methods. Rather than relying primarily on technical vulnerabilities, North Korean hackers are increasingly exploiting human behavior. Common tactics include embedding IT workers inside target companies, impersonating executives, and using sophisticated social engineering schemes to obtain privileged access.
This shift underscores that the weakest point in many security systems is no longer the code, but the people operating it.
Laundering Through Cross-Chain Tools And Mixers
Once funds are stolen, laundering remains highly structured. Chainalysis found that North Korean actors often favor Chinese-language laundering services, cross-chain bridges, and mixing protocols. Transactions are typically broken into smaller amounts to reduce the risk of detection as funds move across multiple networks.
These methods complicate tracking efforts and slow down enforcement actions, even when stolen funds are identified quickly.
Growing Focus On Individual Wallets
In addition to exchanges, the report points to a rising number of attacks on high-net-worth individual wallets. These targets often lack the layered security and monitoring used by large platforms, making them more vulnerable despite holding substantial balances.
Chainalysis concludes that as institutional defenses improve, attackers are increasingly shifting toward individuals as an easier entry point into the crypto ecosystem.
A Changing Threat Landscape
The 2025 figures reinforce the view that North Korea’s cyber operations are becoming more targeted, more patient, and more financially impactful. With fewer attacks generating far greater losses, the report warns that both institutions and individuals must adapt their security practices to a threat environment where human trust is increasingly being weaponized.






