In brief

  • Hackers linked to the Democratic People’s Republic of Korea (aka North Korea) have stolen $2.02 billion worth of crypto so far in 2025.
  • That's a 51% increase from last year, and accounts for 59% of all stolen crypto funds so far this year.
  • Chainalysis says that attackers are carrying out fewer breaches, but ultimately inflicting much more damage.

Hackers from the Democratic People’s Republic of Korea, also known as the DPRK or North Korea, have stolen $2.02 billion worth of crypto so far in 2025, a Chainalysis report revealed Thursday.

This represents a 51% increase from last year’s figure, and is the largest year on record for DPRK-related crypto theft. As a whole, crypto has seen $3.4 billion in thefts this year, the report says, meaning that DPRK attacks account for 59% of these stolen funds.

Chainalysis believes that the data shows an “evolution” from North Korea, as they start to commit fewer attacks but inflict significantly more damage with each strike. February’s $1.5 billion Bybit attack, which the FBI linked to the DPRK, is a key example of this evolution.

“For the cryptocurrency industry, this evolution demands enhanced vigilance around high-value targets and improved detection of DPRK's specific laundering patterns,” the report states. “Their consistent preferences for certain service types and transfer amounts provide detection opportunities, distinguish them from other criminals, and can help investigators identify their on-chain behavioral footprint.”

Chainalysis claims to have identified a distinct three-wave, 45-day-long laundering pattern that DPRK attackers usually follow. Identifiers include the use of Chinese-language services, heavy reliance on bridging assets across chains to confuse tracking, and greater use of crypto mixing services. This pattern, the report says, has persisted over the past few years.

Chainalysis told Decrypt that this distinct money laundering pattern is enough to link attacks to the DPRK.

"In many cases, the stolen cryptocurrency is directly funding their weapons of mass destruction programs," Andrew Fierman, head of national security intelligence at Chainalysis, told Decrypt. "The recent MSMT report details how these funds are being used to procure everything from armored vehicles to portable air-defense missile systems."

Increasingly, attacks are coming from malicious actors who get hired by crypto companies. The attacker then works to gain privileged access before stealing important information or funds.

Binance told Decrypt in the summer that North Korean hackers attempt to get hired by the major centralized exchange every single day. Jimmy Su, Binance’s chief security officer, explained that attackers may even use AI-generated live video and voice changers on calls in an attempt to get hired. The exchange has identified several common telltale signs of DPRK attackers, and shares this intelligence with other crypto exchanges via Telegram and Signal.

On top of this, North Korean hackers were found poisoning NPM packages, regularly used public code libraries, to infiltrate projects. Again, Binance acknowledged this threat and claims its developers are forced to go through every code library with a fine-tooth comb.

“As North Korea continues to use cryptocurrency theft to fund state priorities and circumvent international sanctions, the industry must recognize that this threat actor operates by different rules than typical cybercriminals,” the Chainalysis report said. “The country’s record-breaking 2025 performance—achieved with 74% fewer known attacks—suggests we may be seeing only the most visible portion of its activities.”

“The challenge for 2026 will be detecting and preventing these high-impact operations before DPRK-affiliated actors inflict another Bybit-scale incident,” it finished.

Editor's note: This story was updated after publication to add comment from Chainalysis.
