Written by: Chainalysis
Compiled by: Felix, PANews
In response to the increasing attacks on the crypto industry by North Korean hackers, Chainalysis' 2025 Hacking Report focused on analyzing the attack methods of North Korean hackers. Details are as follows.
Key points:
- North Korean hackers stole $2.02 billion worth of cryptocurrency in 2025, a 51% increase year-over-year. Despite a decrease in the number of attacks, their cumulative thefts have now reached $6.75 billion.
- North Korean hackers have stolen more cryptocurrency with fewer attacks, often by infiltrating IT staff into crypto services or using sophisticated impersonation tactics targeting executives.
- North Korean hackers clearly favor Chinese-language money laundering services, cross-chain bridging services, and coin mixing protocols. After a major theft, their money laundering cycle is approximately 45 days.
- In 2025, the number of personal wallet thefts surged to 158,000, affecting 80,000 users, although the total value stolen ($713 million) decreased compared to 2024.
- Despite an increase in total value locked (TVL) in DeFi, hacker losses in 2024 and 2025 remained at a low level, indicating that improvements in security measures are having a significant effect.
In 2025, the crypto ecosystem faced another severe challenge, with stolen funds continuing to rise. Analysis revealed four key characteristics of crypto theft patterns: North Korean hackers remained the primary source of threat; individual attacks against centralized services became increasingly serious; personal wallet thefts surged; and DeFi hacking trends unexpectedly diverged.
Overall Situation: Over $3.4 billion was stolen in 2025.
From January to early December 2025, the crypto industry suffered more than $3.4 billion in thefts, of which $1.5 billion was stolen from Bybit in February alone.

The data also reveals significant changes in these thefts. Thefts of personal wallets increased dramatically, rising from 7.3% of total stolen value in 2022 to 44% in 2024. Had it not been for the significant impact of the Bybit attack, this proportion might have reached 37% in 2025.
Meanwhile, centralized services are suffering increasing losses due to sophisticated attacks targeting private key infrastructure and signing processes. Despite their institutional resources and professional security teams, these platforms remain vulnerable to threats that can bypass cold wallet controls. Although such intrusions are infrequent (as shown in the figure below), they can result in massive thefts when they occur, accounting for 88% of total losses in the first quarter of 2025. Many attackers have developed methods to exploit third-party wallet integrations and trick signers into authorizing malicious transactions.

Despite improvements in crypto security in some areas, the high amount of money stolen indicates that attackers can still succeed through a variety of means.
The top three hacker attacks accounted for 69% of the total losses, with extreme cases reaching 1,000 times the median.
Historically, fund theft has been driven by extreme events, with most hacks being relatively small-scale, though a few are massive. However, the situation worsened in 2025: the ratio of the largest hack to the median of all incidents surpassed 1,000 times for the first time. Today, the funds stolen in the largest attacks are 1,000 times that of those stolen in ordinary incidents, even exceeding the peak of the 2021 bull market. These calculations are based on the dollar value of the stolen funds at the time of the theft.

This widening gap leads to a high concentration of losses. The top three hacking attacks accounted for 69% of all losses in 2025, with individual incidents having an exceptionally significant impact on total annual losses. While attack frequency may fluctuate, and median losses may increase as asset prices rise, the potential losses from individual critical vulnerabilities are increasing at an even faster rate.
Although the number of confirmed attacks has decreased, North Korea remains the primary threat.
Despite a significant decrease in the frequency of attacks, North Korea remains the country posing the most serious threat to crypto security, with its cryptocurrency thefts reaching a record high of at least $2.02 billion in 2025 ($681 million more than in 2024), a 51% year-on-year increase. In terms of the amount stolen, this was the worst year for cryptocurrency thefts by North Korea on record, with North Korean attacks accounting for 76% of all intrusions, a record high. Overall, the cumulative total amount of cryptocurrency stolen by North Korea is estimated at a minimum of $6.75 billion.
North Korean hackers are increasingly using IT personnel, one of their primary attack methods, to gain privileged access and carry out major attacks. This year's record theft total may reflect, in part, North Korea's growing reliance on IT personnel infiltrating exchanges, hosting firms, and Web3 companies, which can expedite initial access and lateral movement, thus facilitating large-scale theft.
However, recent North Korean-linked hacking groups have turned this IT worker model around. Instead of simply applying for jobs and infiltrating as employees, they increasingly impersonate recruiters from well-known Web3 and AI companies, meticulously crafting fake recruitment processes. Ultimately, under the guise of "technical screening," they obtain victims' login credentials, source code, and VPN or single sign-on (SSO) access to their current employers. At the executive level, similar social engineering tactics take the form of contacts from fake strategic investors or acquirers. They use pitching sessions and fake due diligence to probe sensitive system information and potentially high-value infrastructure, an evolution that builds directly on North Korean IT worker fraud and focuses on strategically important AI and blockchain companies.

As seen in recent years, North Korea's ongoing cyberattacks are far more lucrative than those of other hackers. As shown in the figure below, from 2022 to 2025, North Korean attacks occupied the highest value range, while non-North Korean attacks were distributed more evenly across all theft scales. This pattern further indicates that when North Korean hackers launch attacks, they target large services to maximize their impact.

This year's record losses came alongside a significant decrease in known incidents. This shift (fewer incidents but significantly increased losses) reflects the impact of the massive Bybit hack in February 2025.
North Korea's unique money laundering methods
The massive influx of stolen funds in early 2025 revealed how North Korean hackers were laundering cryptocurrency on a large scale. Their methods were distinctly different from those of other cybercriminals and have evolved over time.

North Korea's money laundering activities exhibit a clear "tiered" pattern, with over 60% of transactions concentrated below $500,000. In contrast, over 60% of funds transferred on-chain by other hackers are conducted in batches ranging from $1 million to over $10 million. Although North Korea launders larger sums each time, they divide their on-chain transfers into smaller batches, highlighting the complexity of their money laundering methods.
Compared to other hackers, North Korea exhibits clear preferences at certain stages of the money laundering process.
North Korean hackers make far greater use of:
- Chinese-language money transfer and escrow services (+355% to over 1000%): This is the most distinctive feature, with heavy reliance on Chinese-language escrow services and money laundering networks made up of numerous laundering operators with potentially weak compliance controls.
- Cross-chain bridge services (+97%): heavily rely on cross-chain bridges to transfer assets between different blockchains and attempt to increase the difficulty of tracking.
- Mixing services (+100%): More frequent use of mixing services in an attempt to conceal fund flows.
- Huione and other professional services (+356%): Strategically using specific services to facilitate their money laundering activities.
Relative to other hackers involved in money laundering, North Korea makes less use of:
- Lending protocols (-80%): North Korea avoids using these DeFi services, demonstrating its limited integration with the broader DeFi ecosystem.
- No-KYC Exchanges (-75%): Surprisingly, other hackers use no-KYC exchanges more often than North Korea.
- P2P Exchanges (-64%): North Korea shows limited interest in P2P platforms.
- CEX (-25%): Other hackers interact more directly with traditional exchange platforms.
- DEX (-42%): Other hackers prefer to use DEXs because of their high liquidity and strong anonymity.

These patterns suggest that North Korean operations are subject to constraints and targets different from those of non-state-sponsored cybercriminals. Their extensive use of professional Chinese-language money laundering services and over-the-counter (OTC) traders indicates close ties between North Korean hackers and illicit actors in the Asia-Pacific region.
Timeline of money laundering following North Korean hacking attacks
Analysis of on-chain activity following hacking incidents attributed to North Korea between 2022 and 2025 reveals a consistent pattern in the flow of stolen funds through the crypto ecosystem. Following major thefts, the stolen funds followed a structured, multi-stage money laundering path that lasted approximately 45 days.
Phase 1: Immediate Layering (Days 0-5)
In the initial days following the hack, a burst of unusually intense activity was observed, focused on immediately moving funds away from the source of the theft:
- DeFi protocols saw the largest increase in stolen funds (+370%), making them a key entry point.
- The volume sent to mixing services also increased significantly (+135-150%), constituting the first layer of obfuscation.
- This stage represents an urgent "first step" aimed at distancing the funds from the initial theft.
Phase 2: Initial Integration (Days 6-10)
Entering the second week, money laundering strategies shifted towards services that could help integrate funds into a broader ecosystem:
- Exchanges with fewer KYC restrictions (+37%) and CEXs (+32%) have begun to accept fund flows.
- A second round of mixing services (+76%) continued the laundering at a lower intensity.
- Cross-chain bridging (such as XMRt, +141%) helps to disperse and mask the flow of funds between blockchains.
- This phase is a crucial transition period, during which funds begin to flow into potential exit channels.
Phase 3: Long-Tail Integration (Days 20-45)
The final stage clearly favors services that can ultimately be converted into fiat currency or other assets:
- The usage of exchanges that do not require KYC (+82%) and escrow services (such as Tudou Danbao, +87%) has increased significantly.
- Instant exchanges (+61%) and Chinese platforms (such as Huiwang, +45%) became the ultimate redemption points.
- CEXs (+50%) also receiving funds suggests a sophisticated attempt to blend stolen funds with legitimate capital.
- Services in less regulated jurisdictions, such as Chinese money laundering networks (+33%) and Grinex (+39%), round out this model.
This typically 45-day window for money laundering operations provides crucial intelligence to law enforcement and compliance teams. The fact that this pattern has persisted for years suggests that North Korean hackers face operational limitations, likely related to their limited access to financial infrastructure and the need for coordination with specific intermediaries.
While these hackers don't always follow this exact timeline—some stolen funds remain dormant for months or years—this pattern represents typical on-chain behavior when actively laundering money. Furthermore, it's crucial to recognize potential blind spots in this analysis, as certain activities (such as private key transfers or off-exchange cryptocurrency-to-fiat currency exchanges) may not be visible on-chain without corroborating intelligence.
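The tiered batching and the three-phase timeline described above can be turned into a simple detection heuristic for compliance teams. The following is an added example and not Chainalysis tooling: the Transfer schema, the service-category labels, the scoring weights and the two sample flows are all constructed assumptions, chosen only to mirror the report's thresholds (below $500k batches, days 0-5 / 6-10 / 20-45 and the service types favoured in each).

```python
"""Score a post-theft fund flow against the report's laundering profile.
Added example (not Chainalysis code): schema, labels and weights are assumed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    day: int           # days elapsed since the theft
    amount_usd: float  # value of the on-chain transfer at the time
    category: str      # assumed label for the receiving service type


# Phase windows from the report, each with the service types it favours
# (label names are ours; days 11-19 fall outside every window in the report).
PHASES = {
    "immediate": (0, 5, {"defi", "mixer"}),
    "integration": (6, 10, {"low_kyc_exchange", "cex", "mixer", "bridge"}),
    "long_tail": (20, 45, {"no_kyc_exchange", "escrow", "instant_exchange", "cex"}),
}
SMALL_BATCH_USD = 500_000  # the report's tiered-batching threshold


def phase_of(day):
    for name, (lo, hi, _) in PHASES.items():
        if lo <= day <= hi:
            return name
    return None


def small_batch_share(transfers):
    """Fraction of transfers below $500k; over 60% is the DPRK-typical pattern."""
    if not transfers:
        return 0.0
    return sum(t.amount_usd < SMALL_BATCH_USD for t in transfers) / len(transfers)


def phase_fit(transfers):
    """Per phase, the share of in-window transfers sent to that phase's expected services."""
    hits, totals = Counter(), Counter()
    for t in transfers:
        phase = phase_of(t.day)
        if phase is None:
            continue  # outside all windows, not counted for or against
        totals[phase] += 1
        hits[phase] += t.category in PHASES[phase][2]
    return {p: hits[p] / totals[p] for p in totals}


def profile_score(transfers):
    """0..1 similarity to the profile: 70% phase fit, 30% small-batch behaviour."""
    phase_part = sum(phase_fit(transfers).values()) / len(PHASES)
    batch_part = 1.0 if small_batch_share(transfers) > 0.6 else 0.0
    return round(0.7 * phase_part + 0.3 * batch_part, 3)


# Constructed flows (not real data): one resembling the profile, one resembling other hackers.
DPRK_LIKE = [Transfer(1, 400_000, "defi"), Transfer(2, 300_000, "mixer"), Transfer(4, 450_000, "defi"),
             Transfer(7, 250_000, "bridge"), Transfer(9, 600_000, "lending"), Transfer(25, 200_000, "escrow"),
             Transfer(30, 150_000, "no_kyc_exchange"), Transfer(40, 1_200_000, "instant_exchange")]
OTHER_LIKE = [Transfer(1, 5_000_000, "cex"), Transfer(3, 2_000_000, "dex"), Transfer(8, 3_000_000, "lending")]
```

A flow that scores high is only a lead for analyst review, since, as the text notes, off-chain hand-offs and dormant funds are invisible to this kind of check.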
Personal wallet theft: A growing threat to individual users
Analysis of on-chain patterns, along with reports from victims and industry partners, reveals the severity of personal wallet theft, although the actual number of thefts is likely much higher. At a minimum estimate, personal wallet theft accounted for 20% of total losses in 2025, down from 44% in 2024, indicating a shift in both scale and patterns. The total number of thefts surged to 158,000 in 2025, nearly three times the 54,000 recorded in 2022. The number of victims increased from 40,000 in 2022 to at least 80,000 in 2025. These significant increases are likely due to the wider adoption of cryptocurrencies. For example, Solana, one of the blockchains with the most active personal wallets, far surpasses other blockchains in the number of thefts (approximately 26,500 victims).

However, despite the increase in the number of incidents and victims, the total dollar value stolen from individual victims in 2025 decreased to $713 million from a peak of $1.5 billion in 2024. This indicates that while attackers are targeting more users, the amount stolen from each victim is decreasing.
Victim data for specific networks provides further insight into which networks pose the greatest risk to crypto users. The chart below shows victim data adjusted for active individual wallets across various networks. Measured by the theft rate per 100,000 wallets in 2025, Ethereum and Tron have the highest rates. Ethereum combines a high theft rate with a large number of victims, given its massive user base, while Tron shows a high theft rate despite having fewer active wallets. In contrast, Base and Solana have lower victim rates despite their large user bases.

This indicates that the security risks of personal wallets are not uniform across the crypto ecosystem. Even with similar technical architectures, the victimization rates differ across different blockchains, suggesting that factors beyond technology, such as user demographics, popular applications, and criminal infrastructure, also play a significant role in determining theft rates.
DeFi hacks: Divergent patterns foreshadow market shifts
The DeFi sector exhibited a unique pattern in crime data in 2025, which deviated significantly from historical trends.
The data shows three distinct phases:
- Phase 1 (2020-2021): DeFi TVL and hacker attack losses increased in tandem.
- Phase 2 (2022-2023): Both indicators declined simultaneously.
- Phase 3 (2024-2025): TVL recovered, while hacker attack losses remained flat.

The first two phases follow an intuitive pattern: the greater the value at risk, the more value can be stolen, and the more aggressively hackers target high-value protocols. As bank robber Willie Sutton put it, "Because that's where the money is."
This makes the differences in the third phase even more pronounced. DeFi TVL has rebounded significantly from its 2023 lows, but losses from hacks have not increased accordingly. Despite billions of dollars flowing back into these protocols, DeFi hacking incidents have remained at a low level, representing a significant shift.
The following two factors may explain this difference:
- Security improvements: Despite the continued growth of TVL, the hacking rate has continued to decline, suggesting that DeFi protocols may be implementing more effective security measures than during 2020-2021.
- Target Shift: The simultaneous increase in personal wallet thefts and centralized service attacks suggests that attackers may be shifting their focus to other targets.
Case Study: Venus Protocol's Security Response
The Venus Protocol incident in September 2025 demonstrated that improved security measures were having a real impact. At that time, attackers used a compromised Zoom client to gain system access and tricked a user into granting delegated permissions to their $13 million account—a situation that could have had catastrophic consequences. However, Venus had enabled Hexagate's security monitoring platform just one month prior.
The platform detected suspicious activity 18 hours before the attack and immediately issued another alert as soon as the malicious transaction occurred. Within 20 minutes, Venus suspended its protocol, blocking any further fund flows. This coordinated response demonstrates the evolution of DeFi security:
- Within 5 hours: Some functions were restored after security checks were completed.
- Within 7 hours: The attacker's wallet was force-liquidated.
- Within 12 hours: All stolen funds were recovered and service was restored.
Most notably, Venus passed a governance proposal that froze $3 million in assets still under the attacker's control; the attacker not only failed to profit but also lost money.
This incident demonstrates a tangible improvement in DeFi security infrastructure. The combination of proactive monitoring, rapid response capabilities, and governance mechanisms that enable decisive action has made the entire ecosystem more flexible and resilient. While attacks still occur, the ability to detect, respond to, and even reverse them has fundamentally changed compared to the early DeFi era when successful attacks often meant permanent losses.
Impact on 2026 and beyond
The 2025 data reveals a complex evolution of North Korea as the biggest threat to the crypto industry. While the number of attacks decreased, the destructiveness increased significantly, indicating more sophisticated and patient tactics. The impact of the Bybit incident on its annual activity patterns suggests that when North Korea successfully commits a major theft, it slows down its operations and focuses instead on money laundering.
For the crypto industry, this evolution necessitates heightened vigilance against high-value targets and improved identification of specific money laundering patterns in North Korea. Their persistent preference for particular service types and transaction amounts provides an opportunity for detection, distinguishing them from other criminals and helping investigators identify their on-chain behavioral characteristics.
As North Korea continues to use cryptocurrency theft to fund national priorities and circumvent international sanctions, the crypto industry must recognize that North Korea's operating methods are drastically different from those of typical cybercriminals. North Korea's record-breaking haul in 2025 (alongside a known 74% reduction in attacks) suggests that we may only be seeing the most visible aspects of its activity. The challenge in 2026 lies in detecting and preventing North Korea from launching attacks of similar scale to Bybit again.