North Korea stole $2 billion in crypto in 2025, Chainalysis says

North Korean hackers stole at least $2 billion in cryptocurrency this year, a record high, pushing the Democratic People’s Republic of Korea’s (DPRK) historical theft amount to $6.75 billion, according to a new report from Chainalysis.

This number represents a 51% increase from 2024, with fewer confirmed incidents. The numbers underscore a shift toward fewer, larger attacks, driven by the $1.4 billion Bybit hack in March.

Compared to other cybercriminals, North Korean groups overwhelmingly target large, centralized crypto services, with the goal of maximizing impact rather than frequency, the report said. In 2025, North Korea-affiliated actors caused 76% of service-level compromises, the most on record.

How they launder money is also notable. While other hackers tend to distribute stolen funds via large-scale on-chain transfers, North Korean hackers consistently transact in smaller amounts of less than $500,000, demonstrating the increasing sophistication of their operational security.

North Korea-related wallets show heavy reliance on Chinese-language collateral services, brokers, and over-the-counter trading networks, as well as widespread use of bridging and mixing services. They have largely avoided the DeFi lending protocols, decentralized exchanges and peer-to-peer platforms favored by other criminals. These patterns indicate structural constraints and reliance on specific regional facilitators rather than broad access to global financial infrastructure.

Earlier this year, CoinDesk reported how North Korea is now using artificial intelligence as its hacking “superpower.”

“North Korea has demonstrated its use of artificial intelligence with consistency and liquidity to facilitate the laundering of cryptocurrency thefts,” Andrew Fierman, director of national security intelligence at Chainalysis, told CoinDesk.

“The structural mechanics of money laundering, and the scale at which it is accomplished, create a workflow that combines mixers, DeFi protocols, and bridges early in the laundering process to convert funds into various cryptoassets,” he said. “In order to perform the function of stealing such large amounts of cryptocurrency, North Korea would need a large money laundering network, as well as streamlined mechanisms to facilitate money laundering, which will most likely come in the form of the use of artificial intelligence.”

Chainalysis said that analysis of post-hack activity shows that major North Korean thefts typically unfold within a money laundering window of approximately 45 days, going through different stages from immediate obfuscation to final integration. While not universal, the consistency of this timeline over the years has provided law enforcement and compliance teams with valuable intelligence as they work to intercept stolen funds before they are fully cashed out.

At the same time, the broader theft landscape is changing. In 2025, value stolen from personal wallets accounts for 20% of the total value stolen, down from 44% last year. While the number of incidents surged to 158,000, individual victim losses fell 52% to $713 million. The data shows that attackers are targeting more users but stealing less from each user.

As the year comes to an end and North Korea’s cryptocurrency hacking activity shows no signs of abating, the report’s findings point to an increasingly polarized threat environment: large-scale, low-value thefts targeting individuals on the one hand, and rare but catastrophic service-level breaches on the other, with North Korea undoubtedly at the center of the latter.
