North Korean Hackers Enjoy 'Fat Years': Stole Record Amount in 2025, With Money Laundering Cycle of About 45 Days

Original Title: North Korea Drives Record $2 Billion Crypto Theft Year, Pushing All-Time Total to $6.75 Billion

Original Source: Chainalysis

Original Translation: Felix, PANews

Amid years of North Korean hackers targeting the crypto industry, Chainalysis' 2025 Hacker Report focuses on analyzing the behaviors of North Korean hackers. The following is a summary of the content.

Key Points:

· North Korean hackers stole $2.02 billion worth of cryptocurrency in 2025, a 51% increase year-over-year. Despite a decrease in the number of attacks, their cumulative theft total has reached $6.75 billion.

· North Korean hackers stole more cryptocurrency with fewer attacks, often by infiltrating IT staff into crypto services or using sophisticated impersonation tactics targeting executives.

· North Korean hackers notably favor Chinese money laundering services, cross-chain bridge services, and mixing protocols, with a money laundering cycle of around 45 days following major theft events.

· In 2025, individual wallet breach incidents surged to 158,000, affecting 80,000 users, although the total stolen value ($713 million) decreased compared to 2024.

· Despite an increase in Total Value Locked (TVL) in DeFi, hacker attack losses from 2024 to 2025 remained at a low level, indicating that security improvements are having a significant impact.

In 2025, the crypto ecosystem once again faced significant challenges as stolen funds continued to rise. Analysis shows that the crypto theft pattern exhibits four key features: North Korean hackers remain the primary threat actor; individual attacks on centralized services are escalating; incidents of individual wallet breaches are on the rise; and DeFi hacker attack trends show unexpected divergence.

Overall Situation: Over $3.4 Billion Stolen in 2025

From January to early December 2025, over $3.4 billion was stolen in the crypto industry, with an attack in February alone on Bybit amounting to $1.5 billion.

The data also reveals significant changes in these theft events. Individual wallet hacks have seen a sharp increase, rising from 7.3% of total hacked value in 2022 to 44% in 2024. Excluding the significant impact of the Bybit hack, this percentage may reach 37% in 2025.

Meanwhile, due to complex attacks on private key infrastructure and signature processes, centralized services are experiencing increasing losses. Despite having institutional resources and professional security teams, these platforms are vulnerable to threats that can bypass cold wallet controls. While such breaches are not frequent (as shown below), when they do occur, they result in substantial losses. In the first quarter of 2025, losses from these events accounted for 88% of the total losses. Many attackers have devised methods to exploit third-party wallet integrations and deceive signers into authorizing malicious transactions.

Although crypto security may have improved in some areas, the persistently high amount of funds stolen indicates that attackers continue to find success through various avenues.

Losses from the top three hacks accounted for 69% of the total losses, with extremes reaching 1000 times the median

Fund theft events have historically been primarily driven by extreme events, with most hacker attacks being relatively small in scale, but a few being massive. However, the situation in 2025 has worsened: the ratio between the largest-scale hack and the median of all events has exceeded the 1000x threshold for the first time. Today, the stolen funds in the largest hacks are 1000 times those in typical events, surpassing even the peak of the 2021 bull market. These calculations are based on the USD value of the funds at the time of the theft.

This growing gap is leading to highly concentrated losses. The top three hacker attacks in 2025 accounted for 69% of all losses, and the impact of a single event on the annual total loss is exceptionally significant. While attack frequencies may fluctuate and median losses may increase with asset price rises, the potential losses from individual major vulnerabilities are rising at a faster pace.

Despite a reduction in confirmed attack events, North Korea remains a primary threat

Despite a significant decrease in attack frequency, North Korea remains the most serious threat to crypto security, setting a new high in the amount of cryptocurrency funds stolen in 2025, reaching at least $2.02 billion (an increase of $681 million from 2024), a 51% year-over-year growth. In terms of stolen amounts, this was the most severe year for North Korean cryptocurrency theft cases on record, with attacks initiated by North Korea accounting for 76% of all intrusion events, reaching a historical peak. Overall, the cumulative total of cryptocurrency stolen by North Korea is estimated to be at least $6.75 billion.

North Korean hackers are increasingly planting insider IT personnel (one of their main tactics) within encrypted service organizations to gain privileged access and carry out major attacks. This year's record-breaking attack events may, to some extent, reflect North Korea's greater reliance on IT personnel to penetrate exchanges, custodians, and Web3 firms, speeding up initial access and lateral movement to enable large-scale theft.

However, recently, North Korea-affiliated hacker groups have completely disrupted this IT worker model. They are no longer just applying for positions and infiltrating as employees but are increasingly impersonating recruiters from prominent Web3 and AI companies, orchestrating elaborate fake recruitment processes, ultimately using "technical screening" as a pretext to obtain victims' login credentials, source code, and their current employer's VPN or Single Sign-On (SSO) access. At the executive level, similar social engineering tactics appear in the form of false contacts from strategic investors or acquirers, leveraging pitch meetings and pseudo due diligence to probe sensitive system information and potential high-value infrastructure—this evolution directly builds on North Korean IT worker fraud actions and focuses on strategically important AI and blockchain companies.

As seen over the past few years, the network attacks continually carried out by North Korea hold far greater value than those of other hackers. As shown in the graph below, from 2022 to 2025, North Korean hacker attacks occupy the highest value range, while non-North Korean hacker attacks exhibit a more normal distribution in all theft scales. This pattern further indicates that when North Korean hackers launch an attack, they target large services to maximize impact.

This year's record losses come from a significant decrease in known events. This shift (reduced events but significantly increased losses) reflects the impact of the February 2025 Bybit large-scale hack.

North Korea's Unique Money Laundering Pattern

The influx of a large amount of stolen funds in early 2025 revealed how North Korean hackers launder cryptocurrency on a massive scale. Their pattern is markedly different from other cybercriminals and has evolved over time.

North Korea's money laundering activities exhibit a distinct "tiered" pattern, with over 60% of transaction volume concentrated below $500,000. In contrast, other hackers transfer funds on-chain, with over 60% occurring in batches ranging from $1 million to $10 million or more. Although North Korea's laundering amounts are higher per transaction than other hackers, they divide on-chain transfers into smaller batches, highlighting the complexity of their laundering methods.

Compared to other hackers, North Korea exhibits a distinct preference in certain money laundering aspects:

North Korean hackers tend to:

· Chinese Funds Transfers and Escrow Services (+355% to over 1000%): This is the most pronounced feature, heavily relying on Chinese escrow services and a money laundering network comprised of numerous potentially less-compliant operators.

· Cross-Chain Bridge Services (+97%): High reliance on cross-chain bridges to transfer assets between different blockchains and attempt to increase traceability difficulty.

· Mixer Services (+100%): Increased use of mixer services to try to obfuscate fund flows.

· Specialized Services like Huione (+356%): Strategic use of specific services to assist their money laundering activities.

Other hackers involved in money laundering activities tend to:

· Loan Protocols (-80%): North Korea avoids using these DeFi services, showing limited integration with the broader DeFi ecosystem

· No KYC Exchange Days (-75%): Surprisingly, other hackers use no KYC exchange days more than North Korea

· P2P Exchange Days (-64%): North Korea has limited interest in P2P platforms

· CEX (-25%): Other hackers have more direct interaction with traditional exchanges

· DEX (-42%): Other hackers are more inclined to use DEX, known for high liquidity and strong anonymity

These patterns suggest that North Korea's operations are influenced by constraints and objectives distinct from non-state-sponsored cybercriminals. They heavily utilize professional Chinese money laundering services and over-the-counter (OTC) traders, indicating close ties of North Korean hackers with illicit actors in the Asia-Pacific region.

Timeline of North Korean Hacker Attack Post-Theft Money Laundering

An analysis of on-chain activity following hacker events attributed to North Korea between 2022 and 2025 shows a consistent pattern of the stolen funds' movement within the crypto ecosystem. Following major theft events, the stolen funds undergo a structured, multi-stage laundering process lasting approximately 45 days:

Stage One: Immediate Layering (Days 0-5)

In the initial days following a hack, a series of unusually active movements were observed, focusing on swiftly moving funds out from the compromised source:

· The highest surge in flow of stolen funds was seen in DeFi protocols (+370%), becoming a primary entry point.

· Transaction volume in mixing services also significantly increased (+135-150%), forming the first layer of obfuscation.

· This phase represented an urgent "step one" action aimed at distancing from the initial theft.

Phase Two: Initial Integration (Days 6-10)

Moving into the second week, the money laundering strategy shifted towards services that could help the funds blend into a broader ecosystem:

· KYC-light exchanges (+37%) and CEXs (+32%) began accepting fund flows.

· Second-layer mixing services (+76%) carried out money laundering activities with lower intensity.

· Cross-chain bridges (e.g., XMRt, +141%) helped disperse and conceal fund movement across blockchains.

· This phase marked a crucial transitional period as funds started moving towards potential exit ramps.

Phase Three: Long-Tail Integration (Days 20-45)

The final phase noticeably favored services that could eventually facilitate conversion into fiat or other assets:

· Usage of no KYC exchanges (+82%) and escrow services (like Potato Exchange, +87%) saw significant growth.

· Instant exchanges (+61%) and Chinese platforms (e.g., Huobi, +45%) became the ultimate conversion points.

· CEXs (+50%) also received funds, indicating attempts to commingle illicit funds with legitimate funds.

· Jurisdictions with fewer regulations, such as Chinese money laundering networks (+33%) and platforms like Grinex (+39%), rounded out this pattern.

This typical 45-day money laundering operating window provides crucial intelligence for law enforcement and compliance teams. This pattern has persisted for years, indicating operational constraints faced by North Korean hackers, possibly due to limited avenues to access financial infrastructure and the need to coordinate with specific intermediaries.

While these hackers do not always strictly adhere to this exact timeline—some stolen funds may lie dormant for months or years—this pattern represents their typical on-chain behavior during active money laundering. Furthermore, it is important to recognize potential blind spots in this analysis, as certain activities (such as private key transfers or off-chain crypto-to-fiat exchanges) may not be visible on-chain without corroborating intelligence.

Personal Wallet Theft: Growing Threat to Individual Users

Through on-chain pattern analysis and reports from victims and industry partners, the severity of personal wallet theft can be understood, although the actual number of thefts is likely much higher. At a minimum, the value loss due to personal wallet theft in 2025 accounts for 20% of the total losses, down from 44% in 2024, indicating a shift in both scale and pattern. The total number of theft cases in 2025 soared to 158,000, nearly triple the 54,000 recorded in 2022. The number of victims increased from 40,000 in 2022 to at least 80,000 in 2025. These significant increases are likely due to the wider adoption of cryptocurrency. For example, Solana, one of the blockchains with the most active personal wallets, leads by a large margin in the number of theft cases (approximately 26,500 victims).

However, despite the increase in the number of incidents and victims, the total dollar amount stolen from a single victim in 2025 dropped from a peak of $1.5 billion in 2024 to $713 million. This suggests that while the number of targeted users has increased, the amount stolen per victim has decreased.

The victim data for specific networks provides more insights into which areas pose the greatest threat to crypto users. The graph below shows adjusted victim data for active personal wallets on each network. Measured by the crime rate per 100,000 wallets in 2025, Ethereum and Tron have the highest theft rates. Ethereum's large user base indicates higher theft rates and victim numbers, while Tron's ranking shows that despite having fewer active wallets, its theft rate remains high. In contrast, although Base and Solana have a large user base, their victimization rates are lower.

This indicates that the security risks of personal wallets in the crypto ecosystem are not equal. Even with similar technical architectures, theft rates vary across different blockchains, suggesting that factors such as user demographics, popular applications, and criminal infrastructure play important roles in determining theft rates alongside technical considerations.

DeFi Hacks: Differential Patterns Foretell Market Shift

The DeFi sector exhibits a unique pattern in the 2025 crime data, deviating significantly from historical trends.

The data shows three distinct phases:

· Phase One (2020-2021): DeFi TVL and hacker attack losses grew in tandem

· Phase 2 (2022-2023): Simultaneous Decrease in Two Metrics

· Phase 3 (2024-2025): TVL Recovery with Stable Hack Losses

The first two phases follow an intuitive pattern: the greater the at-risk value, the more value is available to steal, leading to larger-scale hacks targeting high-value protocols. As bank robber Willie Sutton famously said: "Because that's where the money is."

This makes the difference in the third phase more pronounced. While DeFi TVL has significantly rebounded from its 2023 low, losses from hacks have not increased proportionally. Despite billions of dollars flowing back into these protocols, DeFi hack events have remained at a relatively low level, marking a significant shift.

Two factors may explain this difference:

· Enhanced Security: Despite the continuous TVL growth, the hack rate has been consistently decreasing, indicating that DeFi protocols may be implementing more effective security measures than during 2020-2021.

· Target Shifting: The simultaneous increase in individual wallet thefts and centralized service attacks suggests that attackers' focus may be shifting to other targets.

Case Study: Venus Protocol's Security Response

The Venus Protocol incident in September 2025 illustrates the tangible effects of improved security measures. At that time, an attacker used a compromised Zoom client to gain system access and trick a user into granting delegation permissions for a $13 million account, a situation that could have had catastrophic consequences. However, Venus had deployed the Hexagate security monitoring platform just a month prior.

The platform detected suspicious activity 18 hours before the attack and issued another alert immediately upon the malicious transaction. Within 20 minutes, Venus paused its protocol, halting any fund movement. This coordinated response showcased the evolution of DeFi security:

· Within 5 hours: Partial functionality restored after security checks

· Within 7 hours: Attacker's wallet forcefully liquidated

· Within 12 hours: Full stolen funds recovery and service restoration

Of particular note, Venus has passed a governance proposal that froze $3 million of assets still controlled by the attacker; the attacker not only failed to profit but also lost funds.

This event demonstrates tangible improvements in DeFi security infrastructure. The combination of proactive monitoring, rapid response capabilities, and decisive governance mechanisms has made the entire ecosystem more agile and resilient. While attacks still occur, the ability to detect, respond to, and even reverse attacks represents a fundamental shift from the early days of DeFi, where successful attacks often meant permanent loss.

Impact Beyond 2026

2025 data revealed a complex evolution of North Korea as the most significant threat actor in the cryptocurrency space. While the country reduced the frequency of its attacks, the level of destructiveness significantly increased, indicating a more sophisticated and patient approach. The impact of the Bybit incident on its annual activity pattern suggests that when North Korea successfully executes major thefts, it slows down its operations and focuses on money laundering.

For the cryptocurrency sector, this evolution necessitates enhanced vigilance regarding high-value targets and improved recognition of North Korea's specific money laundering patterns. Their continued preference for particular service types and transaction amounts provides opportunities for detection, distinguishing them from other criminals and assisting investigators in identifying their on-chain behavioral traits.

As North Korea continues to exploit cryptocurrency theft to fund national priorities and evade international sanctions, the cryptocurrency industry must recognize that North Korea's operational norms are vastly different from typical cybercriminals. North Korea's record performance in 2025 (despite a 74% decrease in known attacks) indicates that the current understanding may only scratch the surface of their activities. The challenge in 2026 is how to detect and prevent these actions before North Korea launches attacks on the scale of Bybit again.

Original Article Link