North Korea leads global crypto hacks with US$2 billion in 2025

North Korea–linked hacking groups have stolen more cryptocurrency than anyone else in 2025, siphoning off more than US$2 billion as their operations became fewer but more targeted and higher impact, according to new research.

North Korean hackers stole approximately US$2.02 billion worth of digital assets from January through early December, representing a 51 % increase from the same period a year earlier, according to a report released this week by global blockchain analytics firm Chainalysis.

The findings, part of Chainalysis’s annual overview of crypto crime, show global cryptocurrency theft reached about US$3.4 billion this year, with North Korean operations accounting for nearly 60 % of the total.

That pushed North Korea’s cumulative cryptocurrency theft to roughly US$6.75 billion, the report showed.

While the overall number of hacking incidents linked to North Korea fell 74 % from 2024, their impact grew sharply. North Korean groups accounted for a record 76 % of all service-level compromises, excluding personal wallet hacks, underscoring a shift toward fewer but significantly larger breaches.

Chainalysis said the divergence has become more pronounced over time. Non–North Korean attackers showed a relatively even distribution across theft sizes this year, while North Korean operations dominated the highest-value ranges.

“When North Korean hackers strike, they target large services and aim for maximum impact,” the report said.

Their tactics reflect a shift away from exploiting decentralised finance vulnerabilities toward centralised exchanges and custodians as DeFi security improves. The US$1.5 billion breach at Dubai-based exchange Bybit in February, the largest crypto heist on record, illustrates the scale of that approach.

The report pointed to insider infiltration as a key driver behind North Korea’s ability to execute such high-value thefts.

“North Korean threat actors are increasingly achieving these outsized results by embedding IT workers inside crypto services to gain privileged access and enable high-impact compromises,” Chainalysis said.

Chainalysis also highlighted the growing sophistication of North Korea’s laundering methods, with stolen funds increasingly split into smaller tranches. More than 60 % of the total volume seized was transferred on-chain in amounts below US$500,000 per transaction, compared with a majority of transfers by other actors concentrated above US$1 million.

The laundering patterns reflect structural constraints facing North Korean groups, including limited access to the global financial system and a reliance on multiple layers of external facilitators.

In recent years, North Korea’s laundering has typically unfolded in stages over roughly 45 days following a major theft, with funds initially moved quickly to distance them from their source before gradually entering the broader crypto ecosystem through exchanges, bridges and mixing services.

Throughout the process, North Korean actors relied heavily on Chinese-language money-laundering networks and showed a preference for tools that complicate tracing and obscure fund flows.

The report specifically cited Huione Group as a key facilitator. The US government this year identified the Cambodia-based firm as a critical node for laundering proceeds from North Korean cyber heists, estimated to be at least US$4 billion between 2021 and early 2025, and barred US financial institutions from doing business with Huione, either directly or indirectly.

The report also warned that North Korea’s infiltration methods are becoming more orchestrated and insidious, evolving beyond simple impersonation of IT employees.

Instead, attackers increasingly pose as recruiters at well-known Web3 and AI companies, running fake hiring processes to trick targets into handing over login details, internal code, or remote access to their employers’ systems. In other cases, they present themselves as potential investors, using staged pitches and meetings to quietly gather information about internal networks and possible points of entry.

Choi Ji-won

The Korea Herald

Asia News Network