North Korean Hackers Stole $2.02B Crypto in 2025: Chainalysis Report
North Korea Crypto Theft Hits $2.02B in 2025

A new report from blockchain analytics firm Chainalysis finds that North Korea remained the single largest threat to cryptocurrency security in 2025, even though the number of confirmed hacking incidents attributed to it fell. Hackers linked to the Democratic People's Republic of Korea (DPRK) are assessed to have stolen $2.02 billion in digital assets during the year, a 51% increase over their 2024 total.

Record Haul with Fewer Incidents

This year's theft brings Chainalysis's lower-bound estimate of cumulative cryptocurrency stolen by DPRK-affiliated actors to $6.75 billion. Notably, the report highlights that North Korean operators are now taking more with fewer incidents: they accounted for a record 76% of all service compromises in 2025. A single event, the $1.5 billion Bybit hack of February 2025, makes up most of the annual total.

The analysis also sheds light on the impact on individual users. Individual wallets were involved in around 158,000 reported incidents affecting 80,000 unique victims, yet the total value stolen from them fell to $713 million in 2025. One reading is that personal security practices are improving; the figures also reflect that the largest sums are now taken from services, which face fewer but far more sophisticated and high-value attacks, rather than from individuals.

Unique Infiltration and Social Engineering Tactics

According to Chainalysis, DPRK operators have refined how they gain access to crypto services. One principal attack vector is placing their own IT workers inside target companies: by securing jobs at exchanges, custodians, and web3 firms, they obtain privileged access that can later be used to enable major compromises from within.

In a related twist, the same operatives also impersonate recruiters for prominent web3 and AI firms, running fake hiring processes that end in 'technical screens' designed to harvest login credentials, source code, and VPN access from the candidate. At the executive level, the playbook is bogus outreach from fake strategic investors or acquirers, who use pitch meetings to probe for information about sensitive systems. The practical defence is the same in both cases: nothing sent by a recruiter or investor should be run, opened, or authenticated to from a machine or account that has access to production systems or code.

Sophisticated Money Laundering Patterns

Laundering of the stolen funds follows patterns distinctive enough to set DPRK operators apart. After a major theft they typically run a laundering cycle of roughly 45 days, and despite the size of the haul they break it into smaller transactions: over 60% of the laundered volume moves in transfers valued below $500,000.

The report also notes clear service preferences. DPRK operators rely heavily on Chinese-language money-movement and guarantee services, with usage increases ranging from 355% to over 1,000%. Use of cross-chain bridges rose 97% and use of mixing services rose 100%, the former to move funds between networks and the latter to obscure their origin. Huione in particular saw a 356% increase in use by these actors.

Key Takeaways for Cybersecurity

The Chainalysis report underscores several points for the cryptocurrency industry. The shift toward infiltration and targeted social engineering means that perimeter security alone is no longer sufficient. Companies need stronger vetting of IT hires (identity verification that does not stop at a resume and a video call, and least-privilege access that is not granted in full on day one), and executives need to be trained to recognise impersonation by supposed recruiters, investors, and acquirers.

Furthermore, the structured, small-tranche laundering method is a deliberate evasion of per-transaction thresholds, and it calls for transaction monitoring that correlates many sub-threshold transfers into a single campaign rather than scoring each transfer on its own: tracing exposure outward from a known theft address across hops, then evaluating the aggregate volume and the tranche-size distribution over the laundering window. Even though the number of confirmed incidents fell in 2025, the escalating threat from state-sponsored actors like North Korea demands continuous evolution of security controls across the crypto ecosystem.
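As an added illustration (not code from the article or from Chainalysis), the script below applies the two laundering signals described above, the roughly 45-day window and the concentration of volume in transfers under $500,000, to a constructed ledger. It traces every address reachable from a hypothetical theft address within the window, then profiles the outflows from that tainted set and flags the cluster when a large aggregate volume is made up mostly of sub-$500,000 tranches. All addresses, amounts, dates and the two extra thresholds (a minimum campaign size and a minimum number of small hops) are assumptions for demonstration, and the taint model is a simplified 'poison' propagation rather than the amount-weighted heuristics real tracing tools use.

```python
"""Small-tranche laundering detector over a constructed ledger.

Added example, not the article's or Chainalysis's code. It encodes two signals
the article reports for DPRK laundering (a ~45-day cycle, >60% of volume in
transfers under $500,000) on top of a simplified taint trace. All addresses,
amounts, dates and the extra thresholds below are assumptions.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime   # block time of the transfer
    src: str       # sending address
    dst: str       # receiving address
    usd: float     # value at time of transfer, in USD


LAUNDER_WINDOW = timedelta(days=45)  # article: ~45-day laundering cycle
SMALL_TRANCHE_USD = 500_000.0        # article: >60% of volume below this
SMALL_SHARE_MIN = 0.60               # article: the 60% concentration
MIN_SMALL_COUNT = 5                  # assumption: fewer small hops is noise
MIN_TOTAL_USD = 1_000_000.0          # assumption: campaign size worth flagging


def trace_taint(transfers, seeds, theft_time, window=LAUNDER_WINDOW):
    """Return every address reachable from the seed set inside the window.

    Simplified 'poison' propagation: any address that receives from a tainted
    address within the window becomes tainted. Production tracing weights taint
    by amount (haircut/FIFO) and stops at known service deposit addresses.
    """
    deadline = theft_time + window
    outgoing = {}
    for t in transfers:
        outgoing.setdefault(t.src, []).append(t)
    tainted = set(seeds)
    queue = deque(seeds)
    while queue:
        for t in outgoing.get(queue.popleft(), []):
            if theft_time <= t.ts <= deadline and t.dst not in tainted:
                tainted.add(t.dst)
                queue.append(t.dst)
    return tainted


def tranche_profile(transfers, tainted, theft_time, window=LAUNDER_WINDOW):
    """Aggregate outflows from tainted addresses inside the window."""
    deadline = theft_time + window
    hops = [t for t in transfers
            if t.src in tainted and theft_time <= t.ts <= deadline]
    total = sum(t.usd for t in hops)
    small = [t for t in hops if t.usd < SMALL_TRANCHE_USD]
    return {
        "hops": len(hops),
        "total_usd": total,
        "small_count": len(small),
        "small_share": sum(t.usd for t in small) / total if total else 0.0,
        "distinct_destinations": len({t.dst for t in hops}),
    }


def is_structured_campaign(profile):
    """Flag a large aggregate volume moved mostly in sub-threshold tranches."""
    return (profile["total_usd"] >= MIN_TOTAL_USD
            and profile["small_count"] >= MIN_SMALL_COUNT
            and profile["small_share"] >= SMALL_SHARE_MIN)


def build_sample_ledger(theft_time):
    """Constructed ledger (not real chain data): 3 large hops, then 44 small."""
    def day(n):
        return theft_time + timedelta(days=n)
    ledger = []
    # Layer 0: the hypothetical attacker address 0xA1 splits the haul into large hops.
    for dst, usd in (("0xB1", 4_000_000), ("0xB2", 3_000_000), ("0xB3", 3_000_000)):
        ledger.append(Transfer(day(1), "0xA1", dst, float(usd)))
    # Layer 1: each intermediary breaks its share into sub-$500k tranches.
    hop = 0
    for src, count, usd in (("0xB1", 10, 400_000), ("0xB2", 6, 480_000), ("0xB3", 6, 480_000)):
        for _ in range(count):
            hop += 1
            ledger.append(Transfer(day(2 + hop % 7), src, f"0xC{hop:02d}", float(usd)))
    # Layer 2: tranches are forwarded again, e.g. toward bridge deposit addresses.
    for i in range(1, 23):
        usd = 400_000 if i <= 10 else 480_000
        ledger.append(Transfer(day(20 + i % 5), f"0xC{i:02d}", f"0xD{i:02d}", float(usd)))
    # Noise: one hop after the window closes and one unrelated clean transfer.
    ledger.append(Transfer(day(60), "0xD01", "0xE01", 400_000.0))
    ledger.append(Transfer(day(5), "0xX1", "0xX2", 250_000.0))
    return ledger


def analyse(theft_time=datetime(2025, 1, 1), window=LAUNDER_WINDOW):
    """Trace from the hypothetical theft address and profile what follows."""
    ledger = build_sample_ledger(theft_time)
    tainted = trace_taint(ledger, {"0xA1"}, theft_time, window)
    profile = tranche_profile(ledger, tainted, theft_time, window)
    profile["tainted_addresses"] = len(tainted)
    profile["flagged"] = is_structured_campaign(profile)
    return profile


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key:>21}: {value}")
```

Run it directly to print the profile: on the constructed ledger it reports 47 in-window hops, about 66% of volume in sub-$500,000 tranches, and a flagged campaign. Shortening the window to a quarter of the 45 days cuts off the second layer of hops, drops the small-tranche share below 60%, and the same cluster is no longer flagged, which is the point of fitting the window to the actor's observed cycle rather than to a generic daily or weekly batch. In practice the seed set would come from an incident's known attacker addresses, the ledger from a node or indexer, and known service deposit addresses would be excluded from propagation so that taint stops at an exchange instead of spreading to its unrelated customers.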