Crypto Reporter
Shalini Nagarajan
Crypto Reporter
Share
North Korea-linked hackers just posted their biggest crypto theft year on record, turning 2025 into a warning that a handful of state-backed strikes can still overwhelm even well-funded defences.
Chainalysis said in its Crypto Crime Report published Thursday that the industry lost more than $3.4B to theft from January through early Dec. 2025, with a single March compromise of Bybit accounting for $1.5b.
Within that total, the Democratic People’s Republic of Korea (DPRK) remained the dominant threat actor by value. Chainalysis put DPRK-linked theft at at least $2.02B in 2025, up 51% year-on-year, and said those attacks accounted for a record 76% of all service compromises.
The lower-bound cumulative estimate for DPRK crypto theft now stands at $6.75B.
Image Source: Chainalysis
This jump came even as investigators assessed fewer confirmed incidents, a sign that a small number of hits now do more damage than a long list of smaller breaches.
Embedded IT Workers Enable High-Impact Breaches
Chainalysis said the top three hacks in 2025 made up 69% of all service losses, and the largest incident crossed 1,000 times the median theft for the first time.
One driver is access. Chainalysis said DPRK-linked actors increasingly embed IT workers inside crypto services to gain privileged access, then use that foothold to enable high-impact compromises across exchanges, custodians and Web3 firms.
The report also framed private key compromises as a recurring fault line for centralized platforms, where rare failures still dominate the loss tally when they happen.
Chainalysis said private key compromises drove 88% of losses in the first quarter of 2025, even at firms with institutional resources and professional security teams.
At the same time, the personal-wallet problem grew wider, even as the average hit got smaller.
South Korean Probe Links Solana Wallet Breach To DPRK Actors
South Korean officials and several cybersecurity firms believe the Nov. 2025 breach of Upbit’s Solana hot wallet was carried out by Lazarus, North Korea’s state-backed hacking group, in an attack that siphoned roughly 44.5 billion won, or about $30 to $36 million, in Solana-based tokens.
Chainalysis estimated theft incidents surged to 158,000 in 2025 with at least 80,000 victims, and said the total stolen from individuals fell to $713 million, suggesting attackers targeted more users for less per victim.
When DPRK-linked funds move, they often move with discipline. Chainalysis described a structured, multi-wave laundering pathway that typically unfolds over roughly 45 days after major hacks, starting with rapid layering, then integration through selected venues, and finishing with conversion-focused touchpoints.
It also flagged distinctive operational choices, including heavy use of Chinese-language money movement and guarantee services, plus strong reliance on bridges and mixing services, while showing less interest in lending protocols and P2P venues than other stolen-fund actors.
Even the on-chain “shape” looks different. Chainalysis said DPRK laundering concentrates slightly over 60% of volume below $500,000 per transfer, while other actors more often send funds in $1M to $10M plus tranches, a pattern it framed as a sign of sophisticated structuring.
https://cryptonews.com/news/north-korea-linked-crypto-thefts-top-2b-2025/
