More than $3.4 billion was stolen from the cryptocurrency industry in 2025, according to a new report, with the majority of those losses tied to North Korean hackers. 

Blockchain security company Chainalysis published its annual report covering the year’s crypto theft, finding a general shift toward larger, costlier attacks and new tactics used by North Korean hackers to launder stolen funds.

While Chainalysis noted an increase in the number of private owners having their cryptocurrency stolen, one of the main takeaways from this year’s report is North Korea’s ability to focus its efforts on a smaller number of attacks with higher payouts. 

Andrew Fierman, head of national security intelligence at Chainalysis, told Recorded Future News they saw North Korean-linked operators “maintained a consistent laundering cycle using mixers, DeFi protocols, bridges, and no-KYC exchanges in addition to underground informal Chinese money laundering networks.”

Of the $3.4 billion in crypto stolen from January to December, Chainalysis attributed at least $2.02 billion to North Korean hackers. The figure is $681 million more than what the country’s hackers are estimated to have stolen in 2024.

Much of the figure is attributed to the $1.5 billion theft from Dubai-based platform Bybit in February, but two weeks ago South Korean officials also accused North Korea of stealing $30 million worth of cryptocurrency from crypto platform Upbit. 

Fierman declined to say what other incidents Chainalysis is tying to North Korea but said the country focused on large, centralized targets with significant reserves in 2025. 

The hackers typically were able to steal private keys — pivotal cryptographic secrets that grant a person full control over digital assets. 

Fierman tied the incidents to North Korea’s parallel IT worker campaign, where members of the country’s military surreptitiously get hired at Western tech companies. 

The IT worker campaign has been adept at getting North Koreans hired at crypto exchanges, custodians, and web3 firms, allowing them to steal information later used for attacks or place backdoors that enable lateral movement within the crypto industry.

“This year was defined by a small number of large private key compromises of centralized services, which materially shaped the totals. Social engineering continues to be the primary attack vector – whether by posing as IT workers or as recruiters to earn trust and gain access to victims’ systems,” Fierman explained. 

“However, North Korea continues to be creative in its approach to exploiting security vulnerabilities, as noted by the supply chain exploit via a third-party vendor in the ByBit hack.”

North Korea has used the IT worker campaign and the crypto thefts as a key revenue source to make up for being cut off from the global financial system. 

Chainalysis said this was the most severe year on record for North Korean crypto thefts because the country is responsible for 76% of all crypto service compromises based on value stolen. 

Since Chainalysis began tracking the figures in 2022, North Korea has stolen $6.75 billion in crypto. The United Nations said last year that it is tracking dozens of incidents over a five-year period that have netted North Korea about $3 billion.

North Korea also stood out in 2025 because they laundered the stolen funds in ways different from most cybercriminals. Pyongyang hackers typically launder funds in $500,000 chunks rather than the typical $1 million to $10 million range.

They also prefer to use Chinese language platforms that have weak compliance controls like Cambodian site Huione — which was sanctioned by U.S. officials this year. Chainalysis said last year that Huione has processed more than $49 billion in cryptocurrency transactions since 2021.

“Their heavy use of professional Chinese-language money laundering services and over-the-counter (OTC) traders suggests that DPRK threat actors are tightly integrated with illicit actors across the Asia-Pacific region, and is consistent with Pyongyang’s historical use of China-based networks to gain access to the international financial system,” Chainalysis experts said.