Kim Jong-un’s North Korean hackers stole $2 billion of crypto in 2025
New analysis found that North Korean hacking groups are the largest nation-state threat to cryptocurrency, accounting for a record 76% of all service-level compromises, despite fewer incidents
North Korean hackers stole more than $2 billion (£1.5bn) in cryptocurrency in 2025, bringing the all-time total to $6.75 billion (£5bn), new analysis shows.
Data from Chainalysis reveals that North Korea saw a 51% year-on-year increase in crypto thefts, despite fewer attacks overall. It comes as the cryptocurrency industry witnessed over $3.4 billion in theft throughout 2025.
Despite fewer confirmed incidents from North Korean-linked groups, the country remains the ‘largest nation-state threat to cryptocurrency security.’
The report found that these hackers accounted for a record 76 per cent of all service-level compromises, excluding personal wallet hacks.
This points to a shift toward fewer but significantly larger breaches, with the focus on exchanges and custodians, where crypto wallets are kept by a third party, rather than on smaller decentralised finance (DeFi) platforms, whose security has improved.
One example from this year is the eye-watering $1.5 billion theft in February from UAE-based exchange Bybit. This was the largest crypto heist on record.
According to Chainalysis, much of North Korea’s success comes down to insider infiltration, which allows their operations to bypass conventional security measures.
The report said: “This year, North Korean hackers demonstrated a clear strategy: when they strike, they aim for maximum financial. Non–North Korean attackers, by contrast, showed a relatively even distribution across theft sizes.”
Chainalysis also found patterns in the way these hacking groups launder their money. The report added: “The massive influx of stolen funds in early 2025 provides unprecedented visibility into how DPRK-linked actors launder cryptocurrency at scale.
“Their patterns differ markedly from those of other cybercriminals and evolve over time, revealing current operational preferences and potential vulnerabilities.”
North Korean-backed groups preferred to launder money through Chinese-language services, and mixed different services to obscure the trail of funds.
Following major theft events between 2022 and 2025, funds stolen by North Korea tend to follow a structured, multi-wave laundering pathway that unfolds over 45 days.
The report concluded: “As North Korea continues to use cryptocurrency theft to fund state priorities and circumvent international sanctions, the industry must recognize that this threat actor operates by different rules than typical cybercriminals.
“The country’s record-breaking 2025 performance — achieved with 74% fewer known attacks — suggests we may be seeing only the most visible portion of its activities.
“The challenge for 2026 will be detecting and preventing these high-impact operations before DPRK-affiliated actors inflict another Bybit-scale incident.”
