North Korean Hackers Have a "Fat Year": 2025 Theft Reaches Record Highs, Money Laundering Cycle Around 45 Days

Author: Chainalysis

Compiled by: Felix, PANews

In response to years of North Korean hackers’ attacks on the crypto industry, Chainalysis focused on analyzing North Korean hacking tactics in the 2025 Hacking Attack Report. Below are the details.

Key Points:

• North Korean hackers stole $2.02 billion worth of cryptocurrencies in 2025, a 51% increase year-over-year. Despite fewer attacks, their total stolen amount has reached $6.75 billion.
• North Korean hackers have stolen more cryptocurrencies with fewer attacks, often by inserting IT personnel into crypto services or using complex impersonation strategies targeting executives.
• North Korean hackers clearly favor Chinese money laundering services, cross-chain bridge services, and mixing protocols. After major thefts, their money laundering cycle averages about 45 days.
• In 2025, incidents of personal wallet theft surged to 158,000, affecting 80,000 users, though the total stolen value ($713 million) decreased compared to 2024.
• Despite an increase in total DeFi TVL, hacking losses from 2024 to 2025 remain at a relatively low level, indicating that security improvements are having a significant effect.

In 2025, the crypto ecosystem faces renewed severe challenges, with stolen funds continuing to rise. Analysis shows four key features of crypto theft patterns: North Korean hackers remain the primary threat; targeted attacks on centralized services are intensifying; personal wallet thefts are surging; and DeFi hacking trends are diverging unexpectedly.

Overall Situation: In 2025, the stolen amount exceeded $3.4 billion

From January to early December 2025, the crypto industry experienced thefts exceeding $3.4 billion, with the attack on Bybit in February alone accounting for $1.5 billion.

Data also reveal significant changes in these theft events. Personal wallet thefts increased sharply, rising from 7.3% of total stolen value in 2022 to 44% in 2024. If not for the massive attack on Bybit, this ratio in 2025 might have reached 37%.

Meanwhile, centralized services are suffering increasing losses due to sophisticated attacks targeting private key infrastructure and signing processes. Although these platforms have institutional resources and professional security teams, they remain vulnerable to threats capable of bypassing cold wallet controls. While such intrusions are infrequent (as shown below), when they occur, they result in huge amounts of stolen funds. In Q1 2025, such events accounted for 88% of total losses. Many attackers have developed methods to exploit third-party wallet integrations and trick signers into authorizing malicious transactions.

Although crypto security has improved in some areas, the high amount of stolen funds indicates that attackers still succeed through various means.

The top three hacking attacks account for 69% of total losses, with extreme cases reaching 1000 times the median

Historically, theft events are driven by extreme incidents. Most hacking attacks are relatively small, but a few are massive. However, 2025 saw a deterioration: the ratio of the largest attack to the median of all events broke the 1000x threshold for the first time. Now, the largest attack involved stolen funds 1000 times greater than typical events, even surpassing the peak of the 2021 bull market. These calculations are based on the USD value of stolen funds at the time of theft.

This widening gap causes losses to be highly concentrated. The top three hacking attacks in 2025 account for 69% of all losses, with individual events having an outsized impact on annual total losses. Although attack frequency may fluctuate and median losses increase with rising asset prices, the potential losses from major vulnerabilities are rising at an even faster pace.

Despite a decrease in confirmed attack events, North Korea remains the main threat

Although attack frequency has significantly declined, North Korea remains the most serious threat to crypto security. In 2025, their stolen crypto funds hit a new high, at least $2.02 billion (up $681 million from 2024), a 51% increase year-over-year. In terms of stolen amount, 2025 is the most severe year on record for North Korean crypto thefts, with attacks accounting for 76% of all intrusion incidents, a new high. Overall, the total estimated amount stolen by North Korea has reached at least $6.75 billion.

North Korean hackers are increasingly inserting IT personnel (one of their main attack methods) into crypto services to gain privileged access and carry out major attacks. The record number of attacks this year may partly reflect North Korea’s greater reliance on infiltrating exchanges, custodians, and Web3 companies, which can accelerate initial access and lateral movement, creating conditions for large-scale theft.

However, recent hacker groups linked to North Korea have completely overturned this IT worker model. They no longer just apply for jobs and infiltrate as employees; instead, they increasingly impersonate recruiters from well-known Web3 and AI companies, meticulously planning fake recruitment processes. Under the guise of “technical screening,” they obtain victims’ login credentials, source code, and VPN or SSO access to their current employers. At the executive level, similar social engineering tactics involve fake strategic investors or acquirers, using pitch meetings and pseudo-due diligence to probe sensitive system information and high-value infrastructure. This evolution directly builds on North Korea’s IT worker fraud activities and focuses on strategically important AI and blockchain companies.

As seen in recent years, North Korea’s ongoing cyberattacks are far more valuable than those of other hackers. As shown below, from 2022 to 2025, North Korean attacks dominate the highest-value segments, whereas non-North Korean attacks are more evenly distributed across all theft sizes. This pattern further indicates that North Korean hackers target large services to maximize impact.

The record losses this year are driven by a significant reduction in known events. This shift (fewer events but larger losses) reflects the impact of the large-scale Bybit attack in February 2025.

North Korea’s Unique Money Laundering Patterns

The influx of stolen funds early in 2025 reveals how North Korean hackers conduct large-scale crypto laundering. Their methods are markedly different from other cybercriminals and have evolved over time.

North Korea’s money laundering exhibits a clear “tiered” pattern, with over 60% of transaction volume concentrated in amounts below $500,000. In contrast, more than 60% of on-chain transferred funds by other hackers are in the range of $1 million to over $10 million, transferred in batches. Although North Korea’s laundering amounts are higher per transaction, they break down transfers into smaller batches, highlighting the complexity of their laundering techniques.

Compared to other hackers, North Korea shows distinct preferences in certain laundering steps:

• Chinese fund transfer and escrow services (+355% to over 1000%): This is the most prominent feature, heavily relying on Chinese escrow services and a network of laundering operators with potentially weaker compliance controls.
• Cross-chain bridge services (+97%): Highly dependent on cross-chain bridges to transfer assets across different blockchains, attempting to increase traceability difficulty.
• Mixing services (+100%): More frequently using mixing services to obscure fund flows.
• Specialized services like Huione (+356%): Strategically employing specific services to assist laundering activities.

Other hackers involved in laundering tend to prefer:

• Lending protocols (-80%): North Korea avoids using these DeFi services, indicating limited integration with the broader DeFi ecosystem.
• No-KYC exchanges (-75%): Surprisingly, other hackers use no-KYC exchanges more than North Korea.
• P2P exchanges (-64%): North Korea shows limited interest in P2P platforms.
• CEX (-25%): Other hackers interact more directly with traditional exchanges.
• DEX (-42%): Other hackers prefer DEXs for their high liquidity and anonymity.

These patterns suggest that North Korea’s operations are influenced by different constraints and objectives compared to non-state-sponsored cybercriminals. They heavily utilize professional Chinese laundering services and OTC traders, indicating close ties with illicit actors in the Asia-Pacific region.

Timeline of North Korean Hacker Money Laundering Post-Attack

Analysis of on-chain activity following North Korean attributed hacker events from 2022 to 2025 shows consistent patterns in the flow of stolen funds within the crypto ecosystem. After major thefts, stolen funds follow a structured, multi-stage money laundering process lasting approximately 45 days:

Stage 1: Immediate Layering (Days 0-5)

In the initial days after the attack, a flurry of activity is observed, focusing on quickly moving funds away from the source:

• The flow of stolen funds through DeFi protocols increases by +370%, becoming the primary entry point.
• Mixing service transactions surge by +135-150%, forming the first layer of obfuscation.
• This stage represents an urgent “first step” to distance the funds from the initial theft.

Stage 2: Preliminary Integration (Days 6-10)

In the second week, laundering strategies shift toward services that help integrate funds into broader ecosystems:

• Exchanges with fewer KYC restrictions (+37%) and CEXs (+32%) begin receiving funds.
• Second-layer mixing services (+76%) continue laundering at a lower intensity.
• Cross-chain bridges (e.g., XMRt, +141%) help disperse and obscure fund flows across blockchains.
• This is a critical transition phase, with funds moving toward potential exit points.

Stage 3: Long-tail Integration (Days 20-45)

The final stage favors services capable of converting funds into fiat or other assets:

• No-KYC exchanges (+82%) and escrow services (e.g., Potato Single Treasure, +87%) see significant growth.
• Instant exchanges (+61%) and Chinese platforms (e.g., HuiWang, +45%) become final conversion points.
• CEXs (+50%) also receive funds, indicating attempts to blend illicit and legitimate funds.
• Platforms in jurisdictions with less regulation, such as Chinese laundering networks (+33%) and Grinex (+39%), complete this pattern.

This typical 45-day laundering window provides critical intelligence for law enforcement and compliance teams. The persistence of this pattern over multiple years suggests that North Korean hackers face operational constraints, possibly related to limited access to financial infrastructure and the need to coordinate with intermediaries.

While these hackers do not always follow this exact timeline—some stolen funds may remain dormant for months or years—this pattern represents their typical on-chain behavior during active laundering. It’s also important to recognize potential blind spots in this analysis, as certain activities (e.g., private key transfers or OTC crypto-to-fiat exchanges) are not visible on-chain without corroborating intelligence.

Personal Wallet Theft: Growing Threat to Individual Users

Analysis of on-chain patterns, victim reports, and industry partners’ insights reveal the severity of personal wallet thefts, though actual incidents may be much higher. An estimated minimum of 20% of total losses in 2025 stem from personal wallet thefts, down from 44% in 2024, indicating changes in scale and pattern. The total number of theft events in 2025 soared to 158,000, nearly three times the 54,000 recorded in 2022. The number of victims increased from 40,000 in 2022 to at least 80,000 in 2025. These significant increases are likely driven by broader crypto adoption. For example, Solana, one of the blockchains with the most active individual wallets, leads in theft incidents, with approximately 26,500 victims.

However, despite the increase in incidents and victims, the total USD amount stolen per victim decreased from a peak of $1.5 billion in 2024 to $713 million in 2025. This suggests that attackers target more users, but the amount stolen from each victim is smaller.

Victim data across networks provide further insights into which areas pose the greatest threats to crypto users. The chart below shows victim data adjusted for active individual wallets per network, measured by crime rate per 100,000 wallets in 2025. Ethereum and TRON have the highest theft rates. Ethereum’s large user base indicates high theft and victim counts, while TRON’s ranking shows that despite fewer active wallets, its theft rate remains high. In contrast, networks like Base and Solana, with large user bases, have lower victimization rates.

This indicates that the security risk for individual wallets in the crypto ecosystem is not uniform. Even with similar technical architectures, victimization rates vary across blockchains, suggesting that factors beyond technology—such as user demographics, popular applications, and criminal infrastructure—play significant roles in theft likelihood.

DeFi Hacker Attacks: Diverging Patterns Signal Market Shifts

DeFi sector data in 2025 reveal a distinct pattern, diverging sharply from historical trends.

The data show three clear phases:

• Phase 1 (2020-2021): DeFi TVL and hacker attack losses grow in tandem
• Phase 2 (2022-2023): Both metrics decline together
• Phase 3 (2024-2025): TVL rebounds, while attack losses remain stable

The first two phases follow an intuitive pattern: higher risk value means more to steal, leading hackers to target high-value protocols more aggressively. As Willie Sutton famously said, “Because that’s where the money is.”

This makes the divergence in the third phase even more notable. While DeFi TVL has significantly recovered from its 2023 lows, losses from hacking attacks have not increased correspondingly. Despite billions flowing back into these protocols, DeFi hacking incidents remain at a relatively low level, marking a significant shift.

Two factors may explain this divergence:

• Improved security: Despite rising TVL, attack rates continue to decline, suggesting DeFi protocols are implementing more effective security measures than during 2020-2021.
• Target shift: The simultaneous increase in personal wallet thefts and centralized service attacks indicates that attackers may be shifting focus elsewhere.

Case Study: Security Response of Venus Protocol

The Venus protocol incident in September 2025 demonstrates that enhanced security measures are making a real difference. Attackers exploited a compromised Zoom client to gain system access and tricked a user into granting delegation rights to an account worth $13 million, which could have been catastrophic. However, Venus had just activated Hexagate’s security monitoring platform a month earlier.

The platform detected suspicious activity 18 hours before the attack and issued an alert immediately after the malicious transaction occurred. Within 20 minutes, Venus paused its protocol, preventing any fund movement. This coordinated response exemplifies the evolution of DeFi security:

• Within 5 hours: Completed security checks and partially restored functions
• Within 7 hours: Forced liquidation of the attacker’s wallet
• Within 12 hours: Recovered all stolen funds and resumed service

Most notably, Venus passed a governance proposal to freeze $3 million of assets still controlled by the attacker; the attacker not only failed to profit but also lost funds.

This incident indicates significant improvements in DeFi security infrastructure. Proactive monitoring, rapid response capabilities, and decisive governance actions make the ecosystem more agile and resilient. Although attacks still occur, the ability to detect, respond to, and even reverse attacks marks a fundamental shift from the early DeFi era, where successful attacks often meant permanent loss.

Implications for 2026 and Beyond

The 2025 data reveal a complex evolution of North Korea as the crypto industry’s greatest threat. While attack frequency has decreased, destructive capacity has increased substantially, indicating more sophisticated and patient tactics. The impact of the February Bybit attack suggests that when North Korea successfully executes major thefts, it reduces operational tempo and focuses on laundering.

For the crypto industry, this evolution underscores the need to remain vigilant against high-value targets and improve detection of North Korea’s specific money laundering patterns. Their continued preference for certain service types and transfer amounts offers opportunities for detection, distinguishing them from other criminals and aiding investigators in identifying on-chain behaviors.

As North Korea continues to use crypto theft to fund national priorities and evade international sanctions, the crypto industry must recognize that North Korea’s modus operandi differs markedly from typical cybercriminals. Their record-breaking performance in 2025 (with a 74% reduction in known attacks) suggests that what is visible may only be the tip of the iceberg. The challenge for 2026 is to detect and prevent similar large-scale attacks like the one on Bybit before they happen again.

Related: Surge in Crypto Security Losses: Attacks Decrease, but Damage Significantly Increases