North Korean hackers stole a record $2 billion of crypto in 2025, Chainalysis says


TL;DR

North Korean hackers stole a record $2 billion in cryptocurrency in 2025, a 51% increase from 2024, bringing their total haul to $6.75 billion. They now account for 76% of service-level hacks, focusing on fewer but larger attacks with sophisticated laundering methods.

Key Takeaways

  • North Korean hackers stole $2 billion in crypto in 2025, a 51% increase from 2024, pushing their all-time total to $6.75 billion.
  • They were responsible for 76% of service-level hacks, shifting toward fewer but larger attacks like the $1.4 billion Bybit hack in March.
  • Laundering involves Chinese-language brokers, bridges, and mixers with a typical 45-day cash-out window, avoiding DeFi protocols favored by other criminals.
  • AI is suspected to enhance their laundering efficiency, creating streamlined workflows for converting and moving stolen funds.
  • The broader theft landscape shows a rise in personal wallet compromises (158,000 incidents) but lower individual losses ($713 million), indicating more targeted but smaller-scale attacks.
North Korean hackers stole $2 billion in 2025 (Micha Brändli, Unsplash, modified by CoinDesk)

What to know:

  • North Korean hackers stole at least $2 billion in 2025, up 51% from the year before, pushing their all-time haul to $6.75 billion.
  • The hackers were behind 76% of service-level hacks, reflecting a shift toward fewer, larger breaches.
  • Laundering patterns show heavy use of Chinese-language brokers, bridges and mixers, with a typical 45-day cash-out window.

North Korean hackers stole at least $2 billion in cryptocurrency this year, the most on record, pushing the Democratic People’s Republic of Korea's (DPRK) all-time haul to $6.75 billion, according to a new Chainalysis report.

The figure represents a 51% increase over 2024 from fewer confirmed incidents. The numbers underscore a shift toward fewer, dramatically larger attacks, underpinned by March's $1.4 billion hack of Bybit.

In contrast to other cybercriminals, North Korean groups overwhelmingly target large, centralized crypto services, aiming for maximum impact rather than frequency, the report said. DPRK-linked actors were responsible for 76% of all service-level compromises in 2025, the most ever recorded.

How they launder the cash also stands out. While other hackers tend to distribute stolen funds in large onchain transfers, DPRK actors consistently work with smaller tranches below $500,000, a sign of increasingly sophisticated operational security.

DPRK-linked wallets show a heavy reliance on Chinese-language guarantee services, brokers and over-the-counter networks, as well as extensive use of bridges and mixing services. They largely avoid the DeFi lending protocols, decentralized exchanges and peer-to-peer platforms favored by other criminals. These patterns suggest structural constraints and a dependence on specific regional facilitators rather than broad access to global financial infrastructure.

Earlier this year, CoinDesk reported on how North Korea is now using AI as a "superpower" in its hacking efforts.

"North Korea facilitates the laundering of their crypto heists with consistency and fluidity indicative of the use of AI," Andrew Fierman, head of national security intelligence at Chainalysis, told CoinDesk.

"The mechanism by which the laundering is structured, and the scale at which it is done, creates a workflow that combines mixers, DeFi protocols, and bridges early on in the laundering process to convert funds across various crypto assets," he said. "To execute this type of efficacy in stealing such large volumes of crypto, North Korea needs a large laundering network, along with streamlined mechanisms to facilitate that laundering, which likely comes in the form of the use of AI."

Analysis of post-hack activity reveals that major North Korean thefts typically unfold over a roughly 45-day laundering window, moving through distinct phases from immediate obfuscation to final integration, Chainalysis said. While not universal, the consistency of this timeline across multiple years provides valuable intelligence for law enforcement and compliance teams seeking to intercept stolen funds before they are fully cashed out.

At the same time, the broader theft landscape is shifting. Personal wallet compromises accounted for 20% of total value stolen in 2025, dropping from 44% last year. While the number of incidents surged to 158,000, the dollar value taken from individual victims fell 52% to $713 million. The data suggest attackers are targeting more users but stealing less from each.

As the year winds to a close, North Korea's crypto hacking efforts show no sign of abating. The report's findings point to an increasingly polarized threat environment: mass, low-value thefts from individuals on one end, and rare but catastrophic service-level breaches on the other, with North Korea firmly at the center of the latter.


Disclosure & Policies: CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. CoinDesk has adopted a set of principles aimed at ensuring the integrity, editorial independence and freedom from bias of its publications. CoinDesk is part of Bullish (NYSE:BLSH), an institutionally focused global digital asset platform that provides market infrastructure and information services. Bullish owns and invests in digital asset businesses and digital assets, and CoinDesk employees, including journalists, may receive Bullish equity-based compensation.
