
Chainalysis: North Korea’s 2025 Crypto Haul Hits Record $2.02 Billion After Bybit Attack

By Staff Writer

Updated reporting based on Chainalysis data and industry reaction.

North Korean state-linked hackers stole an estimated $2.02 billion in cryptocurrency in 2025, marking the largest single-year haul recorded by blockchain investigators and driven in large part by a February breach of the Bybit exchange, according to a Chainalysis report and corroborating industry coverage.[3][1]

What happened and how much was taken

Chainalysis reports that DPRK-affiliated groups stole $2.02 billion in 2025, a 51% increase compared with 2024, and pushed their cumulative total since tracking began to roughly $6.75 billion.[3] The dramatic increase in value stolen was concentrated in a small number of very large incidents: the February attack on Bybit alone accounted for roughly $1.4–$1.5 billion of the total, according to multiple industry sources and reporting citing forensic findings and law enforcement assessments.[4][1]

Shift in tactics: fewer incidents, bigger scores

The Chainalysis analysis shows the DPRK achieved this record haul with far fewer confirmed incidents than in prior years, indicating a tactical shift toward high-value targets and more sophisticated tradecraft.[3] Researchers note that North Korean actors increasingly target large centralized services and use techniques such as social engineering, impersonation of executives, and embedding hostile insiders to facilitate massive transfers—all methods that yield much larger returns per breach.[3][1]

Personal wallets and broader victim counts

While large exchange compromises dominated the total dollar value, the report also highlights a surge in attacks against individual wallets. Chainalysis found nearly 158,000 theft incidents in 2025 and about 80,000 unique victims, with personal wallet targeting accounting for roughly 44% of the value stolen, up from about 7.3% in 2022. The rise reflects broader consumer adoption of crypto and the attractiveness of easier-to-exploit personal accounts.[2][3]

Industry and government response

The scale of the Bybit loss and other large incidents has prompted intensified attention from exchanges, cybersecurity firms and law enforcement worldwide. U.S. and allied agencies have increasingly attributed major crypto heists to DPRK actors and are collaborating with private-sector blockchain investigators to trace and recover stolen funds when possible, according to reporting and public statements tied to the investigations.[4][6]

Why this matters

Investigators say the pattern of fewer but higher-value attacks raises new challenges for detection and prevention: a single successful compromise of an exchange or large custodian can yield billions, making those entities far more attractive targets than in past years, when attackers focused on smaller, opportunistic thefts.[3][1]

Broader numbers for 2025

Chainalysis estimates that a total of roughly $3.4 billion in cryptocurrency was stolen globally in 2025, with DPRK-affiliated operations responsible for the majority of the value taken, reinforcing the country’s position as the dominant nation-state-linked threat in the crypto theft landscape for the year.[3][5]

Expert assessments and open questions

Security researchers caution that publicly reported figures likely represent only the most visible portion of illicit activity: the large increase in value despite fewer known incidents suggests some operations are highly targeted and may remain covert until discovered.[1][3] Analysts also note that attribution—while increasingly supported by blockchain forensics and intelligence sharing—can be disputed publicly; however, multiple major U.S. agencies and independent firms have linked the Bybit breach and other large 2025 incidents to DPRK-affiliated actors.[4][6]

What exchanges and users can do

Chainalysis and other cybersecurity experts recommend robust operational security for exchanges and custodians, stronger identity and access controls, comprehensive insider-threat programs, and user education to reduce personal wallet risk—particularly as attackers pivot to high-value, low-frequency strikes that maximize returns.[3][2]

Reporting synthesized from Chainalysis’ 2025 crypto theft analysis and contemporary industry coverage by The Register, Fortune, Help Net Security and other outlets.[3][1][4][2]
