North Korean-linked hacking groups stole at least $2.02 billion in cryptocurrency during 2025, marking the largest single-year total attributed to Pyongyang’s cybercriminal operations and pushing their estimated cumulative takings to approximately $6.75 billion, according to a Chainalysis analysis cited in multiple reports.[3]

What happened

Chainalysis’s 2025 review of crypto thefts found that Democratic People’s Republic of Korea (DPRK)–linked actors increased the value of funds they extracted by 51% year-over-year, even as the number of confirmed incidents fell. The firm reported that North Korean groups were responsible for $2.02 billion of cryptocurrency stolen in 2025, bringing their lifetime total to about $6.75 billion.[3]

How they did it

Chainalysis and subsequent industry reporting indicate that DPRK-affiliated groups have shifted tactics toward fewer, but much larger, operations—targeting centralized services and exploiting high-value opportunities rather than carrying out a high volume of smaller attacks.[3][2]

Industry analyses attribute part of 2025’s spike to one or more major breaches that delivered outsized returns for the attackers; reports specifically call out a large compromise of the Bybit exchange earlier in the year that accounted for an estimated $1.5 billion of the total attributed to DPRK-linked actors.[4]

Scope and trends

Chainalysis noted that DPRK-linked hacks represented a disproportionately large share of service compromises in 2025, with North Korea–linked actors responsible for roughly three-quarters of such incidents by value in some tallies, underscoring the nation’s outsized impact on the global crypto-theft landscape.[1][4]

Other data points from industry reporting show that overall crypto theft across all actors also surged in 2025, with some sources putting total stolen funds in the year at roughly $3.4 billion and documenting large increases in theft value even as confirmed incident counts fell.[6][3]

Laundering and operational sophistication

Security researchers and Chainalysis highlighted an improving DPRK capability to launder stolen proceeds, using more sophisticated chain-hopping, mixing services, exploitations of cross-chain bridges, and impersonation or insider-style tactics to move and obfuscate funds, making attribution and recovery more difficult for victims and law enforcement.[3][5]

Notable targets and victims

Reports list a mix of centralized exchanges, cross-chain bridges, decentralized finance (DeFi) protocols, and personal wallets among targets. The Bybit compromise was singled out by multiple outlets as a single incident with especially large financial impact on the DPRK total for 2025.[4][2]

Industry and governmental response

The scale and sophistication of DPRK-linked thefts has prompted calls from security firms, exchanges, and governments for enhanced defenses, improved on-chain monitoring, better custodial controls, and international cooperation to disrupt laundering networks and recover stolen assets.[3][5]

Chainalysis’s public release of the data and subsequent media reporting have also spurred renewed scrutiny of crypto platforms’ operational security and due diligence processes for both centralized services and cross-chain tools.[3]

Wider implications

Analysts warn the 2025 data illustrates a persistent strategic use of cyber-enabled financial crime by the DPRK to generate revenue, and that the pattern—fewer attacks that yield larger payouts—raises systemic risks for the industry because single breaches can produce catastrophic losses for platforms and their users.[2][3]

Expert commentary

Andrew Fierman, head of national security intelligence at Chainalysis, told media outlets that North Korea’s ability to launder proceeds continues to improve, amplifying the damage from successful intrusions and complicating recovery efforts.[5]

What remains uncertain

While industry reports converge on the $2.02 billion figure for DPRK-linked thefts in 2025 and on a roughly $6.75 billion cumulative total, exact attribution and final tallies can change as investigations continue and as new forensic information emerges; firms that track on-chain flows warn that reported figures are lower-bound estimates that may be revised as additional data is analyzed.[3][1]