North Korea tied to record crypto theft totals in twenty twenty five

According to a 2026 Crypto Crime Report by blockchain analytics firm Chainalysis, DPRK-linked hackers were behind at least $2.02 billion of the value stolen, representing a 51 % increase year-on-year and accounting for roughly 76 % of all major service compromises in 2025.

The largest single exploit contributing to the record haul was a February 2025 hack of the Bybit exchange, where attackers siphoned off around $1.5 billion in digital assets, a level of loss that surpassed previous historic breaches and underscored attackers’ focus on high-impact targets.

Chainalysis data shows that while the number of individual hacking incidents declined, the average size of each successful theft grew sharply, as DPRK-linked groups shifted strategies toward fewer but more lucrative operations. This pattern helped drive the disproportionate contribution of North Korea-attributed thefts to the global total.

In addition to centralized exchange breaches, personal wallet compromises also remained significant in the annual tally. Analysts observed a continued rise in smaller-scale attacks on individual holders, though the cumulative value from those incidents was lower than in some previous years when large institutional hacks did not dominate the statistics.

Chainalysis said DPRK-linked actors increasingly exploited insider access tactics, including placing operatives in IT roles at crypto exchanges, custodians and Web3 firms through deception, as well as using fake recruiter schemes and impersonation to harvest sensitive credentials and system access ahead of larger incursions.

The profile of laundering behavior for stolen assets by these groups also showed specific patterns: perpetrators moved funds in smaller on-chain tranches, often below $500,000 per transaction, while relying on mixers, cross-chain bridges and Chinese-language laundering services to obscure the provenance of illicit holdings.

Earlier estimates suggest that the cumulative total stolen by North Korean crypto hackers since tracking began has now reached at least $6.75 billion, emphasizing the persistent scale of such operations over multiple years.

Security professionals and national security analysts have highlighted that these thefts, widely attributed to groups such as the Lazarus Group – a North Korea-linked advanced persistent threat organization – form part of the DPRK’s broader strategy to generate revenue in the face of international sanctions.

North Korea’s engagement in cybercrime, particularly in cryptocurrency theft, has been documented over the past decade, with notable incidents including the 2014 Sony Pictures hack, the 2017 WannaCry ransomware outbreak and several major crypto exploits attributed to Lazarus and affiliated units. Crypto theft by these actors has become a major source of revenue for the DPRK regime.