North Korean Hackers Stole $2.06B in Crypto in 2025
North Korean-linked hackers stole $2.06 billion in 2025, equal to 60% of global crypto thefts, CertiK reports.
Blockchain security firm CertiK reported that North Korea-linked hackers drained $2.06 billion from cryptocurrency platforms in 2025, accounting for about 60% of global crypto theft losses that year.
CertiK’s Skynet analysis attributes $6.75 billion in cryptocurrency theft to DPRK-affiliated groups across 263 incidents since 2016. The report also estimates those groups were responsible for 55% of global crypto losses in 2026 through the report’s publication date.
The firm identifies social engineering as the primary method used to gain access to targets. Taylor Monahan, author of the CertiK analysis, wrote that social engineering is the ‘dominant attack vector’ and highlighted incidents where attackers posed as legitimate industry participants to infiltrate projects. In April 2026, the Solana-based exchange Drift Protocol reported an operation in which attackers spent six months building fake professional identities, meeting contributors at conferences and distributing malicious developer tools before executing a roughly $285 million drain.
Large single-event thefts drove much of the total. On February 21, 2025, attackers emptied $1.46 billion from the Bybit exchange in two transactions. Blockchain investigators say more than $1 billion of the Bybit funds was routed through cross-chain bridges and other mixing services. In one case, CertiK found that 86% of stolen funds were obscured within a month by moving assets through decentralized exchanges and cross-chain bridges.
Security firms describe the laundering apparatus as involving underground bankers, over-the-counter brokers, money transmitters and trade-based intermediaries. TRM Labs characterized the operation as ‘industrial-scale,’ combining cyber activity, intelligence support and illicit finance networks. Parts of the network have been referred to as the ‘Chinese Laundromat’ because of reliance on regional intermediaries.
U.S. authorities have taken legal steps. The Department of Justice filed a civil forfeiture complaint seeking $7.74 million tied to North Korean IT workers who allegedly laundered crypto while working abroad. Court filings show a wallet linked to a representative of North Korea’s Foreign Trade Bank received more than $24 million between August 2021 and March 2023.
To counter the threat, CertiK recommended that decentralized finance projects and crypto firms strengthen onboarding and operational defenses. The report suggested rigorous identity checks, including video interviews, zero-trust hiring practices for contributors and contractors, and technical hardening of cross-chain bridges and hot wallets. Security teams are developing new tools to trace cross-chain flows and identify laundering patterns more quickly.
CertiK concluded that DPRK-linked groups carry out sustained, systematic efforts to extract and launder digital assets from decentralized finance protocols.