North Korea’s Crypto Thefts Hit $2.02 Billion in 2025, Solana Users Face Rising Risks

• North Korea’s crypto theft in 2025 reached $2.02 billion, surpassing previous records.

• Attack numbers declined, but individual hauls like the $1.5 billion Bybit breach drove the total higher.

• DPRK hackers focused on social engineering and internal access, stealing 30% of all illicit crypto funds this year per Chainalysis.

Discover how North Korea’s crypto theft in 2025 hit $2.02B amid fewer but bolder attacks. Chainalysis reveals DPRK’s strategic shift—learn key risks and defenses for crypto security today.

What is North Korea’s Crypto Theft Record in 2025?

North Korea’s crypto theft in 2025 set a new benchmark at $2.02 billion, as detailed in the Chainalysis 2025 Crypto Crime Report. This figure represents a dramatic increase from prior years, even as the number of incidents dropped significantly. The Democratic People’s Republic of Korea (DPRK) has refined its cyber operations to prioritize precision strikes over volume, targeting high-value assets in the cryptocurrency ecosystem. This evolution underscores the growing sophistication of state-sponsored threats in digital finance.

How Has DPRK’s Crypto Hacking Strategy Evolved?

Chainalysis reports that DPRK-linked groups executed fewer attacks in 2025 compared to 2024, yet their hauls were substantially larger due to a focus on deep infiltrations. Traditional exploits of code vulnerabilities have given way to social engineering tactics, such as impersonating executives and compromising contractors for internal system access. For instance, the $1.5 billion breach at Bybit exemplifies this trend, where attackers gained upstream control to drain funds efficiently. Data from Chainalysis indicates that these groups accounted for about 30% of all illicit crypto inflows in 2025, a rise from 20% the previous year. This strategic pivot not only maximizes returns but also complicates attribution and recovery efforts for affected platforms. Experts note that such methods exploit human elements, which remain a persistent weak point despite advancements in smart contract security.

North Korea set a new record for crypto theft in 2025, stealing $2.02 billion despite carrying out far fewer attacks than in previous years, according to new data from Chainalysis. The report indicates that the DPRK’s cyber strategy has shifted from high-frequency exploits to precision, high-value infiltrations—a change that signals an evolving threat to the global crypto ecosystem.

Fewer Attacks, But Bigger and More Strategic Heists

Chainalysis found that North Korea-linked groups now focus on deep, targeted intrusions rather than the broad exploit patterns seen in earlier cycles. DPRK hackers stole more money in 2025 than in any year on record, while the total number of incidents actually fell.

Source: Chainalysis

A major driver was the $1.5 billion Bybit breach, but the trend extends beyond any single event. The report highlights a shift toward infiltrating people and internal systems, not just codebases—including impersonating executives, compromising contractors, and gaining upstream access to drain funds. This shift marks a new phase of state-level crypto exploitation: fewer hacks, larger payoffs, and far more strategic targeting.

DPRK Relies on Fast-Moving Laundering Networks

The Chainalysis report also outlines how North Korea has refined its laundering operations. It identified a repeatable 45-day cycle used to clean stolen funds, involving rapid obfuscation through mixers, chain-hops through bridges, and eventual off-ramping via Chinese-language OTC brokers and instant exchangers. Use of these off-ramp channels by DPRK-linked groups has surged between 97% and 1,000%, depending on the network. This efficiency allows the DPRK to convert illicit gains into usable assets quickly, evading international sanctions and bolstering their economic strategies. Financial analysts emphasize that disrupting these networks requires enhanced global cooperation and advanced blockchain forensics.

Retail Users Face a Different Threat: Mass Wallet Drains

While institutional targets faced the largest losses, retail users experienced a rising wave of account takeover attacks. Chainalysis recorded 158,000 personal wallet hacks in 2025—three times higher than in 2022. Total value stolen from wallets dropped to $713 million, but Solana users took the largest hit, reflecting persistent exposure at the individual level even as DeFi platforms improve their security posture. These incidents often stem from phishing, malware, and weak authentication practices, underscoring the need for user education and multi-factor authentication adoption.

DeFi Is More Secure—But Institutions Are Now the Weak Point

The report notes that despite the rise in total value locked across DeFi, successful protocol-level exploits remained surprisingly low. Instead, attackers targeted the organizational layers surrounding these platforms: IT contractors, executives, customer support personnel, internal system administrators. The attacks became about people, not smart contracts. This evolution suggests traditional security models—which focus on code audits and protocol hardening—no longer address the most exploited vulnerabilities. Industry leaders recommend integrating comprehensive insider threat programs and regular social engineering training to mitigate these risks.

A New Phase of Global Crypto Security Risk

Chainalysis warns that DPRK’s cyber operations have reached a level of sophistication that demands a new security approach. With lifetime crypto thefts now at $6.75 billion, North Korea remains the single most dangerous state actor in the industry. The report’s findings highlight the urgency for platforms to bolster human-centric defenses, invest in AI-driven anomaly detection, and collaborate with regulatory bodies to track and freeze illicit funds. As the crypto market matures, addressing these state-sponsored threats will be crucial for sustainable growth.

Frequently Asked Questions

How Much Did North Korea Steal in Crypto in 2025?

According to Chainalysis, North Korea-linked hackers stole $2.02 billion in cryptocurrency in 2025, marking the highest annual total to date. This amount stems from a reduced number of highly targeted attacks, focusing on major exchanges and DeFi protocols for maximum impact.

What Are the Main Tactics Used in DPRK Crypto Thefts?

DPRK groups primarily employ social engineering, such as executive impersonation and contractor compromises, to access internal systems and drain funds. They also utilize advanced laundering techniques like mixers and cross-chain bridges, completing the process in about 45 days to obscure origins effectively.

Key Takeaways

• Record-Breaking Theft: North Korea’s $2.02 billion in crypto theft in 2025 shows a shift to fewer, more lucrative attacks.
• Targeted Infiltrations: Focus on human vulnerabilities like social engineering bypassed traditional code security measures.
• Enhanced Laundering: DPRK’s 45-day cleaning cycles via OTC brokers demand stronger blockchain monitoring tools.

Conclusion

In summary, North Korea’s crypto theft in 2025 of $2.02 billion, as reported by Chainalysis, illustrates a maturing DPRK strategy emphasizing precision over quantity in cyber operations. This trend, including sophisticated laundering and institutional targeting, elevates risks across the cryptocurrency landscape. As the industry advances, prioritizing holistic security frameworks will be essential to counter these evolving threats and foster a more resilient global ecosystem.