
CertiK, Chainalysis and Elliptic all say DPRK-linked hackers stole an estimated $2.02B in 2025, about 60% of the year’s $3.4B in crypto theft.
North Korean state-linked hacking groups stole an estimated $2.02 billion in digital assets in 2025, accounting for roughly 60% of all crypto theft globally, according to blockchain security firms CertiK, Chainalysis, and Elliptic. The figure represents a 51% increase from 2024 and pushes the regime’s all-time haul to about $6.75 billion, even as the number of confirmed incidents fell. The concentration of theft in the hands of a single state actor is reshaping how exchanges, custodians, and regulators think about security, compliance, and the very architecture of on-chain risk.
Chainalysis’ 2026 Crypto Crime Report pegs total global crypto theft in 2025 at roughly $3.4 billion. North Korean operations accounted for “nearly 60%” of that figure, with at least $2.02 billion stolen. Elliptic’s separate analysis is broadly consistent, concluding that DPRK-linked groups had already stolen “over $2 billion” by early October, before a final wave of attacks pushed the annual total higher. CertiK’s estimate aligns, placing the DPRK share at roughly 60%.
The year-over-year increase in stolen value occurred alongside a decline in the number of confirmed hacks. Chainalysis notes that North Korea is “achieving larger thefts with fewer incidents.” The average heist size grew sharply, a direct consequence of attackers targeting larger centralized platforms and DeFi protocols with more sophisticated infiltration methods. The 51% jump from 2024 underscores that the DPRK’s operational capacity is scaling faster than industry defenses.
The February 2025 hack of exchange Bybit alone accounted for an estimated $1.46 billion to $1.5 billion, making it the largest crypto theft ever recorded. U.S. authorities quickly attributed the attack to North Korean actors. The Bybit breach was not an isolated event. Other 2025 attacks linked to DPRK groups include compromises of LND.fi, WOO X, and Seedify, along with dozens of smaller service breaches and wallet-draining campaigns. In aggregate, researchers put the North Korean share of all crypto stolen from centralized services and DeFi protocols last year at anywhere from “more than half” to 60%, depending on how the sample of tracked incidents is defined.
The Bybit hack crystallized a tactical evolution. DPRK groups are no longer spreading their efforts across many small targets. They are concentrating on a handful of high-value platforms where a single breach can yield billions. This shift changes the risk calculus for exchanges and protocols: the cost of a single security failure is now existential.
The Bybit hack sent shockwaves through the market. Bitcoin (BTC) and Ethereum (ETH) prices dipped briefly as uncertainty spread, though the exchange’s quick assurance of solvency prevented a broader panic. The incident highlighted an uncomfortable truth: even exchanges with deep liquidity and strong reputations can be compromised by a state actor with patience and resources. For traders, the lesson is that exchange risk is not binary – it is a spectrum, and the DPRK threat pushes every platform further toward the red end.
The operational pattern has changed in a way that renders many traditional security assumptions obsolete. Instead of relying primarily on “spray and pray” phishing or brute-force smart-contract exploits, DPRK actors increasingly embed IT workers inside exchanges, custodians, and Web3 companies to gain privileged access from the inside. Chainalysis and Elliptic both document this shift, noting that the insider vector allows attackers to bypass external defenses and move laterally once inside a network.
These workers often present as remote contractors or freelance developers, sometimes using stolen or synthetic identities. Once hired, they can spend months building trust and access before executing a theft. The method turns the hiring process itself into a security vulnerability. For exchanges and protocols, the implication is stark: vetting employees and contractors for potential state ties is no longer a theoretical exercise. It is a direct counterparty risk.
Key insight: The shift to insider infiltration means traditional perimeter security is no longer enough – exchanges must now vet their own employees as potential state actors.
Chainalysis reports that more than 60% of funds stolen in 2025 were laundered in tranches below $500,000 per transaction. This is a deliberate departure from the million-dollar-plus lumps that used to define nation-state laundering. Smaller, more frequent transfers are harder for automated monitoring systems to flag, especially when mixed with legitimate exchange flows or routed through nested services and DeFi bridges.
This laundering pattern forces compliance teams to rethink thresholds. A single $10 million alert is easy to spot. Ten thousand $500 alerts are not. The operational burden on exchanges and on-chain analytics firms rises exponentially when the adversary deliberately stays below conventional tripwires.
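To show concretely why a per-transfer threshold misses this pattern while a cluster-level rolling aggregation does not, here is an added example written for this article (it is not tooling from Chainalysis, Elliptic or any other firm named above; the transfer records, cluster labels and the 24-hour window are constructed assumptions):

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample transfers (not real on-chain data). clusterA splits
# $1.2M into four $300K tranches, each below the $500K tripwire, with the
# fourth arriving two days later; clusterC makes one $800K transfer that a
# per-transfer rule does catch; clusterB is ordinary low-value flow.
SAMPLE_TRANSFERS = [
    {"ts": "2025-02-22T01:00:00", "cluster": "clusterA", "usd": 300_000},
    {"ts": "2025-02-22T01:40:00", "cluster": "clusterA", "usd": 300_000},
    {"ts": "2025-02-22T02:15:00", "cluster": "clusterA", "usd": 300_000},
    {"ts": "2025-02-22T02:30:00", "cluster": "clusterB", "usd": 50_000},
    {"ts": "2025-02-22T03:00:00", "cluster": "clusterC", "usd": 800_000},
    {"ts": "2025-02-24T05:00:00", "cluster": "clusterA", "usd": 300_000},
]

PER_TX_THRESHOLD = 500_000        # the conventional single-transfer tripwire
WINDOW = timedelta(hours=24)      # aggregation window (hypothetical choice)

def per_transfer_alerts(transfers, threshold=PER_TX_THRESHOLD):
    """Naive rule: alert only when one transfer alone crosses the threshold."""
    return [t for t in transfers if t["usd"] >= threshold]

def rolling_cluster_alerts(transfers, threshold=PER_TX_THRESHOLD, window=WINDOW):
    """Sum each source cluster's transfers over a sliding window and alert
    whenever the running total crosses the threshold, so a series of
    sub-threshold tranches from one cluster is still surfaced."""
    recent = defaultdict(deque)   # cluster -> (timestamp, usd) pairs in window
    totals = defaultdict(int)     # cluster -> running sum inside the window
    alerts = []
    for t in sorted(transfers, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(t["ts"])
        cluster = t["cluster"]
        q = recent[cluster]
        q.append((ts, t["usd"]))
        totals[cluster] += t["usd"]
        # Evict transfers that have aged out of the window.
        while q and ts - q[0][0] > window:
            totals[cluster] -= q.popleft()[1]
        if totals[cluster] >= threshold:
            alerts.append({"cluster": cluster, "at": t["ts"],
                           "window_total": totals[cluster], "tranches": len(q)})
    return alerts

if __name__ == "__main__":
    print("per-transfer rule:", per_transfer_alerts(SAMPLE_TRANSFERS))
    print("rolling-window rule:", rolling_cluster_alerts(SAMPLE_TRANSFERS))
```

On the sample data the per-transfer rule fires once (clusterC), while the rolling rule also fires on clusterA as soon as its second and third tranches push the 24-hour total past $500K; the late fourth tranche falls outside the window and stays quiet.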
The United Nations and multiple government agencies assess that the proceeds from these hacks are used to finance North Korea’s nuclear weapons and ballistic missile programs. Some estimates suggest the 2025 take alone could amount to roughly 13% of the country’s GDP. That reality is why CertiK and other security firms frame the threat as systemic and “nation-state level,” not just another wave of opportunistic DeFi hacks.
If the $2.02 billion figure is accurate, it represents a material slice of a sanctioned economy. Crypto theft has become a primary revenue stream for the regime, alongside traditional illicit activities. The scale changes the calculus for policymakers. Sanctions enforcement, which has historically focused on trade and finance, now must contend with a digital asset flow that is both harder to trace and directly convertible into hard currency through over-the-counter desks and non-compliant exchanges.
The 2025 theft data exposes a widening gap between the sophistication of state-sponsored attackers and the compliance frameworks meant to stop them. Existing KYC/AML rules were designed for a world where the primary threat was retail fraud and money laundering by criminal networks. They were not built to counter a hostile state that can deploy insider agents, exploit cross-chain infrastructure, and launder billions in sub-threshold tranches.
Regulators are now looking harder at where hacks are happening, how quickly stolen assets are being frozen, and whether current frameworks are anywhere near fit for purpose. CertiK and other security firms argue that more sophisticated on-chain compliance tooling, address screening, and behavioral analytics are becoming non-negotiable for exchanges, protocols, and even wallet providers. The question is whether regulation will drive adoption of these tools or whether the industry will be forced to act after the next catastrophic breach.
Risk to watch: Regulators may impose stricter KYC/AML rules on exchanges. If they are slow to act, the next Bybit-sized hack could trigger a market-wide liquidity crisis.
The DPRK theft problem is not static. Several factors could either curb the trend or accelerate it, and each has direct implications for anyone allocating capital to crypto platforms or tokens.
The practical takeaway for traders and platform operators is that the risk is concentrated, adaptive, and state-backed. A single breach can move markets, freeze withdrawals, and trigger cascading liquidations. The Bybit hack demonstrated that even well-capitalized exchanges are vulnerable. The next attack may come through a trusted employee, not a smart-contract bug. Compliance teams that treat DPRK risk as a niche concern are already behind.
For traders navigating this environment, the security posture of an exchange or protocol is no longer a background detail. It is a direct input into counterparty risk. Platforms that cannot demonstrate robust insider threat detection, real-time on-chain monitoring, and rapid freeze coordination are carrying a liability that can materialize overnight, and choosing a venue with strong security infrastructure is a first-order decision.
Drafted by the AlphaScala research model and grounded in primary market data – live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.