
CrowdStrike reports $2.02B stolen by North Korean hackers in 2025, a 51% jump. The Bybit and Safe Wallet hacks set the template. Thorchain itself lost $10M.
Global security firms are converging on a single warning: North Korean threat actors remain the most aggressive force in crypto crime. CrowdStrike’s latest report puts the number at $2.02 billion stolen in 2025, a 51% increase from 2024. The firm describes North Korean adversaries as the “most prevalent target intrusion threat” to financial services, with crypto as the primary focus.
CertiK, another security firm, estimated North Korea-linked crypto activity rose by 60% in 2025. The difference in methodology matters less than the direction: both firms see an escalation that is not slowing down.
CrowdStrike’s report details a playbook that relies on advanced social engineering and custom malware to breach targets. The attackers do not rely on a single vector. They probe exchanges, DeFi protocols, and individual wallets for weak points in custody, code, or human behavior.
In 2025, North Korean exploits were fewer in number but higher in value. The Bybit hack and the Safe Wallet compromise set the template: large, well-funded targets with deep liquidity pools. The attackers moved stolen funds through crypto mixers like Tornado Cash and Thorchain to obscure the trail.
CrowdStrike notes that the pattern is shifting toward high-value DeFi targets in 2026. The recent KelpDAO and Drift hacks fit that profile. If the attackers continue to focus on protocols with large total value locked (TVL), the next victim could be any top-20 DeFi project with a vulnerability in its smart contract or governance mechanism.
A new twist emerged when Thorchain, a cross-chain liquidity protocol often used for laundering, was itself compromised. Web3 security investigator ZachXBT reported that $10 million was lost in the incident.
Thorchain, like Tornado Cash, is a non-custodial mixer. Developers do not control the funds passing through. That design makes regulation difficult but also creates a single point of failure: if the mixer itself is hacked, the entire laundering chain breaks. For North Korean groups like the Lazarus Group, losing a trusted mixer means finding a new path to cash out stolen assets. That search creates friction but also opportunity for security firms to track new patterns.
The CLARITY Act recently passed committee in the US. The bill aims to give law enforcement more tools to police crypto while encouraging innovation. Its final form will determine how aggressively agencies can target mixers and other privacy tools used by North Korean hackers.
The primary assets at risk are crypto held on exchanges and liquidity in DeFi protocols. Second-order effects extend to stablecoin issuers (if stolen stablecoins are minted or redeemed), custodians, and audit firms that certify smart contracts. A large hack can trigger a broader sell-off in the affected token and erode confidence in the entire ecosystem.
CrowdStrike explicitly states that threat activity will persist in 2026. The combination of sanctions, military funding needs, and the proven ability to monetize crypto theft at scale means the risk is structural, not cyclical. Traders should expect at least one major headline per quarter involving a North Korean-linked exploit.
North Korean crypto theft is not a one-off event. It is a persistent, well-funded operation that adapts to security improvements. The $2 billion stolen in 2025 is a floor, not a ceiling.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.