CertiK data shows North Korean groups stole $2.1B in 2025, 60% of all crypto theft. Cross-chain laundering is shifting the risk map for DeFi and exchange users.
New data from CertiK shows North Korean state-sponsored hacking groups stole $2.1 billion in crypto during 2025, accounting for 60% of all cryptocurrency theft losses. The concentration is unprecedented and shifts how traders need to view platform risk: theft is now a systematic, nation-state activity rather than a series of isolated breaches.
For anyone holding assets on bridges or protocols with large wrapped-asset pools, this is more than a security headline. It re-orders the risk map because funds are not just being taken; they are being laundered through the same infrastructure retail and institutional traders use daily.
The three numbers that anchor the CertiK analysis are:
The 60% share alone changes the conversation about where risk concentrates. State-backed attackers operate with budgets, intelligence tradecraft, and patience that opportunistic hackers cannot match. The CertiK report frames crypto crime no longer as a diffuse set of phishing and smart-contract exploits. One actor now accounts for the majority of the damage.
Traders who have priced bridge risk as a tail event need to recalculate. When a single, persistent adversary is responsible for 60% of total sector losses, the probability of a major bridge or exchange compromise is no longer remote.
The laundering method matters for liquidity. Attackers move stolen assets across multiple protocols, often using coin mixers and cross-chain bridges to break audit trails. The same bridge contracts that legitimate traders use for cross-chain arbitrage become unwitting money-laundering channels. This creates two immediate problems.
First, when a bridge is drained by an exploit, wrapped assets on one side of the bridge can lose their backing, triggering a de-peg and cascading liquidations across lending markets. The 2022 Ronin bridge compromise, tied to the Lazarus Group, showed how quickly a $600 million bridge drain can freeze user funds and crater the chain’s native token.
Second, bridges that process large volumes of illegitimate flow become regulatory targets. A bridge that cannot demonstrate anti-money-laundering controls risks having its smart contracts blacklisted by node operators or its front-end seized. Funds that look safe can become illiquid overnight.
Traders with positions that depend on a single cross-chain bridge need to consider whether the yield justifies the concentration risk. The CertiK data makes a measurable case that bridge exposure is now a core portfolio factor, not an operational footnote.
Stolen crypto eventually needs to be off-ramped. Centralized exchanges are the endpoint for a large share of laundered funds, according to blockchain analytics firms. Exchanges that handle high volumes of obfuscated flows face freezing orders, regulatory fines, or, in extreme cases, asset seizures. When an exchange has to halt withdrawals to comply with an investigation, customer funds become trapped, regardless of the individual’s trading activity.
For DeFi users, the risk is less direct but still material. If a major lending protocol relies on a bridge-wrapped asset that later loses its peg, the liquidation cascade can spread to unrelated pools. The CertiK figure puts a dollar amount on a threat that has been present for years; now the market must decide whether current bridge and protocol insurance layers are priced adequately.
The $2.1 billion tally is not the end of the story. It is the measurement that forces a reassessment of counter-party risk. The next test will likely arrive through a withdrawal freeze at a bridge or exchange, triggered by a suspicious outflow detected on chain. When that happens, the size of a trader’s exposure to a single bridge or wrapper contract will be the difference between a manageable pause and a forced liquidation.
The CertiK report turns a well-known risk into a quantified portfolio input. The only question left is whether position sizing already reflects it.
Drafted by the AlphaScala research model and grounded in primary market data – live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.