2025 was undoubtedly a bumper year for North Korean hacker groups. According to the 2025 Hacker Attack Report released by Chainalysis, despite a significant reduction in the number of attacks launched by North Korean hackers, the amount of stolen funds hit a record high. This seemingly contradictory phenomenon reflects the increasing sophistication of these state-level cybercrime groups’ methods.
Behind the Bumper Year: Fewer Attacks but Increased Fund Theft
The entire crypto ecosystem faced severe challenges in 2025. Statistics show that over $3.4 billion was stolen throughout the year, with a major hack on Bybit in February alone causing $1.5 billion in losses.
North Korean hackers performed especially well during this “fat year.” In 2025, they stole cryptocurrencies worth up to $2.02 billion, a 51% increase from $1.339 billion in 2024. This made 2025 the most severe year on record for North Korean crypto theft and brought the cumulative amount they have stolen to $6.75 billion.
Even more striking, attacks attributed to North Korea accounted for 76% of all intrusion incidents, a new high. Although confirmed attack events fell by 74%, the amount stolen rose sharply. North Korean hackers are operating more efficiently: attacking less often, but concentrating their effort on higher-value targets.
Unique Money Laundering Networks: Characteristics of North Korean Hacker Operations
The reason North Korean hackers achieved such a “bumper year” is closely tied to their unique money laundering patterns and operational networks. Their laundering activities differ markedly from other cybercriminals.
“Partitioned” Money Laundering Characteristics
North Korean hackers’ money laundering shows a clear “partitioned” pattern: over 60% of their transfer volume is in amounts below $500,000. Other hackers follow an entirely different logic: more than 60% of the funds they move on-chain are split into batches in the $1 million to $10 million range.
Distinct Preferences for Specific Services
Compared to other hackers, North Korean groups show pronounced preferences in their laundering processes:
Chinese fund transfers and escrow services (+355% to over 1000%): This is the most prominent feature. North Korean hackers heavily rely on Chinese escrow services and a network of laundering operators with weaker compliance controls. This preference is far stronger than that of other criminals.
Cross-chain bridge services (+97%): They heavily depend on cross-chain bridges to transfer assets across different blockchains, increasing traceability difficulty.
Mixing services (+100%): They increasingly use coin mixers to obscure fund flow traces.
Professional services (+356%): Strategically employing services like Huione to assist laundering activities.
In contrast, North Korean hackers clearly avoid other common laundering channels used by other cybercriminals: lending protocols (-80%), non-KYC exchanges (-75%), P2P exchanges (-64%), CEXs (-25%), and DEXs (-42%).
45-Day Fund Circulation: Multi-Stage Money Laundering Cycle Unveiled
The large inflow of stolen funds in early 2025 gave law enforcement agencies valuable intelligence. By analysing on-chain activity, researchers found that North Korean hackers follow a structured, multi-stage laundering pathway that typically lasts about 45 days.
Stage 1: Immediate Layering (Days 0-5)
In the initial days after an attack, we observe a series of abnormal activities:
The flow of stolen funds from DeFi protocols increased the most (+370%), becoming the primary entry point.
Mixing service transactions surged (+135-150%), forming the first layer of obfuscation.
This stage is the urgent “first hop,” intended to put distance between the funds and the initial theft.
Stage 2: Preliminary Integration (Days 6-10)
By the second week, laundering strategies shift toward services that help inject funds into broader ecosystems:
Exchanges with fewer KYC restrictions (+37%) and CEXs (+32%) begin receiving fund flows.
Second-layer mixing services (+76%) continue laundering at a lower intensity.
Cross-chain bridges (e.g., XMRt, +141%) facilitate dispersal and concealment of funds across blockchains.
This is a critical transition period, with funds starting to flow toward potential exit points.
Stage 3: Long-Tail Integration (Days 20-45)
The final stage clearly favors services capable of ultimately converting funds into fiat or other assets:
Non-KYC exchanges (+82%) and escrow services (e.g., potato escrow, +87%) see significant increases.
Instant exchanges (+61%) and Chinese platforms (e.g., HuiWang, +45%) become the final conversion points.
CEXs (+50%) also receive funds, indicating complex attempts to blend illicit and legitimate funds.
Jurisdictions with less regulation, such as Chinese laundering networks (+33%) and platforms like Grinex (+39%), complete this pattern.
This roughly 45-day laundering window provides critical intelligence for law enforcement and compliance teams. The consistency of this pattern over many years suggests operational constraints faced by North Korean hackers—possibly due to limited access to financial infrastructure and the need to coordinate with specific intermediaries.
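The two fingerprints described above, the “partitioned” sub-$500,000 transfer sizes with the preference for escrow, bridge and mixing services, and the staged timing over roughly 45 days, can be turned into a simple profiling heuristic for a compliance or investigations team. The following is an added example written for this page; it is not code from Chainalysis or from the report, and it assumes an address-attribution feed that tags each counterparty with a service type (the label strings such as `chinese_escrow` and `bridge`, the `profile()` function, and the two sample clusters are all constructed for illustration and are not real on-chain records).

```python
"""Heuristic profiler for the laundering pattern described in the report.

Input is a list of outbound transfers from an address cluster that received
stolen funds, each labelled with the type of counterparty service. The labels
are assumed to come from an address-attribution dataset; the sample data below
is constructed for illustration and is not real on-chain data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Post-theft windows named in the report (day ranges are inclusive).
STAGES = (
    (0, 5, "immediate_layering"),
    (6, 10, "preliminary_integration"),
    (20, 45, "long_tail_integration"),
)

# Service types the report says DPRK launderers favour vs. the ones they avoid.
# The label strings are assumptions about how an attribution feed might tag them.
FAVORED = {"chinese_escrow", "bridge", "mixer", "professional_service"}
AVOIDED = {"lending_protocol", "non_kyc_exchange", "p2p_exchange", "cex", "dex"}

SMALL_TRANSFER_USD = 500_000   # "partitioned" size threshold from the report
SMALL_SHARE_THRESHOLD = 0.60   # report: >60% of volume below that size


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    usd: float
    counterparty_type: str


def stage_of(days_since_theft: int) -> str:
    """Map an offset in days from the theft to a report stage name."""
    for lo, hi, name in STAGES:
        if lo <= days_since_theft <= hi:
            return name
    return "outside_window"


def profile(theft_time: datetime, transfers: list[Transfer]) -> dict:
    """Summarise a cluster's transfers against the report's DPRK fingerprint."""
    total = sum(t.usd for t in transfers)
    if total <= 0:
        raise ValueError("no transfer volume to profile")
    small = sum(t.usd for t in transfers if t.usd < SMALL_TRANSFER_USD)
    favored = sum(t.usd for t in transfers if t.counterparty_type in FAVORED)
    avoided = sum(t.usd for t in transfers if t.counterparty_type in AVOIDED)

    # Count which service types appear in each post-theft stage window.
    by_stage: dict[str, Counter] = defaultdict(Counter)
    for t in transfers:
        by_stage[stage_of((t.ts - theft_time).days)][t.counterparty_type] += 1

    small_share = small / total
    favored_share = favored / total
    avoided_share = avoided / total
    return {
        "small_share": small_share,
        "favored_share": favored_share,
        "avoided_share": avoided_share,
        "by_stage": dict(by_stage),
        # Both partitioning and service preference must line up before the
        # pattern is flagged as DPRK-like; either signal alone is common.
        "dprk_like": small_share > SMALL_SHARE_THRESHOLD and favored_share > avoided_share,
    }


# --- constructed sample data (not real on-chain records) ---------------------
THEFT = datetime(2025, 1, 1)


def _t(day: int, usd: float, kind: str) -> Transfer:
    return Transfer(THEFT + timedelta(days=day), usd, kind)


# Cluster A: many sub-$500K hops through mixers, bridges and escrow over ~40 days.
CLUSTER_A = [
    _t(1, 400_000, "mixer"), _t(2, 300_000, "mixer"), _t(3, 450_000, "bridge"),
    _t(7, 200_000, "non_kyc_exchange"), _t(8, 350_000, "bridge"),
    _t(25, 480_000, "chinese_escrow"), _t(30, 900_000, "chinese_escrow"),
    _t(40, 250_000, "instant_exchange"),
]

# Cluster B: a few multi-million-dollar transfers straight to DEX/CEX/lending.
CLUSTER_B = [
    _t(1, 5_000_000, "dex"), _t(2, 3_000_000, "cex"), _t(4, 2_000_000, "lending_protocol"),
]

if __name__ == "__main__":
    for name, cluster in (("A", CLUSTER_A), ("B", CLUSTER_B)):
        p = profile(THEFT, cluster)
        print(f"cluster {name}: small={p['small_share']:.2f} favored={p['favored_share']:.2f} "
              f"avoided={p['avoided_share']:.2f} dprk_like={p['dprk_like']}")
        for stage, counts in p["by_stage"].items():
            print(f"  {stage}: {dict(counts)}")
```

Running the script prints one summary per cluster: cluster A comes out with about 73% of its volume below $500,000 and 86% routed to favoured service types, so it is flagged, while cluster B (three large transfers to a DEX, a CEX and a lending protocol) is not. The per-stage counts are the part an analyst would actually read; the boolean is only a triage hint, and the 60% cut-off and the day windows are the report's population statistics, not thresholds tuned on any real case.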
Ongoing Threats to Individual Users
Amid the “bumper year” harvest, another concerning trend is the surge in attacks on individual wallets.
Growing Scale of Theft Incidents
In 2025, the total number of personal wallet thefts soared to 158,000, nearly three times the 54,000 recorded in 2022. Victim numbers increased from 40,000 in 2022 to at least 80,000 in 2025. This significant growth is likely driven by broader adoption of cryptocurrencies. For example, Solana, one of the blockchains with the most active personal wallets, led the theft count with approximately 26,500 victims.
Decreased Theft Amount per Victim
Despite the rise in incidents and victims, the total stolen from personal wallets fell from a 2024 peak of $1.5 billion to $713 million in 2025, so the average loss per victim decreased. Attackers are reaching more users but taking less from each one, a noteworthy shift.
Unequal Distribution of Risks
Ethereum and Tron have the highest theft rates (measured as thefts per 100,000 wallets). Despite the large user bases of chains like Base and Solana, their victimization rates are lower. Risk to individual wallets is therefore not evenly distributed across the crypto ecosystem: factors beyond technical vulnerabilities, such as user demographics, popular applications, and criminal infrastructure, play a large part in determining the likelihood of theft.
Unexpected Improvements in DeFi Security
Despite North Korean hackers experiencing a “bumper year” in 2025, there are encouraging signs in the crypto ecosystem—namely, improving security in DeFi.
DeFi TVL Rises While Attack Losses Remain Stable
Data reveals three distinct phases:
2020-2021: DeFi TVL and hacker attack losses grow in tandem.
2022-2023: Both metrics decline together.
2024-2025: TVL rebounds, while hacker losses remain stable.
This divergence is particularly notable. Although DeFi TVL has significantly recovered from 2023 lows, losses from hacker attacks have not increased correspondingly. Despite billions flowing back into these protocols, DeFi hacking incidents remain at relatively low levels, marking a significant shift.
Two factors explain this divergence. First, improved security measures—DeFi protocols may be implementing more effective defenses than during 2020-2021. Second, a shift in targets—rising incidents of personal wallet thefts and attacks on centralized services suggest that attackers are redirecting their focus.
Successful Defense Case: Venus Protocol
The Venus protocol incident in late 2025 exemplifies how enhanced security measures are producing tangible results.
Attackers used a compromised Zoom client to gain system access and tricked a user into granting authorization over an account valued at $13 million. This could have been catastrophic, but Venus had activated Hexagate security monitoring just a month earlier.
The platform detected suspicious activity 18 hours before the attack and issued an alert immediately when malicious transactions occurred. Within 20 minutes, Venus paused its protocol, preventing any fund movement. The response was swift and effective:
After a 5-hour security review, some functions were restored.
Within 7 hours, the attacker’s wallet was forcibly liquidated.
All stolen funds were recovered within 12 hours, and services resumed.
Most notably, Venus passed a governance proposal to freeze $3 million of assets still controlled by the attacker. The attacker not only failed to profit but also lost funds.
Evolving Tactics and Future Threats from North Korean Hackers
The reason North Korean hackers achieved a “bumper year” in 2025 is not only the increase in stolen funds but also their continuous evolution in attack methods.
From Internal Penetration to Sophisticated Social Engineering
North Korean hackers have increasingly planted IT workers inside crypto services to gain privileged access. Recently, however, related North Korean groups have turned this model on its head. Instead of applying for positions and infiltrating as employees, they impersonate recruiters from well-known Web3 and AI companies, stage elaborate fake recruitment processes, and, under the guise of “technical screening,” obtain victims’ login credentials, source code, and VPN or SSO access to their current employers.
At the executive level, similar social engineering tactics appear as fake strategic investors or acquisition contacts. They use pitch meetings and fake due diligence to probe sensitive system information and high-value infrastructure. This evolution directly builds on earlier IT worker fraud schemes.
Targeted Attacks on High-Value Targets
From 2022 to 2025, North Korean hackers have concentrated on the highest-value thefts, with their attacks clustered in the upper tail of the size distribution. This further indicates that when they do attack, they target large services to maximize impact.
Strategic Adjustment of Attack Pace
The three largest attacks in 2025 accounted for 69% of total losses, and the ratio of the largest attack to the median exceeded 1,000x for the first time. The effect of the Bybit incident on the year's activity pattern shows that after a major theft, they tend to slow operations and concentrate on laundering.
Challenges in 2026
The “bumper year” performance of North Korean hackers in 2025 reveals the complex reality of current crypto security. While defenses in DeFi are improving and successful cases like Venus demonstrate effective responses, the record-high theft of funds indicates that the entire ecosystem remains under serious threat.
For the crypto industry, this evolution calls for heightened vigilance toward high-value targets and improved detection of North Korean-specific laundering patterns. Their continued preference for Chinese escrow services, cross-chain bridges, and specific transfer amounts offers opportunities for detection, setting them apart from other criminals and aiding investigators in identifying on-chain behaviors.
As North Korea continues to use cryptocurrency theft to fund national priorities and evade international sanctions, the crypto industry must recognize that North Korean operations differ fundamentally from those of typical cybercriminals. Their record-breaking 2025, a large increase in stolen funds despite a 74% drop in known attacks, suggests that only the most visible parts of their activity are currently being observed.
The key challenge for 2026 is to detect and prevent large-scale attacks like the Bybit incident before they occur again. This requires the industry to strengthen security measures while continuously monitoring and analyzing North Korean hackers’ distinctive operational patterns, providing data-driven support for future defense strategies.
North Korean hackers' "Fat Year": 2025 theft funds hit a record high