2025-12-21

North Korea's hackers pulled off fewer but larger crypto heists, making up over 60 percent of global thefts, Chainalysis said.

North Korea–linked hacking groups have stolen more cryptocurrency than anyone else in 2025, siphoning off more than $2 billion as their operations became fewer but more targeted and higher impact, according to new research.

North Korean hackers stole about $2.02 billion worth of digital assets from January through early December, up 51 percent from a year earlier, global blockchain analytics firm Chainalysis said in a report released this week.

The findings, part of Chainalysis’s annual overview of crypto crime, show global cryptocurrency theft reached about $3.4 billion this year, with North Korean operations accounting for nearly 60 percent of the total.

That pushed North Korea’s cumulative cryptocurrency theft to roughly $6.75 billion, the report showed.

Fewer attacks, bigger impact

While the overall number of hacking incidents linked to North Korea fell 74 percent from 2024, their impact grew sharply. North Korean groups accounted for a record 76 percent of all service-level compromises, excluding personal wallet hacks, underscoring a shift toward fewer but significantly larger breaches.

Chainalysis said the divergence has become more pronounced over time. Non–North Korean attackers showed a relatively even distribution across theft sizes this year, while North Korean operations dominated the highest-value ranges.

“When North Korean hackers strike, they target large services and aim for maximum impact,” the report said.

Their tactics reflect a move away from exploiting decentralized finance vulnerabilities toward centralized exchanges and custodians as DeFi security improves. The $1.5 billion breach at Dubai-based exchange Bybit in February, the largest crypto heist on record, illustrates the scale of that approach.

The report pointed to insider infiltration as a key driver behind North Korea’s ability to execute such high-value thefts.

“North Korean threat actors are increasingly achieving these outsized results by embedding IT workers inside crypto services to gain privileged access and enable high-impact compromises,” Chainalysis said.

45-day laundering pipeline

Chainalysis also highlighted the growing sophistication of North Korea’s laundering methods, with stolen funds increasingly split into smaller tranches. More than 60 percent of the total stolen volume was transferred on-chain in amounts below $500,000 per transaction, whereas the majority of transfers by other actors were concentrated above $1 million.

The laundering patterns reflect structural constraints facing North Korean groups, including limited access to the global financial system and a reliance on multiple layers of external facilitators.

In recent years, North Korea’s laundering has typically unfolded in stages over roughly 45 days following a major theft, with funds initially moved quickly to distance them from their source before gradually entering the broader crypto ecosystem through exchanges, bridges and mixing services.

Throughout the process, North Korean actors relied heavily on Chinese-language money-laundering networks and showed a preference for tools that complicate tracing and obscure fund flows.
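The two patterns described above, a volume distribution skewed toward sub-$500,000 transfers and funds moved out quickly in many small tranches, are the kind of signals an exchange or analytics team would screen for. The following is an added example written for this page, not Chainalysis's own methodology or code: it computes the share of volume per transfer-size bucket and flags a sender that moves a large total through many sub-threshold transfers inside a short window. The transfers, addresses, thresholds (`500_000`, a one-day window, five transfers, $1 million total) and bucket edges are all constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int        # unix seconds
    sender: str    # on-chain address (constructed label here)
    receiver: str
    usd: float     # value at time of transfer


# Size buckets in USD, chosen to match the thresholds quoted in the report.
SIZE_BUCKETS = [
    (0, 100_000),
    (100_000, 500_000),
    (500_000, 1_000_000),
    (1_000_000, float("inf")),
]

# Constructed sample data: one address splitting $3.6M into eight sub-$500k
# tranches over six hours, one large-value sender, and a small retail sender.
T0 = 1_700_000_000
SAMPLE_TRANSFERS = (
    [Transfer(T0 + k * 1800, "hop1", f"ex{k}", 450_000.0) for k in range(8)]
    + [Transfer(T0, "whale", "custody", 2_000_000.0),
       Transfer(T0 + 3600, "whale", "custody", 2_000_000.0)]
    + [Transfer(T0 + k * 600, "retail", "shop", 50_000.0) for k in range(3)]
)


def volume_share_by_bucket(transfers):
    """Return {(lo, hi): fraction of total USD volume} per size bucket."""
    total = sum(t.usd for t in transfers)
    shares = {}
    for lo, hi in SIZE_BUCKETS:
        vol = sum(t.usd for t in transfers if lo <= t.usd < hi)
        shares[(lo, hi)] = vol / total if total else 0.0
    return shares


def flag_structured_outflows(transfers, threshold=500_000, window=86_400,
                             min_count=5, min_total=1_000_000):
    """Flag senders moving >= min_total through >= min_count transfers that
    each stay below `threshold`, all within `window` seconds (sliding)."""
    by_sender = defaultdict(list)
    for t in transfers:
        if t.usd < threshold:
            by_sender[t.sender].append(t)

    flagged = {}
    for sender, txs in by_sender.items():
        txs.sort(key=lambda t: t.ts)
        i = 0
        for j in range(len(txs)):
            # Advance the window start until it spans at most `window` seconds.
            while txs[j].ts - txs[i].ts > window:
                i += 1
            window_txs = txs[i:j + 1]
            total = sum(t.usd for t in window_txs)
            if len(window_txs) >= min_count and total >= min_total:
                flagged[sender] = max(flagged.get(sender, 0.0), total)
    return flagged


def analyse(transfers=SAMPLE_TRANSFERS):
    """Run both checks over a transfer list and return their results."""
    return volume_share_by_bucket(transfers), flag_structured_outflows(transfers)


if __name__ == "__main__":
    shares, flagged = analyse()
    for (lo, hi), share in shares.items():
        print(f"{lo:>10,.0f} - {hi:>12,.0f}: {share:6.1%}")
    print("structured outflows:", flagged)
```

On the constructed data the $100k–$500k bucket carries about 46 percent of volume and `hop1` is flagged for moving $3.6 million in eight tranches within a day; the two-transfer `whale` sender is never considered because its transfers sit above the threshold. In practice the window and counts would be tuned per venue, and a sender flagged this way is a lead for manual review, not proof of laundering.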

The report specifically cited Huione Group as a key facilitator. The US government this year identified the Cambodia-based firm as a critical node for laundering proceeds from North Korean cyber heists, estimated to be at least $4 billion between 2021 and early 2025, and barred US financial institutions from doing business with Huione, either directly or indirectly.

Beyond fake IT workers

The report also warned that North Korea’s infiltration methods are becoming more orchestrated and insidious, evolving beyond simple impersonation of IT employees.

Instead, attackers increasingly pose as recruiters at well-known Web3 and AI companies, running fake hiring processes to trick targets into handing over login details, internal code, or remote access to their employers’ systems. In other cases, they present themselves as potential investors, using staged pitches and meetings to quietly gather information about internal networks and possible points of entry.