North Korea Accelerates Crypto Theft with Fewer, Larger Attacks in 2025

North Korean hackers stole more than $2 billion in cryptocurrency in 2025, marking a sharp rise in proceeds despite a decline in the number of attacks, according to Chainalysis.

By Julia Sakovich
North Korean hackers stole more than $2 billion in crypto in 2025 | Photo: Unsplash

North Korean-linked hackers significantly expanded their crypto theft operations in 2025, stealing more than $2 billion in digital assets, according to a new report from blockchain analytics firm Chainalysis. The figure represents a 51% increase from the previous year and brings the regime’s cumulative crypto proceeds to an estimated $6.7 billion since it began targeting the sector in 2016. The findings highlight the growing scale and sophistication of state-backed cybercrime within the digital asset market.

Despite the higher total haul, Chainalysis observed a sharp decline in the number of attacks, with incidents falling by roughly 74% year over year. Instead, North Korean operatives concentrated on fewer, high-impact breaches targeting major exchanges and custodial platforms rather than individual users or smaller decentralized finance protocols. In 2025, they accounted for 76% of all significant platform and exchange hacks, the highest share on record.

Shift Toward High-Impact Operations

The change in tactics reflects a deliberate move toward maximizing returns per operation. Chainalysis reported that the largest North Korean hack this year was roughly 1,000 times larger than the average crypto theft. A February breach at Bybit alone resulted in losses of approximately $1.5 billion, accounting for nearly three-quarters of the regime’s total annual haul.

Rather than relying solely on external exploits, North Korean actors increasingly embedded operatives within crypto companies to gain privileged access. Security researchers estimate that between 30% and 40% of job applications received by crypto firms may be linked to North Korean operatives attempting to infiltrate internal systems. This insider approach allows attackers to bypass traditional perimeter defenses and execute large-scale thefts with minimal detection.

Evolving Social Engineering and Institutional Risk

Chainalysis also documented a shift in social engineering techniques. Operatives have begun impersonating recruiters from well-known crypto and artificial intelligence firms, orchestrating fake hiring processes to harvest credentials, source code, and network access from unsuspecting victims. These efforts often leverage global freelance platforms, enabling attackers to operate across borders with relative ease.

At the executive level, similar tactics include outreach from purported strategic investors or acquisition partners, designed to gain sensitive information. Former FBI agent Chris Wong of TRM Labs described the activity as more than a cybersecurity issue, noting its implications for sanctions enforcement, financial crime prevention, and national security.

The report underscores growing institutional concerns as regulators and exchanges face heightened pressure to strengthen internal controls. As crypto markets mature and attract more institutional capital, the concentration of assets within centralized platforms continues to present lucrative targets for state-backed actors.
