The $2 Billion Heist: North Korea Smashes Crypto Theft Records in 2025
In 2025, hackers linked to North Korea stole a record-breaking two billion dollars in cryptocurrency—51% more than the previous year. Notably, the number of attacks declined even as the damage escalated. According to Chainalysis, the cumulative “take” of North Korean hackers since the onset of their operations has surpassed $6.75 billion, accounting for more than 75% of all cryptocurrency service breaches over the year.
The most devastating episode was the February breach of Bybit, a single incident that inflicted losses of $1.5 billion. Increasingly, North Korean operators are no longer forcing their way into systems but slipping in quietly—posing as IT specialists, recruiters, or investors. Once inside, they bide their time, meticulously planning thefts for maximum yield.
The stolen funds are laundered through a well-rehearsed pipeline. Within roughly 45 days, assets pass through mixers, cross-chain bridges, and exchanges before disappearing into Chinese-language services. This “chain” obscures traces and helps evade sanctions. Unlike other cybercriminals, North Korea makes little use of P2P or decentralized exchanges, which are deemed too conspicuous; instead, it favors closed, trusted channels.
At the same time, breaches of personal wallets have surged. In 2025, more than 158,000 such incidents were recorded, affecting at least 80,000 individuals. Yet hackers are stealing less per victim—the total damage fell to $713 million, nearly half of the prior year’s figure. Owners of Ethereum- and Tron-based wallets were most frequently targeted.
Against this backdrop, the DeFi sector has shown unexpected resilience. Despite the return of large capital inflows, the number of successful breaches has not increased. This may reflect stronger defenses or a shift in attackers’ priorities. A case in point is Venus Protocol: in September, attackers attempted to siphon off $13 million, but monitoring systems intervened in time. The funds were recovered, leaving the attacker at a loss.
The year 2025 marked an era of costly, precise, and covert attacks. North Korean hackers are operating with increasing discipline and effectiveness. Given their hallmark approach—fewer attacks, greater impact—the crypto industry must learn to distinguish these operations from routine cybercrime. Otherwise, another Bybit could strike at any moment.