How North Korea Allegedly Stole $2 Billion in Crypto in 2025

According to Chainalysis’ latest Crypto Crime Report, the global cryptocurrency industry lost more than $3.4 billion to theft in 2025, with groups linked to North Korea responsible for a large share of the stolen funds. 

The report estimates that North Korea-linked actors stole at least $2.02 billion in crypto in 2025 alone, reinforcing their position as one of the most serious nation-state threats in the digital asset world.

Fewer attacks, bigger damage

The story of 2025 is not that there were more hacks than before. The story is that a few attacks were so large that they changed everything.

One of the biggest examples was the Bybit exchange breach in February 2025, where attackers allegedly stole around $1.4 to $1.5 billion. That single incident made up a very large portion of all crypto stolen globally in the year.

This points to a new pattern in crypto crime: fewer major attacks, but far more destructive outcomes when they succeed.

Why North Korea stands out

Many cybercriminals behave like fast thieves. They rush, make mistakes, and take what they can. Chainalysis describes a different pattern with North Korea-linked actors. Their operations tend to be more patient and strategic. 

They carry out fewer known attacks, but extract larger sums per incident. The report also says their ability to move and hide stolen funds has improved over time.

The tactics: infiltration, impersonation, and deception

Rather than only trying to hack from the outside, the report describes how these groups allegedly get inside crypto companies first.

One method is embedding fake IT workers in exchanges, custodians, and Web3 firms using stolen or fabricated identities. If they get hired into remote roles, they can gradually gain access to internal systems and sensitive privileges.

The report also notes a rise in impersonation tactics, such as posing as recruiters or investors. In these cases, criminals run fake hiring processes or partnership talks to harvest passwords, access keys, and internal credentials.

It wasn’t only exchanges: personal wallets were hit too

Beyond large exchange breaches, Chainalysis also points to a sharp rise in personal wallet compromises. These attacks rely heavily on social engineering, phishing links, fake support accounts, impersonation scams, and messages designed to trick people into handing over access.

In many cases, victims do not lose money because the blockchain was “broken”. They lose money because someone convinced them to give up control.

The key lesson for 2026

The main takeaway from 2025 is clear: crypto has become a high-value financial system, and criminals now target it like one. The most dangerous attackers are organised, patient, and strategic. 

The strongest defence is not only better technology but also better security habits, strong verification, tight access control, and refusing to trust random messages, links, or “support agents” online.