Chainalysis report: North Korean hackers stole US$2 billion in crypto assets in 2025, with Bybit becoming the biggest victim
Blockchain analysis company Chainalysis pointed out in its "2026 Crypto Crime Report" released on December 18, 2025 that hacker groups related to North Korea stole at least US$2.02 billion in crypto assets in 2025, which not only set a new annual record, but also increased by approximately 51% from US$1.3 billion in 2024.
(Preliminary summary: Kimchi Premium VS state hackers, the secret war between North and South Korea behind Upbit’s several thefts)
(Background supplement: Security company: North Korean hackers have penetrated 15~20% of cryptocurrency companies)
The blockchain analysis company Chainalysis released "2026 Crypto Crime" on December 18, 2025. Report" pointed out that hacker groups related to North Korea (DPRK, Democratic People's Republic of Korea) stole at least $2.02 billion in crypto assets in 2025, which not only set a new annual record, but also increased by approximately 51% from $1.3 billion in 2024.
$3.4 billion was stolen in 2025
The report shows that the total amount of global cryptocurrency theft in 2025 reached $3.4 billion, of which North Korea-related attacks accounted for as high as 59%. This means that more than half of the stolen funds went to North Korean hackers.
Chainalysis analyzed that although the number of attacks by North Korean hackers decreased by 74% compared with the previous year, the scale and damage of each attack increased significantly, indicating that their methods have become more precise and efficient. Among them, the most representative case was the attack on the cryptocurrency exchange Bybit in February 2025, in which approximately $1.5 billion was stolen in a single incident. The attack also accounted for nearly 40% of the total stolen globally in 2025, making it the largest single theft in cryptocurrency history.
The report further states that North Korean hackers' "evolving" strategies include penetrating IT staff employed by cryptocurrency companies, poisoning public code libraries (such as NPM suites), and launching attacks against centralized platforms. The funds were allegedly used to fund North Korea's nuclear weapons and missile programs.
North Korean hackers have stolen a total of US$6.75 billion
Cumulatively, North Korean-related hackers have stolen at least US$6.75 billion in crypto assets since records began. In terms of money laundering patterns, Chainalysis identified its unique "three waves, 45 days" pattern: commonly used Chinese services, relying on cross-chain bridges and cryptocurrency mixers, and preferring small-amount transfers (mostly less than $500,000) to confuse tracking. Specifically, the North Korean team completes the laundering of funds within an average of 45 days:
- The first 5 days: Cut the stolen money into countless small amounts and distribute them to thousands of disposable wallets.
- Days 6 to 10: Transfer on multiple chains through cross-chain bridges.
- Days 20 to 45: Flow into the over-the-counter trading network, especially Chinese OTC and Asian underground banks, and then convert it into legal currency and remit it back to Pyongyang.
The report ultimately emphasizes that the cryptocurrency industry needs to increase vigilance and improve monitoring of this type of specific money laundering behavior to prevent a recurrence of hacking incidents similar to Bybit's scale in 2026.
