Crypto theft hits record levels in 2025 as North Korea sharpens high-impact attacks


The cryptocurrency ecosystem endured another bruising year in 2025, with stolen funds continuing their upward trajectory and attack patterns growing more extreme. New analysis from blockchain intelligence firm Chainalysis shows that while some areas of crypto security have improved, attackers — particularly North Korean state-linked groups — are achieving fewer but far more devastating breaches.

From January through early December 2025, more than US$3.4 billion in cryptocurrency was stolen globally. Nearly half of that total came from a single incident: the US$1.5 billion Bybit hack in February, now one of the largest crypto thefts ever recorded. Beyond the headline figure, however, the data reveal deeper structural shifts in how crypto crime is unfolding across centralized platforms, decentralized finance (DeFi), and individual users.

Crypto theft has always been outlier-driven, but 2025 marked a new extreme. For the first time, the ratio between the largest hack and the median incident exceeded 1,000 to 1, meaning the biggest breach was more than a thousand times larger than a typical theft. The top three hacks alone accounted for 69% of all service-related losses, concentrating risk into a handful of catastrophic events.

Centralized services remain particularly vulnerable. Although large exchanges and custodians invest heavily in professional security teams, private key compromises continue to represent a fundamental weakness. Such incidents are relatively rare, but when they occur, they are massive. In the first quarter of 2025, private key compromises accounted for 88% of all stolen value from services.

The most consequential threat actor remains the Democratic People’s Republic of Korea (DPRK). In 2025, North Korean hackers stole at least US$2.02 billion in cryptocurrency, a 51% increase over 2024 and the highest annual total ever attributed to the country. DPRK-linked operations were responsible for a record 76% of all service compromises, pushing the estimated cumulative total of North Korean crypto theft to US$6.75 billion.

Strikingly, this record haul was achieved with far fewer known attacks. Analysts attribute the shift to a strategy focused on patience, access, and scale. Rather than frequent smaller hacks, DPRK-linked actors appear to concentrate on penetrating high-value targets and extracting enormous sums in single operations — as seen with Bybit.

A key enabler is the regime’s evolving IT worker infiltration model. North Korean operatives embed themselves inside exchanges, custodians, and Web3 firms to gain privileged access. More recently, they have inverted the model entirely, impersonating recruiters at major crypto and AI companies. Victims are lured into fake hiring processes or investor meetings designed to harvest credentials, source code, and access to corporate systems.

The scale of DPRK thefts has also provided unprecedented insight into how a nation-state launders crypto. Unlike other cybercriminals, North Korean actors move stolen funds in smaller on-chain tranches, with over 60% of transfers below US$500,000, even though the total sums stolen are far larger. This contrasts with non-DPRK criminals, who typically move funds in multi-million-dollar chunks.

Chainalysis data show clear preferences in laundering infrastructure. DPRK-linked actors rely heavily on Chinese-language money laundering and guarantee services, cross-chain bridges, and mixing services, while largely avoiding lending protocols, peer-to-peer exchanges, and even no-KYC platforms more commonly used by other criminals. This pattern suggests tight integration with professional illicit networks across the Asia-Pacific region, consistent with Pyongyang’s historical reliance on China-based financial intermediaries.

Following major hacks, DPRK laundering tends to unfold in three waves over roughly 45 days: an initial rush to distance funds via DeFi protocols and mixers; a transitional phase using bridges and limited-KYC exchanges; and a final integration phase involving Chinese-language services, instant exchanges, and selected centralized platforms. The consistency of this timeline offers valuable intelligence for law enforcement and compliance teams.
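The laundering profile described above (small on-chain tranches, with over 60% of transfers below US$500,000, and three waves over roughly 45 days that favour DeFi/mixers, then bridges and limited-KYC exchanges, then Chinese-language and instant exchange services, while avoiding lending protocols, peer-to-peer exchanges and no-KYC platforms) lends itself to a simple post-incident screening heuristic for compliance and investigation teams. The following is an added example, not code from Chainalysis or from this article: it scores a set of outflows from a hack against that profile. The 500,000 and 60% figures and the 45-day window come from the article; the day boundaries between the three phases, the 50% phase-fit and 10% avoided-service thresholds, the counterparty category names, and the sample transfers are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Figures taken from the article.
TRANCHE_THRESHOLD_USD = 500_000   # "over 60% of transfers below US$500,000"
TRANCHE_SHARE_MIN = 0.60
WINDOW_DAYS = 45                  # "three waves over roughly 45 days"

# Assumed phase boundaries (days since the theft) and expected service
# categories per phase. The article gives the order of the waves but not
# the exact day splits; these are illustrative assumptions.
PHASES = (
    ("initial",      0, 10, {"defi", "mixer"}),
    ("transitional", 10, 25, {"bridge", "limited_kyc_exchange"}),
    ("integration",  25, 45, {"chinese_language_service",
                              "instant_exchange", "centralized_exchange"}),
)
# Services the article says DPRK actors largely avoid.
AVOIDED = {"lending_protocol", "p2p_exchange", "no_kyc_platform"}
# Assumed decision thresholds for the heuristic (not from the article).
PHASE_FIT_MIN = 0.50
AVOIDED_SHARE_MAX = 0.10


@dataclass(frozen=True)
class Transfer:
    day: float          # days elapsed since the theft
    amount_usd: float   # value of the on-chain transfer in USD
    counterparty: str   # category of the receiving service (assumed labels)


def phase_for(day):
    """Return the laundering phase name for a day offset, or None if outside the window."""
    for name, start, end, _ in PHASES:
        if start <= day < end:
            return name
    return None


def profile(transfers):
    """Score outflows against the DPRK-style laundering profile described in the article."""
    in_window = [t for t in transfers if 0 <= t.day < WINDOW_DAYS]
    if not in_window:
        return {"total_usd": 0.0, "small_tranche_share": 0.0, "phase_fit": {},
                "avoided_share": 0.0, "matches_dprk_profile": False}

    total_usd = sum(t.amount_usd for t in in_window)
    small = sum(1 for t in in_window if t.amount_usd < TRANCHE_THRESHOLD_USD)
    small_share = small / len(in_window)

    # For each phase, what fraction of transfers went to the services expected in it?
    phase_fit = {}
    for name, start, end, expected in PHASES:
        in_phase = [t for t in in_window if start <= t.day < end]
        hits = sum(1 for t in in_phase if t.counterparty in expected)
        phase_fit[name] = hits / len(in_phase) if in_phase else 0.0

    avoided_share = sum(1 for t in in_window if t.counterparty in AVOIDED) / len(in_window)

    matches = (small_share >= TRANCHE_SHARE_MIN
               and all(f >= PHASE_FIT_MIN for f in phase_fit.values())
               and avoided_share <= AVOIDED_SHARE_MAX)
    return {"total_usd": total_usd, "small_tranche_share": small_share,
            "phase_fit": phase_fit, "avoided_share": avoided_share,
            "matches_dprk_profile": matches}


# Constructed sample data (not real transactions): one outflow set shaped like the
# article's DPRK profile, one shaped like the multi-million-dollar chunks it
# attributes to other criminals.
DPRK_LIKE_TRANSFERS = [
    Transfer(1, 300_000, "defi"), Transfer(2, 450_000, "mixer"),
    Transfer(4, 200_000, "defi"), Transfer(7, 800_000, "mixer"),
    Transfer(12, 350_000, "bridge"), Transfer(15, 400_000, "limited_kyc_exchange"),
    Transfer(20, 2_000_000, "bridge"), Transfer(28, 250_000, "chinese_language_service"),
    Transfer(33, 150_000, "instant_exchange"), Transfer(38, 480_000, "chinese_language_service"),
    Transfer(42, 1_200_000, "centralized_exchange"), Transfer(44, 90_000, "instant_exchange"),
]
NON_DPRK_LIKE_TRANSFERS = [
    Transfer(0.5, 4_000_000, "no_kyc_platform"), Transfer(1, 3_500_000, "lending_protocol"),
    Transfer(3, 6_000_000, "p2p_exchange"), Transfer(5, 2_000_000, "no_kyc_platform"),
    Transfer(9, 250_000, "mixer"), Transfer(14, 5_000_000, "p2p_exchange"),
]

if __name__ == "__main__":
    for label, data in (("dprk-like", DPRK_LIKE_TRANSFERS), ("other", NON_DPRK_LIKE_TRANSFERS)):
        print(label, profile(data))
```

The heuristic only labels an outflow set as consistent or inconsistent with the published pattern; it is a triage aid for prioritising tracing and exchange freeze requests, not an attribution on its own, since counterparty categorisation and the phase boundaries drive the result.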

While nation-state hacks dominate headlines, personal wallet compromises remain a growing concern. Theft incidents surged to 158,000 in 2025, nearly triple the number recorded in 2022, with at least 80,000 unique victims. This growth reflects expanding crypto adoption, particularly on networks like Solana, which recorded the highest number of affected users.

Yet despite more victims, the total value stolen from individuals fell from US$1.5 billion in 2024 to US$713 million in 2025. Attackers appear to be targeting more users but extracting smaller amounts per wallet. Risk also varies significantly by network: Ethereum and Tron show the highest theft rates per active wallet, while Solana and Base exhibit lower victimization rates despite large user bases.

One of the most unexpected findings in 2025 is the divergence between DeFi growth and hack losses. Total value locked (TVL) in DeFi rebounded strongly from 2023 lows, yet thefts remained suppressed. This breaks with earlier cycles where rising TVL reliably attracted more attacks.

Improved security appears to be a key factor. The September 2025 incident at Venus Protocol illustrates the shift. Thanks to real-time monitoring and rapid governance action, Venus detected and neutralized an attempted US$13 million exploit within hours, ultimately recovering all funds and freezing remaining attacker assets. In a notable reversal, the attacker ended up losing money.

The 2025 data paint a complex picture. Crypto crime is not disappearing; it is concentrating, professionalizing, and, in the case of North Korea, becoming more strategic. The DPRK’s ability to steal more with fewer attacks underscores a growing sophistication that poses systemic risks to high-value platforms.

As cryptocurrency continues to mature, the challenge for 2026 will be preventing these rare but devastating breaches. Detecting DPRK’s distinctive laundering patterns, hardening centralized key management, and extending the security gains seen in DeFi will be critical. The lesson of 2025 is clear: in crypto, a single successful attack can still define an entire year.
