North Korean hackers allegedly stole record $2.02 billion of cryptocurrency in 2025. Here's how they did it

North Korean hackers reportedly stole a record of over $2 billion of crypto this year, Chainalysis researchers said, noting a 51% jump compared to 2024. Here's how they managed to pull off these heists.

Jocelyn Fernandes
Updated 21 Dec 2025, 08:43 AM IST

North Korea remains the dominant threat to cryptocurrency security in 2025, even while confirmed incidents have decreased, according to a report by blockchain analytics company Chainalysis.

Hackers from the Democratic People's Republic of Korea (DPRK) allegedly stole a record $2.02 billion of crypto this year, a 51% jump compared to 2024, taking their all-time total to $6.75 billion, it added.

The analysis further found that the DPRK is achieving larger thefts with fewer incidents, using unique methods to gain access and pull off their heists.

How much did North Korean hackers manage to steal?

  • As per the report, in 2025, North Korean hackers stole at least $2.02 billion in cryptocurrency ($681 million more than 2024), representing a 51% jump YoY.
  • This takes the lower-bound cumulative estimate for all cryptocurrency funds stolen by the DPRK to $6.75 billion.
  • Overall, the DPRK also accounted for a record 76% of all service compromises.
  • For money laundering, the DPRK showed clear preferences for Chinese-language services, bridge services, and mixing protocols, with a 45-day laundering cycle following major thefts, it alleged.
  • In terms of the targets, individual wallets comprised around 1,58,000 of the reported incidents affecting 80,000 unique victims in 2025. However, the total value stolen, at $713 million, decreased from 2024.
  • The report further noted that hack losses remained suppressed in 2024-2025, suggesting that various security practices are making a meaningful difference.

DPRK hack activities over 2016-2025
(Chainalysis)

North Korea's alleged crypto heists: Here's how they did it

As per the report, these hacks were often carried out in unique fashion by embedding IT workers inside crypto services or using sophisticated impersonation tactics targeting executives.

Embedding IT workers

This is among the DPRK's “principal attack vectors”, the report said. It added that the hackers secured jobs inside crypto services to gain privileged access and enable high‑impact compromises.

“Part of this record year likely reflects an expanded reliance on IT worker infiltration at exchanges, custodians, and web3 firms, which can accelerate initial access and lateral movement ahead of large‑scale theft,” it noted.

Fake jobs

Further, taking the IT worker model and “flipping it on its head”, the analysis said that DPRK-linked operators are also increasingly impersonating recruiters for prominent web3 and AI firms. This way, they orchestrate fake hiring processes that culminate in “technical screens” designed to harvest credentials, source code, and VPN or SSO access to the victim’s current employer.

“At the executive level, a similar social‑engineering playbook appears in the form of bogus outreach from purported strategic investors or acquirers, who use pitch meetings and pseudo–due diligence to probe for sensitive systems information and potential access paths into high‑value infrastructure,” it added.

Higher-value attacks

Over the years, DPRK-linked operators are increasingly undertaking significantly higher-value attacks compared to other threat actors. “This pattern reinforces that when North Korean hackers strike, they target large services and aim for maximum impact,” the report added.

It noted that “this year’s record haul came from significantly fewer known incidents”, including the massive $1.5 billion Bybit hack in February 2025.

DPRK’s distinctive laundering patterns

Beyond the hacking itself, the laundering of stolen funds is also distinctive, the report said. It noted that more than 60% of laundering volume was concentrated in transfer tranches below $5,00,000, despite the total stolen amounts being larger.

“Even while the DPRK consistently steals larger amounts than other stolen fund threat actors, they structure on-chain payments in smaller tranches, speaking to the sophistication of their laundering,” it added.

How DPRK Distinctly Launders Funds in 2025
(Chainalysis)

DPRK hackers tend to strongly prefer:

  • Chinese-language money movement and guarantee services (+355% to +1000%+): Their most distinctive characteristic, showing heavy reliance on Chinese-language guarantee services and money laundering networks comprised of many different laundering operators that may have weaker compliance controls.
  • Bridge services (+97% difference): Heavy reliance on cross-chain bridges to move assets between blockchains and attempt to complicate tracing.
  • Mixing services (+100% difference): Greater use of mixing services to attempt to obscure the flow of funds.
  • Specialized services like Huione (+356%): Strategic use of specific services that facilitate their laundering operations.

Key Takeaways
  • North Korea remains the dominant threat to cryptocurrency security in 2025, even while confirmed incidents have decreased, as per a Chainalysis report.
  • Hackers from the Democratic People's Republic of Korea allegedly stole a record $2.02 billion of crypto this year — a 51% jump YoY.
  • This takes the lower-bound cumulative estimate for all crypto funds stolen by alleged North Korea-linked operators to $6.75 billion.