North Korean hackers now dominate crypto theft — and compliance is racing to catch up

2026/05/12 22:01

CertiK, Chainalysis and Elliptic all say DPRK‑linked hackers stole about 60% of 2025’s $3.4B crypto theft, including an estimated $2.02B taken by North Korean groups.

Summary
  • A handful of mega‑hacks like Bybit’s record $1.46B–$1.5B breach drove 2025 losses, even as the total number of DPRK incidents fell compared with previous years.
  • Investigators warn stolen crypto likely funds North Korea’s nuclear and missile programs, spurring a compliance arms race in screening, freezing and tracing tainted assets.

Blockchain security firm CertiK says North Korean state-linked hacking groups were responsible for roughly 60% of all crypto stolen in 2025, cementing the DPRK as the single most dangerous actor in the space. That share lines up with independent estimates from Chainalysis and others, which found that North Korea stole about $2.02 billion in digital assets last year out of roughly $3.4 billion in total global crypto thefts.

Chainalysis’ 2026 Crypto Crime Report, cited by outlets such as Fortune and the Korea Herald, puts global 2025 crypto theft at around $3.4 billion, with North Korean operations accounting for “nearly 60%” of that figure. The firm estimates that DPRK-linked hackers stole at least $2.02 billion worth of crypto last year — a 51% increase from 2024 — pushing the regime’s all‑time haul to about $6.75 billion, even as the number of confirmed incidents fell. Elliptic’s separate analysis is broadly consistent, concluding that North Korea–linked groups had already stolen “over $2 billion” in 2025 by early October, before the final wave of attacks.

The scale is being driven by fewer but much larger heists. Elliptic and Chainalysis both highlight February’s Bybit hack — variously estimated at around $1.46 billion to $1.5 billion — as the single biggest crypto theft in history, and one that U.S. authorities quickly attributed to North Korean actors. Other 2025 attacks linked to DPRK groups include the compromises of LND.fi, WOO X and Seedify, along with dozens of smaller service breaches and wallet‑draining campaigns. In aggregate, researchers say North Korean hackers were responsible for between “more than half” and 60% of all crypto stolen from centralized services and DeFi protocols last year, depending on how the sample of tracked incidents is defined.

The operational pattern has shifted as well. Instead of relying primarily on “spray and pray” phishing or brute‑force smart‑contract exploits, DPRK actors increasingly embed IT workers inside exchanges, custodians and Web3 companies to gain privileged access from the inside, according to Chainalysis and Elliptic. Chainalysis notes that North Korea is “achieving larger thefts with fewer incidents,” and that more than 60% of funds stolen in 2025 were laundered in tranches below $500,000 per transaction — a shift away from the million‑dollar‑plus lumps that used to define nation‑state laundering.

Those stolen assets have geopolitical consequences. The United Nations and multiple government agencies believe the proceeds are used to finance North Korea’s nuclear weapons and ballistic missile programs, with some estimates suggesting the 2025 take alone could amount to roughly 13% of the country’s GDP. That reality is why CertiK and other security firms frame the threat as systemic and “nation-state level,” not just another wave of opportunistic DeFi hacks — and why they argue that more sophisticated on‑chain compliance tooling, address screening and behavioral analytics are becoming non‑negotiable for exchanges, protocols and even wallets.

As one summary from Tom’s Hardware put it, the “infernal milestone” of $2.02 billion stolen — nearly 60% of all crypto theft in 2025 — is both a security and a policy problem, and it is pushing regulators to look harder at where hacks are happening, how quickly stolen assets are being frozen, and whether existing KYC/AML frameworks are anywhere near fit for purpose in a world where a single hostile state can drain billions from poorly defended platforms.
