Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
North Korean Hackers Steal $2 Billion in Crypto, Targeting DeFi Sector


21 December 2025 08:53

In 2025, North Korean hackers stole a record $2 billion in cryptocurrency, 51% more than the previous year.

However, the number of attacks has decreased, while the damage has increased. According to Chainalysis, North Korean hackers’ total haul since the start of operations has exceeded $6.75 billion. The country was responsible for over 75% of all cryptocurrency cyberattacks this year.

The most devastating incident was the Bybit cyberattack in February, a single incident that caused $1.5 billion in damages. Increasingly, North Korean hackers aren’t storming systems, but rather sneaking in, posing as IT specialists, recruiters, or investors. Once they gain access, they take their time, planning the theft to maximize its impact.

The stolen funds are disposed of using a well-established scheme.

Over the course of 45 days, the funds pass through mixers, cross-chain bridges, and exchanges until they are finally absorbed into Chinese-language services. This “chain” helps hide their tracks and evade sanctions. Unlike other cybercriminals, North Korea rarely uses peer-to-peer networks or decentralized exchanges: they are too visible. Preference is given to closed and reliable channels.

At the same time, the number of cyberattacks on personal wallets is growing. In 2025, there were over 158,000 such incidents, affecting at least 80,000 people. But hackers are now stealing less from each individual: damages have dropped to $713 million, almost half the previous year’s total. Ethereum and Tron wallet owners were the most frequently attacked.

In this context, the DeFi sector is suddenly showing resilience.

Although large sums of money have returned, the number of cyberattacks has not yet increased. This could be due to improved security or a shift in attacker interests. Take Venus Protocol, for example: in September, attackers attempted to withdraw $13 million, but the monitoring system blocked the attack. The funds were recovered, and the attacker found himself in the red.

2025 has become a year of costly, precise, and stealthy attacks.

North Korean hackers are operating with precision and increasing effectiveness. Given their style—fewer attacks, more damage—the cryptocurrency industry must learn to distinguish their activities from traditional cybercrime. Otherwise, the next Bybit could happen at any moment.

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.