Hackers from the Democratic People’s Republic of Korea, also known as the DPRK or North Korea, have stolen $2.02 billion worth of crypto so far in 2025, a Chainalysis report revealed Thursday.
This represents a 51% increase from last year’s figure, and is the largest year on record for DPRK-related crypto theft. As a whole, crypto has seen $3.4 billion in thefts this year, the report says, meaning that DPRK attacks account for 59% of these stolen funds.
Chainalysis believes that the data shows an “evolution” from North Korea, as they start to commit fewer attacks but inflict significantly more damage with each strike. February’s $1.5 billion Bybit attack, which the FBI linked to the DPRK, is a key example of this evolution.
“For the cryptocurrency industry, this evolution demands enhanced vigilance around high-value targets and improved detection of DPRK's specific laundering patterns,” the report states. “Their consistent preferences for certain service types and transfer amounts provide detection opportunities, distinguish them from other criminals, and can help investigators identify their on-chain behavioral footprint.”
Chainalysis claims to have identified a distinct three-wave, 45-day-long laundering pattern that DPRK attackers usually follow. Identifiers include the use of Chinese-language services, heavy reliance on bridging assets across chains to confuse tracking, and greater use of crypto mixing services. This pattern, the report says, has persisted over the past few years.
Chainalysis did not respond to Decrypt’s request for comment on how analysts know these attacks were from the DPRK and not other groups.
Increasingly, attacks come from malicious actors who get hired by crypto companies. Once inside, the attacker works to gain privileged access before stealing important information or funds.
Binance told Decrypt in the summer that North Korean hackers attempt to get hired by the major centralized exchange every single day. Jimmy Su, Binance’s chief security officer, explained that attackers may even use AI-generated live video and voice changers on calls in an attempt to get hired. The exchange has identified several common telltale signs of DPRK attackers, and shares this intelligence with other crypto exchanges via Telegram and Signal.
On top of this, North Korean hackers were found poisoning npm packages, which are regularly used public code libraries, to infiltrate projects. Again, Binance acknowledged this threat and claims its developers are forced to go through every code library with a fine-tooth comb.
“As North Korea continues to use cryptocurrency theft to fund state priorities and circumvent international sanctions, the industry must recognize that this threat actor operates by different rules than typical cybercriminals,” the Chainalysis report said. “The country’s record-breaking 2025 performance—achieved with 74% fewer known attacks—suggests we may be seeing only the most visible portion of its activities.”
“The challenge for 2026 will be detecting and preventing these high-impact operations before DPRK-affiliated actors inflict another Bybit-scale incident,” it finished.