Cryptocurrency thefts in 2025 reach a turning point: North Korea's attacks hit a record high of $2.02 billion, and the money laundering cycle lasts approximately 45 days.

Headline Highlights:

The cryptocurrency industry faces a severe trial in 2025. According to Chainalysis data, the total stolen funds this year exceeded $3.4 billion, with a single major incident accounting for $1.5 billion. Even more alarming is the increasing sophistication of attack methods, making defenses more difficult.

The most concerning phenomenon is that, despite a decrease in confirmed attack incidents, the amount stolen per incident has surged dramatically. The ratio of losses from the largest attacks to average incidents has surpassed 1,000 times for the first time, exceeding the levels seen during the 2021 bull market.

North Korea Breaks Records: Over $2.02 Billion Stolen

In 2025, hacker groups linked to North Korea have stolen at least $2.02 billion, a 51% increase year-over-year. This marks the most serious year in North Korea’s crypto theft history, accounting for 76% of all confirmed attack incidents.

Cumulatively, North Korea has stolen at least $6.75 billion worth of cryptocurrencies, a scale unmatched by other hacker groups.

The evolution of North Korean hackers' tactics is now clearly visible. Previously, infiltration relied mainly on posing as IT personnel; now they:

  • Impersonate recruiters at well-known Web3 and AI companies, using fake hiring processes to obtain login credentials and source code
  • Pretend to engage with targeted executives as fraudulent investors or acquirers to gain system information and access to high-value infrastructure
  • Use complex attacks on private key management and signing authentication processes to bypass cold wallet protections

These methods are concentrated on AI and blockchain companies of strategic importance, likely backed by state-level funding and efforts to evade international sanctions.

Top 3 Major Incidents Account for 69% of Total Losses

2025 data indicates an “extreme” trend in the crypto industry. Funds stolen in the largest attacks reach levels 1,000 times those of typical incidents, with 69% of total losses concentrated in the top three cases.

This high concentration suggests that security weaknesses are focused on specific platforms. Attackers target large-scale services, adopting strategies aimed at maximum impact, where a single successful attack can influence the overall annual security assessment.

In the personal wallet sector, incidents surged to 158,000 (about three times the 54,000 in 2022), with victims reaching 80,000. However, the average loss per incident is decreasing, indicating that while attackers target more users, the scale of individual damages is shrinking.

Particularly notable is Solana, with approximately 26,500 victims reported, highlighting serious issues in individual wallet security.

North Korea’s Unique Money Laundering Model: A 45-Day Structured Process

After large-scale thefts, North Korean hackers deploy highly structured money laundering methods. This process unfolds over approximately 45 days, divided into multiple stages.

Stage 1 (0–5 days): Immediate Dispersion

  • Influx into DeFi protocols surges by +370%
  • Use of mixing services increases by +135–150%
  • The primary goal is “immediate separation from the stolen source”

Stage 2 (6–10 days): Wide-area Diffusion

  • Transition to less KYC-restricted trading platforms (+37%)
  • Gradual inflow into centralized exchanges (+32%)
  • Dispersal across chains via cross-chain bridges (+141%)

Stage 3 (20–45 days): Final Cash-Out

  • Significant increase in use of non-KYC platforms (+82%) and collateral services (+87%)
  • Active use of Chinese-language money laundering networks (+33% to more than +1,000%)
  • Ultimately converting into fiat currency or other assets

What sets North Korean hackers apart from other cybercriminals is their extreme reliance on Chinese-language laundering services and collateral networks. Over 60% of transactions are split into small amounts under $50,000, employing a “fragmentation strategy” to evade tracking.

Conversely, North Korean hackers make almost no use of:

  • Lending protocols (-80%)
  • KYC-free trading platforms (-75%), an apparent contradiction with the stage-level figures above
  • P2P platforms (-64%)
  • DEXs (-42%)

This pattern suggests that North Korea’s operations depend on trusted local partners rather than high-risk, open services, favoring reliable intermediaries.
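The "fragmentation strategy" described above (splitting flows into many transfers under $50,000) is a pattern an on-chain monitoring or compliance team can screen for directly. The following Python script is an example added here; it is not part of the original article and not Chainalysis tooling. The ledger entries, addresses, time window and near-threshold band are constructed for illustration; only the $50,000 figure comes from the article.

```python
"""Screen a transfer ledger for a "fragmentation" (structuring) pattern:
many transfers from one source that each stay just under a reporting
threshold but together far exceed it within a short time window.
All sample data below is constructed for illustration; addresses and
amounts are hypothetical. The $50,000 threshold is the figure the
article cites for the fragmentation pattern."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    src: str
    dst: str
    amount_usd: float


@dataclass
class Alert:
    src: str
    count: int
    total_usd: float
    start: datetime
    end: datetime
    destinations: list = field(default_factory=list)


# Constructed sample ledger (hypothetical addresses, not real on-chain data).
SAMPLE = [
    Transfer(datetime(2025, 3, 1, 10, 0), "0xsrcA", "0xmixer1", 48_500),
    Transfer(datetime(2025, 3, 1, 10, 7), "0xsrcA", "0xmixer1", 49_200),
    Transfer(datetime(2025, 3, 1, 10, 15), "0xsrcA", "0xbridge", 47_900),
    Transfer(datetime(2025, 3, 1, 11, 2), "0xsrcA", "0xotc_cn", 49_900),
    Transfer(datetime(2025, 3, 1, 12, 0), "0xsrcB", "0xcex", 120_000),  # one large transfer, not structuring
    Transfer(datetime(2025, 3, 2, 9, 0), "0xsrcC", "0xdex", 12_000),    # small, far below the band
    Transfer(datetime(2025, 3, 5, 9, 0), "0xsrcC", "0xdex", 9_000),
]


def sub_threshold_share(transfers, threshold=50_000.0):
    """Fraction of transfers below the threshold. The article reports that
    over 60% of the laundering transfers it analysed fall under $50,000."""
    if not transfers:
        return 0.0
    return sum(1 for t in transfers if t.amount_usd < threshold) / len(transfers)


def detect_fragmentation(transfers, threshold=50_000.0, window=timedelta(hours=24),
                         min_count=3, near_ratio=0.9):
    """Per source address, slide a time window over the transfers that sit
    in the band [near_ratio * threshold, threshold) and raise one alert for
    the largest group of at least min_count such transfers whose sum
    exceeds the threshold."""
    by_src = defaultdict(list)
    for t in sorted(transfers, key=lambda t: t.ts):
        by_src[t.src].append(t)

    alerts = []
    for src, txs in by_src.items():
        near = [t for t in txs if near_ratio * threshold <= t.amount_usd < threshold]
        best = None
        i = 0
        for j in range(len(near)):
            # advance the window start until the current group fits in the window
            while near[j].ts - near[i].ts > window:
                i += 1
            group = near[i:j + 1]
            total = sum(t.amount_usd for t in group)
            if len(group) >= min_count and total > threshold and (
                    best is None or len(group) > len(best)):
                best = group
        if best:
            alerts.append(Alert(
                src=src,
                count=len(best),
                total_usd=sum(t.amount_usd for t in best),
                start=best[0].ts,
                end=best[-1].ts,
                destinations=sorted({t.dst for t in best}),
            ))
    return alerts


if __name__ == "__main__":
    print(f"share of transfers under threshold: {sub_threshold_share(SAMPLE):.2f}")
    for a in detect_fragmentation(SAMPLE):
        print(f"ALERT {a.src}: {a.count} transfers totalling ${a.total_usd:,.0f} "
              f"between {a.start} and {a.end} to {a.destinations}")
```

On the constructed ledger, only `0xsrcA` is flagged: four transfers in the $45,000 to $50,000 band within about an hour, fanning out to a mixer, a bridge and an OTC desk, which matches the staged dispersion the article describes. The single $120,000 transfer and the small DEX swaps are not flagged, which is the point of the near-threshold band: a screen on "amount < $50,000" alone would flag almost every retail transaction.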

Evolution of DeFi Security: Despite Rising TVL, Hacking Losses Remain Low

An intriguing phenomenon observed in 2024–2025 is that, despite the total value locked (TVL) in DeFi recovering significantly from 2023 lows, hacking losses remain at historically low levels.

  • 2020–2021: Both TVL and hacking losses increase simultaneously
  • 2022–2023: Both decline concurrently
  • 2024–2025: TVL recovers, but hacking losses stay stable and low

This shift has two key implications:

Improved Security Measures

The early DeFi era (2020–2021) was marked by extremely vulnerable protocols. The fact that hacking losses have not increased with TVL growth indicates that protocol development teams have significantly strengthened security implementations.

Shift in Attack Targets

The simultaneous rise in personal wallet thefts and attacks on centralized services suggests that attackers are shifting focus away from DeFi toward other targets.

A case in point is the September 2025 protocol incident, which demonstrated the effectiveness of improved security infrastructure. When a breach occurred, security monitoring platforms detected suspicious activity 18 hours in advance. The protocol was halted within 20 minutes, preventing fund outflows, and all stolen funds were recovered within 12 hours. Notably, $3 million controlled by the attacker through governance was frozen, resulting in the attacker losing funds instead of gaining.

This rapid and effective response marks a fundamental change from the early DeFi days, where attacks often resulted in permanent losses.

Challenges and Industry Implications for 2026

The 2025 data reveals a paradox: North Korea has reduced confirmed attack incidents by 74% while increasing the stolen amount by 51%. This suggests that visible activity may only represent a small part of actual operations.

The biggest challenges for the crypto industry in 2026 include:

Enhancing Detection of North Korea’s Unique Money Laundering Traits

Identifying specific service types, transfer patterns, Chinese-language network usage, and other behavioral traits unique to North Korean hackers will enable earlier intervention.

Strengthening Defense of High-Value Targets

While attack frequency has decreased, their destructive potential has increased. Vigilance against advanced tactics like employment scams and social engineering is essential, especially for strategically important companies such as AI and blockchain firms. Traditional security measures are no longer sufficient.

Improving Monitoring and Response Capabilities

As demonstrated by the Venus incident, proactive monitoring, rapid response, and decisive governance mechanisms can minimize damage. Industry-wide standardization of such security practices is necessary.

North Korea’s thefts are not merely cybercrimes but part of strategic national activities. Tracking their evolving tactics and operational methods is crucial for raising the overall security level of the industry.
