North Korea’s 2025 Crypto Heists Reach Over $2 Billion

North Korea just posted its biggest year of crypto thefts — $2.02 billion in 2025 (about 50% more than 2024), pushing total takings since 2016 to roughly $6.75 billion, including a single $1.5B February hit on Bybit. State‑backed hackers now use sophisticated DeFi laundering — chain‑hopping, tokenization, staged swaps and bridges — that obscures provenance, raises systemic risks for exchanges and insurers, and has prompted Senate probes into cross‑chain and sanctions blind spots.


Crypto-focused intelligence firms and blockchain trackers report that North Korean state‑backed hacking groups extracted more than $2.02 billion in cryptocurrency in 2025 — a haul roughly 50% larger than 2024 and bringing total crypto thefts attributed to the regime since 2016 to about $6.75 billion. The single largest incident this year was a February breach of Dubai‑based exchange Bybit that resulted in approximately $1.5 billion in losses (source: https://finance.yahoo.com/news/north-korea-just-had-its-biggest-year-ever-stealing-cryptocurrency-130002485.html).

Operationally, the attackers are no longer limited to blunt-force exchange hacks. The preferred playbook today blends traditional exploit techniques with advanced chain-level laundering: rapid chain‑hopping through bridges, splitting funds across hundreds of wallets, conversion into privacy‑focused tokens, and use of decentralized finance rails (DEXs, lending pools, and automated market makers) to layer transactions and obscure provenance. Those tactics make attribution and recovery slower and more resource‑intensive for investigators.

The attackers have adapted to on‑chain surveillance countermeasures. Instead of moving funds directly through sanctioned mixers, operators now use staged swaps, time‑delayed transfers, and third‑party smart contracts that emulate normal DeFi activity while peeling off value into controlled vaults. In several observed cases this year, stolen assets were tokenized, routed through yield strategies, and then consolidated via cross‑chain bridges — a pattern that leverages liquidity and obfuscation at scale.

That evolution changes the risk profile for custodians and exchanges. Large centralized platforms face greater exposure to "hot" wallet compromises and knock‑on liquidity shocks if stolen assets are reintroduced via DEXs or wrapped tokens. For market infrastructure and insurers, the mix of cross‑chain complexity and DeFi integration raises the bar for compliance tooling: faster wallet triage, cross‑chain tracing, and real‑time flagging of suspicious liquidity pools are increasingly necessary to limit contagion.
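As an added illustration of the wallet triage mentioned above (not code from the article or from any tracing vendor), the sketch below flags a wallet that forwards most of a fresh inflow to many distinct addresses within a time window, and notes which recipients then send to a bridge. The transfer records, wallet labels, and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample transfers (not real chain data):
# (time_s, chain, src, dst, amount, kind)
TRANSFERS = [
    (0,    "eth", "exch_hot", "A",        1000.0, "transfer"),
    (60,   "eth", "A",        "w1",        250.0, "transfer"),
    (120,  "eth", "A",        "w2",        250.0, "transfer"),
    (180,  "eth", "A",        "w3",        250.0, "transfer"),
    (240,  "eth", "A",        "w4",        240.0, "transfer"),
    (900,  "eth", "w1",       "bridge_x",  250.0, "bridge"),
    (5000, "eth", "B",        "C",          10.0, "transfer"),
]

def triage(transfers, window_s=3600, min_fanout=4, min_share=0.8):
    """Return {wallet: details} for wallets showing a fan-out split.

    A wallet is flagged when, within window_s of its first inflow, it sends
    at least min_share of its total inflow to min_fanout or more distinct
    destinations. Thresholds are illustrative assumptions, not tuned values.
    """
    inflow = defaultdict(float)   # total received per wallet
    first_in = {}                 # time of first inflow per wallet
    outs = defaultdict(list)      # outgoing (time, dst, amount) per wallet
    bridged = set()               # wallets that sent funds to a bridge
    for t, _chain, src, dst, amt, kind in sorted(transfers, key=lambda r: r[0]):
        inflow[dst] += amt
        first_in.setdefault(dst, t)
        outs[src].append((t, dst, amt))
        if kind == "bridge":
            bridged.add(src)

    flagged = {}
    for wallet, start in first_in.items():
        if inflow[wallet] <= 0:
            continue
        recent = [(d, a) for t, d, a in outs[wallet] if 0 <= t - start <= window_s]
        dests = {d for d, _ in recent}
        share = sum(a for _, a in recent) / inflow[wallet]
        if len(dests) >= min_fanout and share >= min_share:
            flagged[wallet] = {
                "fanout": len(dests),
                "share": round(share, 2),
                "bridged_by": sorted(dests & bridged),  # recipients that chain-hopped
            }
    return flagged
```

Shrinking `window_s` below the spacing of the outgoing transfers makes the same wallet pass unflagged, which is why the time‑delayed transfers described above weaken fixed-window heuristics.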

On the geopolitical side, the numbers matter: these thefts represent a meaningful revenue stream that can be repurposed to circumvent sanctions and to finance military programs. That linkage has prompted the US Senate to call for formal investigations into how decentralized finance protocols and cross‑chain infrastructure are being exploited to fund the regime, and to examine gaps in the current sanctions and enforcement architecture.
