Chainalysis research shows North Korean-linked actors stole at least $2.02 billion in cryptocurrency during 2025 — a 51% increase over 2024 — bringing their cumulative haul to about $6.75 billion. The pattern is not one of quantity but of selective scale: fewer incidents but much larger, more sophisticated operations. (Source: https://www.livemint.com/market/cryptocurrency/north-korean-hackers-allegedly-stole-record-2-02-billion-cryptocurrency-in-2025-how-11766281879521.html)
What changed in 2025
- Higher-impact targeting: Attack counts fell while median loss per incident rose, as actors focused on major custodians, bridge liquidity pools and centralized services where a single compromise yields outsized value.
- Complex human-in-the-loop tactics: Beyond pure code exploits, operations increasingly used social engineering and long-term access strategies — embedding IT workers or contractors inside crypto firms and deploying impersonation campaigns to escalate privileges.
- Sophisticated laundering chains: Stolen funds moved through Chinese-language onramps and laundering services, exploited cross-chain bridges to obscure provenance, and made heavy use of mixing protocols and decentralized exchange (DEX) routing to fragment and reconstitute value.
Operational mechanics observed
- Initial access: Phishing and credential harvesting remained common, but lateral movement and privilege escalation were frequently achieved with insider help and time-phased account compromises.
- Value extraction: Large withdrawals were scheduled around liquidity windows and used multi-hop transfers that minimized on-chain tracing signals while exploiting cross-chain interoperability gaps.
- Money movement: Funds were consolidated into pools routed through multiple bridge smart contracts and then split across dozens of addresses before entering mixing services and low-friction Chinese-language OTC desks.
Why this matters for market participants
- Counterparty and custody risk: Institutional custodians, exchanges and liquidity providers must recalibrate exposure models to account for high-severity, low-frequency compromises that can move billions in single events.
- AML and compliance gaps: Traditional sanctions screening and single-chain heuristics are less effective when laundering leverages cross-chain primitives and non-English laundering ecosystems.
- Insurance and capital allocation: Underwriters and treasury managers will need more granular scenario analysis that incorporates insider threat vectors and the systemic effects of large bridge exploits.
Practical defensive moves (actionable)
- Strengthen personnel security: Expand vetting, continuous access reviews, and zero-trust controls for contractors and IT staff with privileged access.
- Harden bridge and cross-chain monitoring: Deploy real-time heuristics for anomalous bridge flows, implement pre-transfer whitelists for high-value routes, and require multi-party approval for large outbound transfers.
- Layer analytics and provenance tagging: Combine on-chain tracing with behavioral flags (long-duration account changes, sudden fee-pattern shifts) and block suspicious sequences before they aggregate.
- Broaden AML coverage: Incorporate monitoring of non-English OTC channels and Chinese-language laundering services into watchlists; prioritize SIP and sanctions feeds that include bridge addresses and mixer protocols.
- Operationalize recovery playbooks: Maintain rapid-response procedures for chain freezes, coordinated disclosure with exchanges, and legal pathways for asset recovery that account for multi-jurisdictional laundering chains.
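As an added illustration of the bridge-monitoring and multi-party-approval controls above (example code written for this summary, not Chainalysis tooling), the sketch below gates large outbound transfers for co-signing and flags the consolidate-then-fan-out sequence described in the money-movement section: a large bridged inflow to one address followed within an hour by transfers to many distinct destinations. The thresholds, the `Transfer` record shape and the sample ledger are assumptions, not values from the report.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    ts: int          # unix timestamp, seconds
    src: str
    dst: str
    usd: float       # USD-equivalent value at transfer time
    bridge: bool     # True if the transfer crossed a chain bridge

LARGE_USD = 1_000_000      # assumed threshold for multi-party approval
FANOUT_WINDOW = 3600       # seconds after a large bridge inflow to watch
FANOUT_MIN_DESTS = 10      # distinct destinations that trigger an alert

def needs_multiparty_approval(t: Transfer, threshold: float = LARGE_USD) -> bool:
    """Pre-transfer gate: large outbound value must be co-signed, not auto-released."""
    return t.usd >= threshold

def detect_bridge_fanout(transfers, window=FANOUT_WINDOW,
                         min_dests=FANOUT_MIN_DESTS, threshold=LARGE_USD):
    """Return {address: distinct_destination_count} for every address that received
    a large bridged inflow and then sent to at least `min_dests` distinct addresses
    within `window` seconds of that inflow."""
    txs = sorted(transfers, key=lambda t: t.ts)
    inflows = [t for t in txs if t.bridge and t.usd >= threshold]
    alerts = {}
    for inflow in inflows:
        dests = {t.dst for t in txs
                 if t.src == inflow.dst and inflow.ts <= t.ts <= inflow.ts + window}
        if len(dests) >= min_dests:
            alerts[inflow.dst] = max(alerts.get(inflow.dst, 0), len(dests))
    return alerts

# Constructed sample ledger; addresses and values are made up for this example.
# Suspicious: $5M arrives over a bridge, then hop1 splits it across 12 addresses.
SAMPLE = [Transfer(1_700_000_000, "bridge_pool", "hop1", 5_000_000.0, True)]
SAMPLE += [Transfer(1_700_000_000 + 60 * i, "hop1", f"out{i:02d}", 400_000.0, False)
           for i in range(12)]
# Benign: a large bridge inflow that stays consolidated in one custody account.
SAMPLE += [Transfer(1_700_010_000, "bridge_pool", "treasury", 3_000_000.0, True),
           Transfer(1_700_010_300, "treasury", "custodian", 3_000_000.0, False)]

if __name__ == "__main__":
    print(detect_bridge_fanout(SAMPLE))  # {'hop1': 12}
```

In production the same check would run against a streaming feed of bridge contract events rather than an in-memory list, and the flagged address would be held for review before further outbound transfers are released.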
Chainalysis’ 2025 findings underscore that technical exploits are now routinely paired with human-led intrusion and cross-chain laundering, forcing a shift from perimeter defense to integrated people-process-technology controls. Chainalysis records North Korea’s cumulative crypto thefts at approximately $6.75 billion.