North Korea's crypto thieving went into overdrive in 2025, with one firm estimating it's responsible for roughly 60% of the $3.4 billion stolen in total

North Korea has long been accused of being a major state sponsor of cybercrime, and new research from the crypto firm Chainalysis puts an eye-watering figure on the scale of these thefts in 2025: it estimates that the regime's cybersquads plundered just over $2 billion of crypto and tokens.

Chainalysis puts this down as a 51% increase year-on-year for North Korea, and if accurate that would mean North Korea accounted for just under 60% of all global cryptocurrency theft, estimated at $3.4 billion in 2025. A major factor here was the February 2025 attack on Bybit, which the FBI attributed to North Korea, saying it made off with roughly $1.5 billion worth of digital assets.

"This marks the most severe year on record for DPRK crypto theft in terms of value stolen, with DPRK attacks also accounting for a record 76 percent of all service compromises," says the Chainalysis report.

North Korean hackers have also stepped up their targeting of individuals, and were behind approximately 160,000 personal wallet attacks over the course of the year, stealing from around 80,000 people. They seem to have some favourite hunting grounds, too, with 26,500 victims having wallets connected to the Solana blockchain platform.

"The country's record-breaking 2025 performance—achieved with 74 percent fewer known attacks—suggests we may be seeing only the most visible portion of its activities," says Chainalysis. "The challenge for 2026 will be detecting and preventing these high-impact operations before DPRK-affiliated actors inflict another Bybit-scale incident."

These figures take the total of North Korea's cyberhaul over the years to an incredible $6.75 billion. Obviously all of the above should be caveated with the reality that crypto value can fluctuate wildly, and $6.75 billion in crypto assets is not $6.75 billion in cash, but whatever the true value… Kim Jong-Un's cybergoons are making off like bandits.

The way that assets are subsequently laundered is dizzying. Crypto firm Elliptic calls it a "cat-and-mouse" game between the hackers and those chasing the money, and gives the following rundown of what happened with the $1.5 billion obtained from the ByBit hack:

• Multiple rounds of mixing and cross-chain transactions
• Using obscure blockchains with limited analytics coverage
• Reducing costs by purchasing utility tokens of specific protocols
• Exploiting “refund addresses” to redirect assets to fresh wallets
• Creating and trading tokens issued directly by laundering networks

The crypto hacking sits alongside North Korean attempts to infiltrate and compromise Western companies with bogus IT workers, as in this recent example involving Amazon, with 2025 seeing a new prong to the strategy:

"At the executive level, a similar social‑engineering playbook appears in the form of bogus outreach from purported strategic investors or acquirers, who use pitch meetings and pseudo–due diligence to probe for sensitive systems information and potential access paths into high‑value infrastructure—an evolution that builds directly on the DPRK's IT worker fraud operations and their focus on strategically important AI and blockchain companies."

By any metric, North Korea is an economic basket case and one of the most isolated countries in the world. The importance of this crypto fraud has to be seen in that context, with the United Nations estimating such activity now accounts for 13% of North Korea's GDP.