Wednesday, December 31, 2025

North Korean Hackers Net $2B in 2025; Bybit Breach Fuels Record Year

Chainalysis reports a record $2.02 billion stolen by DPRK hackers in 2025, with the massive Bybit breach accounting for nearly 70% of the total.

North Korean state-sponsored hackers successfully stole at least $2.02 billion in cryptocurrency throughout 2025, a 51% surge over the previous year, according to the 2026 Crypto Crime Report released today by Chainalysis. The unprecedented total was driven almost entirely by the massive $1.4 billion compromise of the Bybit exchange in February, signaling a strategic pivot by the DPRK toward fewer, higher-value targets.

The $1.4 Billion Outlier

While the number of individual DPRK-linked hacks actually declined, the average value per heist skyrocketed. The Chainalysis data confirms that the Bybit incident alone accounted for nearly 70% of the total haul. In that February 21 attack, hackers utilized a sophisticated social engineering campaign to compromise a cold wallet, manipulating the signing interface to mask malicious transactions.

Ethereum (ETH) struggled to find support today, slipping 4% to $2,840 as the market digested the scale of the vulnerability exposed in centralized custodial services.

The DPRK is achieving larger thefts with fewer incidents, often by embedding IT workers inside crypto services or using sophisticated impersonation tactics targeting executives.

Tactical Shift: IT Infiltration

The report highlights a disturbing evolution in tradecraft. Rather than relying solely on technical exploits of smart contracts (DeFi), North Korean operatives are increasingly infiltrating crypto firms physically and digitally. The primary vectors now include:

  • IT Worker Embedding: Placing operatives in developer roles at exchanges and Web3 firms.
  • Social Engineering: Highly targeted impersonation attacks on executives with access to multi-sig keys.
  • “Masked” UIs: Tools that display legitimate transaction data on-screen while signing malicious payloads in the background.

The 45-Day Wash Cycle

Chainalysis analysts identified a rigid laundering pattern for these stolen assets. Major thefts typically undergo a 45-day obfuscation window. Funds move through a predictable sequence: immediate dispersion, conversion to USDT or TRON, and finally, integration into the fiat economy via Chinese-language OTC brokers. Unlike other threat actors, DPRK groups have largely abandoned DeFi mixers in 2025, preferring centralized services that can handle volume without slippage.

With Bitcoin trading flat at $86,800 and market sentiment reading “Extreme Fear” (17/100), the report serves as a stark reminder that institutional custody remains the sector’s single largest failure point.