Wednesday, December 31, 2025

North Korea’s $2B Payday: 2025 Crypto Theft Hits Record $3.4 Billion

North Korean hackers stole $2.02 billion in 2025, driving global crypto losses to a record $3.4 billion as tactics shift from code exploits to social engineering.

The 2025 numbers are in, and the security bill for the industry has arrived: $3.4 billion. According to the 2025 Crypto Crime Report released Friday by Chainalysis, this year marks the highest figure for stolen funds since 2022. But the headline number hides a darker geopolitical reality: nearly 60% of that total sits in Pyongyang.

The Lazarus Monopoly

North Korean hacker crews, specifically the Lazarus Group, were responsible for $2.02 billion in theft this year. That is a $681 million increase from 2024. State-backed actors have officially industrialized the exploit vector, achieving these record numbers with 74% fewer known attacks than in previous years. They aren’t spraying and praying anymore; they are headhunting.

The ratio between the largest hack and the median of all incidents crossed the 1,000x threshold for the first time.

This efficiency stems from a tactical pivot. While DeFi protocols spent 2024 hardening smart contracts, Lazarus shifted layers, moving from code to personnel. The report explicitly cites “embedding IT workers” inside crypto services and sophisticated social engineering of executives as the primary vectors. The Chainalysis data confirms this social layer is now the industry’s single largest point of failure.

The Bybit Skew

The 2025 data is heavily weighted by a single catastrophic event: the $1.4 billion Bybit hack in February. This incident alone accounted for 44% of the year’s total losses and nearly 75% of North Korea’s total haul. Without this outlier, the industry narrative would be radically different. DeFi losses actually contracted as security standards matured.

Centralized exchanges, however, are bleeding. The concentration of risk has returned to custody providers, where a single compromised key (or compromised engineer) yields ten-figure payouts.

Retail Wallet Drainers Surge

While nation-states targeted exchanges, automated drainers feasted on retail users. Individual wallet compromises surged to 158,000 incidents in 2025, affecting 80,000 unique victims. Although the total value stolen in these retail attacks ($713 million) dropped slightly from 2024, the volume of attacks indicates that wallet-draining malware has become a commodity service.

The divergence is clear: attackers have bifurcated. Advanced persistent threats (APTs) like Lazarus are dismantling centralized infrastructure, while script kiddies are farming retail signatures at scale. The middle ground, DeFi protocol exploits, is shrinking.