Crypto-related cybercrime linked to North Korea reached unprecedented scale in 2025.
Data released by Chainalysis shows that hacking groups linked to the Democratic People’s Republic of Korea were responsible for the theft of $2.02 billion in digital assets during the year, the highest annual total on record.
This figure represents a sharp increase from 2024, with losses increasing by $681 million year over year.
Long-term trend shows acceleration, not spikes
Over the period 2016-2025, the data reveals a clear evolution. The early years show relatively limited activity, followed by rapid expansion during major crypto growth cycles. Although there have been temporary pullbacks, the broader trajectory is pointing upward.
In 2025, annual losses exceeded the $2 billion threshold for the first time. This is not due to a single anomaly, but to repeated large-scale violations.
Dominance in Global Crypto Hacks
The most striking change is not only in the total value stolen, but also in North Korea’s growing share of global hacks of crypto services. Data from Chainalysis indicates that DPRK-linked actors now account for a larger share of total global compromises than at any time in the last decade.
This reflects increasing concentration. Fewer actors are responsible for a greater share of total losses, suggesting increasing sophistication and operational efficiency.
2025 marks a radical change in activity
The jump from 2024 to 2025 is remarkable. The additional $681 million in losses indicate larger attacks and sustained campaigns rather than isolated incidents. Targets increasingly included high-value centralized services, bridges, and custom platforms.
The model indicates scalability, not opportunistic theft.
What the numbers ultimately show
The data highlights a critical reality for the crypto industry. As infrastructure increases in value and complexity, state-linked threat actors evolve alongside it. Security risk is no longer purely technical or financial. It’s geopolitical.
With 2025 now the worst year on record for DPRK-linked cryptocurrency theft, the numbers serve as a benchmark for both regulators and platforms. The threat environment is intensifying rather than stabilizing, and security assumptions based on past cycles may no longer be sufficient.
