Crypto Theft Hits $3.4B in 2025, North Korea Steals $2B

This article was prepared using automated systems that process publicly available information. It may contain inaccuracies or omissions and is provided for informational purposes only. Nothing herein constitutes financial, investment, legal, or tax advice.

Introduction

The cryptocurrency industry faced one of its most devastating years for criminal losses in 2025, with over $3.4 billion stolen between January and early December according to blockchain analytics firm Chainalysis. This staggering total, driven by a record $2.02 billion haul by North Korean state-sponsored hackers, signals a dangerous new era of concentrated, geopolitically motivated attacks that are reshaping the security landscape for Bitcoin (BTC), Ethereum (ETH), and major stablecoins like USDT and USDC.

Key Points

  • The Bybit hack alone represented $1.5 billion of the $3.4 billion total stolen in 2025, heavily skewing annual loss distributions.
  • North Korean hackers stole $2.02 billion in 2025—a 51% increase from 2024—accounting for 76% of all service compromises despite fewer confirmed attacks.
  • The ratio between the largest hack and the median incident exceeded 1,000x for the first time, indicating extreme concentration of risk in a few high-value breaches.

The Bybit Breach and the Skewed Landscape of Loss

The 2025 theft figure was massively inflated by a single catastrophic incident: the compromise of the centralized exchange Bybit, which alone accounted for approximately $1.5 billion. This one breach had a distorting effect on the annual data, pulling the distribution of stolen funds sharply back toward centralized services. In the first quarter of 2025, centralized platforms represented 88% of stolen value, a statistic heavily influenced by the Bybit hack. This highlights a persistent, fundamental vulnerability for these services: private key security. While large-scale key compromises are rare, their consequences are severe, demonstrating that the concentration of assets in a few points of failure remains a critical systemic risk.

This incident underscores a broader, alarming trend identified by Chainalysis: the extreme concentration of risk in a handful of mega-breaches. For the first time, the ratio between the value of the largest hack and the median incident crossed the 1,000x threshold, surpassing even the extremes seen during the 2021 bull market. In practical terms, the top three hacks of 2025 accounted for 69% of all service-related losses. This data reveals a market where annual theft totals are increasingly dictated by a few outlier events, even as the size of the median hack grows more gradually with broader asset prices.

North Korea's Dominance and Strategic Shift

Beyond the sheer scale of losses, the most defining feature of 2025’s crypto crime landscape was the overwhelming dominance of a single geopolitical actor: North Korea (DPRK). DPRK-linked hackers stole at least $2.02 billion in cryptocurrency, a figure that represents a 51% year-over-year increase from 2024 and accounts for a record 76% of all service compromises. Remarkably, this massive haul was achieved despite an assessed reduction in the number of confirmed DPRK-attributed incidents, pushing the lower-bound cumulative estimate of cryptocurrency stolen by North Korea to $6.75 billion.

Chainalysis attributes this efficiency to a strategic evolution in North Korea’s tactics. The report points to Pyongyang’s growing reliance on embedded IT workers who infiltrate exchanges, custodians, and Web3 firms to secure privileged internal access long before executing a major breach. This method allows for more sophisticated, targeted attacks that yield far larger payouts per operation, moving beyond opportunistic smash-and-grab tactics to long-term, strategic compromise.

The Laundering Pipeline and Structural Changes

The Chainalysis report also provides rare insight into how North Korean operatives launder their unprecedented stolen sums. Despite stealing larger amounts, they tend to move funds on-chain in smaller tranches, with over 60% of volume transferred in amounts below $500,000. This tactic likely aims to avoid detection thresholds and complicate blockchain tracing. Their laundering activity shows strong preferences for specific tools: Chinese-language guarantee and money movement services, cross-chain bridges, mixing services, and other specialized platforms designed to obfuscate the trail of digital assets.

This detailed laundering behavior coincides with a meaningful structural change in where crypto losses are occurring over a longer timeline. Prior to 2025, a clear trend had emerged: personal wallet compromises grew from just 7.3% of total stolen value in 2022 to 44% in 2024. The Bybit hack temporarily reversed this trend, but the underlying shift toward more decentralized points of failure—like individual wallets—remains a significant concern alongside the persistent threat to centralized hubs. The data collectively paints a picture of a criminal ecosystem that has become more concentrated in its execution, more strategic in its planning, and increasingly driven by state-level geopolitical actors rather than independent criminal groups.
