North Korea “industrializes” crypto thefts as losses hit billions


State-sponsored criminals from North Korea have stolen at least $1.4-2 billion of crypto assets this year alone, blockchain analysts claim, pointing to strengthening trends in how these threat actors operate.

North Koreans are responsible for $2 billion in losses (51% more than in 2024) out of $3.4 billion stolen this year, according to Chainalysis, while TRM Labs' data shows that well over half of the $2.7 billion stolen in 2025 can be attributed to the Kim Jong Un-controlled regime.

"Overall, 2025’s numbers bring the lower-bound cumulative estimate for crypto funds stolen by the DPRK [Democratic People’s Republic of Korea] to $6.75 billion," Chainalysis said, adding that DPRK continues to undertake significantly higher-value attacks than other threat actors.

The analysts also noted that the criminals have flipped their earlier "IT worker" model on its head and, instead of embedding themselves as employees, are increasingly impersonating recruiters for prominent web3 and AI firms to harvest credentials, source code, and VPN or single sign-on (SSO) access to the victim’s current employer.

"The DPRK is achieving larger thefts with fewer incidents, often by embedding IT workers inside crypto services or using sophisticated impersonation tactics targeting executives," Chainalysis concluded.

Meanwhile, according to TRM Labs, North Koreans have industrialized theft in the crypto market.

"North Korea has moved from opportunistic hacks to an industrialized supply chain: sourcing initial access from social engineering specialists, extracting funds via infrastructure attacks, and liquidating assets through a subcontracted network of Chinese shadow bankers," the analysts said, adding that these operations now function as a structured, state-directed revenue system.

These criminals have not only graduated to larger targets, moving from decentralized bridges to the centralized giants of the crypto economy, but have also refined their methods. The point of entry overwhelmingly remains the human layer, and, once inside, the criminals aim to obtain control over the systems that authorize withdrawals, TRM Labs said.

The laundering that follows a heist has also become more complicated: the stolen assets immediately fracture into a sequence of hops through different blockchains before vanishing into a service-based ecosystem and entering the "Chinese Laundromat," or various China-based entities offering money laundering services.

Beyond the North Korean threat, Chainalysis also warned that individual wallet compromises surged to 158,000 incidents (+192% vs. 2024), affecting 80,000 (+100%) unique victims in 2025, although the total value stolen ($713M) decreased by 44% from 2024.

"These dramatic increases are likely due to greater crypto adoption," the analysts suggested.

Meanwhile, improved security practices in the decentralized finance (DeFi) sector have likely helped keep hack losses suppressed in 2024-2025, despite the sector's growth.

