North Korea’s yearly cryptocurrency thefts have accelerated, with Kim’s state-backed cybercriminals plundering just over $2 billion worth of tokens in 2025.
That’s according to research from blockchain biz Chainalysis, whose experts say that the figure represents a 51 percent increase year-on-year, and a huge proportion of the $3.4 billion that was stolen in total, globally.
“This marks the most severe year on record for DPRK crypto theft in terms of value stolen, with DPRK attacks also accounting for a record 76 percent of all service compromises,” the company’s report noted.
A major factor in the steep rise is North Korea’s February attack on Bybit, which netted around $1.5 billion worth of digital assets.
Another reason for this rise is the state’s increased targeting of personal wallets, representing nearly half (44 percent) of the total value. In 2022, this accounted for just 7.3 percent of the country’s efforts.
North Korea was responsible for around 158,000 individual wallet attacks this year, affecting 80,000 unique individuals.
Chainalysis said this is likely due to the heightened interest in cryptocurrency investing. It cited Solana as one example, with attacks on Solana-connected wallets amounting to 26,500 victims.
Overall, Kim’s cronies cemented themselves as the dominant force in cryptocurrency thefts in 2025, taking the total value of their raids to an estimated $6.75 billion since researchers began tracking them.
Chainalysis said: “The country’s record-breaking 2025 performance – achieved with 74 percent fewer known attacks – suggests we may be seeing only the most visible portion of its activities. The challenge for 2026 will be detecting and preventing these high-impact operations before DPRK-affiliated actors inflict another Bybit-scale incident.”
Subverting the IT worker model
North Korea was responsible for a record 76 percent of attacks on centralized services this year. It accomplished this feat through private key compromises and continued attempts to embed skilled individuals into cryptocurrency services companies.
The country’s effort to infiltrate Western companies with fake IT workers is well-known, but this year North Korea’s IT army has shifted from securing positions to posing as recruiters for crypto and other types of web3 businesses.
In doing so, they have been able to run fake technical screenings, during which they gain access to and ultimately steal credentials and source code, and secure remote access into the networks where applicants currently work.
The report added: “At the executive level, a similar social‑engineering playbook appears in the form of bogus outreach from purported strategic investors or acquirers, who use pitch meetings and pseudo–due diligence to probe for sensitive systems information and potential access paths into high‑value infrastructure – an evolution that builds directly on the DPRK’s IT worker fraud operations and their focus on strategically important AI and blockchain companies.”
DeFi no more?
Researchers’ observations suggest that the country’s new focus on personal wallets and centralized services is replacing previous raids on decentralized finance (DeFi) protocols.
For those not in tune with the web3 lingo, DeFi protocols exist on blockchains and facilitate actions such as lending and borrowing using smart contracts, all without the need for intermediaries.
These smart contracts typically hold vast amounts of a blockchain’s assets. Exploiting a vulnerability in one can grant attackers full control over the total pot, and allow them to pay themselves via an irreversible transaction.
Another term to understand is total value locked (TVL). This refers to the sum of all assets deposited by users. The bigger the TVL, the bigger the potential pool of assets attackers can steal, for example through smart contract vulnerabilities, and the more tempting a target it becomes.
But Chainalysis said that activity in 2024 and 2025 started to show divergence from this trend. TVLs grew during this period, but attacks targeting protocols fell, suggesting DeFi security standards are improving and thus discouraging attackers.
DeFi attacks are still causing headaches in the web3 space. Lucrative raids from the past year have included those on Garden and Balancer, but the TVL to total losses ratio is way down.