In 2025, the cryptocurrency industry faces unprecedented threats. According to the annual hacker attack report by blockchain security analysis firm Chainalysis, despite a 74% decrease in known attack incidents by North Korean hacker groups, the scale of fund theft has hit a record high. Behind this “small but precise” attack pattern lies a clear operational cycle—a full process from theft to money laundering takes an average of about 45 days. This cycle has become a crucial clue for uncovering North Korea’s financial flows.
In 2025, the crypto industry loses $3.4 billion, with record-breaking attack scale
From January to December 2025, the crypto industry suffered theft losses exceeding $3.4 billion. Notably, single incidents had an unprecedented impact on annual losses: the top three hacker attacks accounted for 69% of all losses. Most shocking was the February attack on the Bybit exchange, which resulted in $1.5 billion in losses and made up an absolute majority of the funds stolen that month.
The sources of these stolen funds show new characteristics. While the number of personal wallet thefts surged to 158,000 (a new high since 2022), the proportion of personal wallet thefts in total losses decreased due to the massive scale of the Bybit incident. Meanwhile, attacks targeting centralized services became increasingly destructive—although such intrusions are infrequent, attacks on centralized services in the first quarter of 2025 caused 88% of the quarter’s total losses.
The most concerning data point is that the gap between the largest-scale hacker attack and the median of all incidents has exceeded 1,000 times for the first time. In other words, the largest theft involved more than 1,000 times the funds of the median incident, a disparity that surpasses even the peak of the 2021 bull market.
North Korea accounts for 76% of attacks alone; known attacks decrease but theft hits new high
Behind all this, North Korean hacker groups remain the biggest threat to the crypto industry. This state-level attack force stole at least $2.02 billion in cryptocurrencies in 2025, a 51% increase from $1.339 billion in 2024, setting a record high. Since 2022, North Korean hacker groups have stolen a total of $6.75 billion in crypto funds.
Paradoxically, this record theft amount was achieved despite a significant reduction in known attack incidents. North Korean hackers accounted for 76% of all intrusion events (a new high), yet the frequency of individual attacks decreased. This indicates a fundamental shift in their attack strategy—they are prioritizing quality over quantity.
North Korean hackers have evolved multi-layered infiltration methods. Initially, they gained privileged access by planting covert IT workers inside crypto services. In recent years, this approach has been replaced by more sophisticated social engineering attacks. They impersonate recruiters from well-known Web3 and AI companies, carefully designing fake recruitment processes to trick victims into revealing login credentials, source code, or even VPN or SSO access rights.
At the senior management level, North Korean hackers use more covert tactics—posing as strategic investors or acquirers, probing sensitive system information and high-value infrastructure through investment pitches and fake due diligence. This precise targeting explains why they achieve larger thefts with fewer attacks—they focus on large services and critical nodes.
Dissecting North Korea’s money laundering operations: a special “segmentation” strategy and a 45-day laundering cycle
Unlike other cybercriminals, North Korean hackers have a unique and structured money laundering pattern. Their laundering activities exhibit a clear “segmentation” feature—over 60% of transactions are concentrated below $500,000, contrasting sharply with other hackers who typically split 60% of funds into batches ranging from $1 million to $10 million.
They also show a strong preference for certain laundering services. They rely heavily on Chinese capital transfer and escrow services (355% to 1,000% higher than other hackers), indicating close ties with illicit financial networks in the Asia-Pacific region. Additionally, they depend heavily on cross-chain bridge services (97% higher) to move assets across different blockchains, making funds harder to trace, and frequently use mixing services (over 100% higher) to obscure fund flows. The use of professional tools like Huione is also 356% higher.
Interestingly, North Korean hackers tend to avoid using lending protocols (less than 80% of other hackers), non-KYC exchanges (less than 75%), and P2P platforms (less than 64%). This pattern suggests their operations are constrained by different factors compared to typical cybercriminals—they need to coordinate with specific intermediaries, and their channels are relatively fixed.
From 2022 to 2025, data over four years shows that after large-scale thefts, the flow of funds follows a highly structured cycle, typically lasting about 45 days. This laundering cycle can be divided into three distinct phases:
Phase 1: Urgent Layering (Days 0-5) — In the initial days after theft, abnormally active trading is observed. DeFi protocols become the main destination for stolen funds, with transaction volumes increasing by 370%; mixing services also see a rapid increase of 135-150%. The goal of this phase is to quickly disconnect stolen funds from their original source.
Phase 2: Initial Integration (Days 6-10) — As the second week begins, funds start flowing into services that help them integrate into broader ecosystems. Exchanges with fewer KYC restrictions and centralized exchanges (CEXs) start receiving funds (up 37% and 32%, respectively). A second round of mixing continues, and cross-chain bridges (e.g., XMRt) assist in dispersing funds across multiple chains (up 141%). This is a critical period for transferring funds toward final exit points.
Phase 3: Long-tail Integration (Days 20-45) — The final stage shows a clear tendency toward services capable of converting funds into fiat currency. Usage of non-KYC exchanges (up 82%) and escrow services (up 87%) increases significantly; instant exchanges (up 61%) and Chinese platforms like HuiWang (up 45%) become the final conversion points. Platforms in jurisdictions with weaker regulation (up 33%) also participate, completing the laundering network.
This average 45-day cycle provides valuable intelligence for law enforcement and compliance teams. North Korean hackers tend to follow this timeline, possibly reflecting their operational constraints in accessing financial infrastructure and coordinating with specific intermediaries. Although some stolen funds enter dormancy for months or years, this cyclical pattern during active laundering offers a crucial window for tracking.
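As an added example (not code from the article or from Chainalysis), the following Python sketch shows how a compliance or investigations team might score the outflows following a theft against the three-phase, 45-day profile and the sub-$500,000 "segmentation" feature described above. The phase windows and service categories come from the text; the theft date, counterparty categories and amounts in the sample are constructed and purely illustrative.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Phase windows (days after the theft) and the service categories the report
# associates with each phase. The gap between day 10 and day 20 is left
# unclassified, as in the text.
PHASES = [
    ("urgent_layering", 0, 5, {"defi", "mixer"}),
    ("initial_integration", 6, 10, {"low_kyc_exchange", "cex", "mixer", "bridge"}),
    ("long_tail_integration", 20, 45,
     {"non_kyc_exchange", "escrow", "instant_exchange", "otc_platform"}),
]
SEGMENTATION_USD = 500_000    # report: over 60% of DPRK transfers fall below this
SEGMENTATION_SHARE = 0.60


@dataclass(frozen=True)
class Transfer:
    day: date             # date the outflow was observed on-chain
    to_category: str      # counterparty service category (analyst-assigned label)
    usd: float            # value at time of transfer


def phase_for(theft_day: date, t: Transfer) -> str:
    """Map a transfer to a laundering phase by days elapsed since the theft."""
    offset = (t.day - theft_day).days
    for name, lo, hi, _ in PHASES:
        if lo <= offset <= hi:
            return name
    return "gap_or_dormant"


def segmentation_ratio(transfers, threshold=SEGMENTATION_USD) -> float:
    """Share of transfers whose value is below the segmentation threshold."""
    if not transfers:
        return 0.0
    return sum(1 for t in transfers if t.usd < threshold) / len(transfers)


def profile(theft_day: date, transfers):
    """Score a set of post-theft outflows against the 45-day DPRK profile."""
    by_phase = defaultdict(lambda: defaultdict(float))
    for t in transfers:
        by_phase[phase_for(theft_day, t)][t.to_category] += t.usd
    # Per phase: what share of volume went to the services expected in that phase?
    expected_share = {}
    for name, _, _, expected in PHASES:
        total = sum(by_phase[name].values())
        hit = sum(v for c, v in by_phase[name].items() if c in expected)
        expected_share[name] = hit / total if total else 0.0
    seg = segmentation_ratio(transfers)
    return {
        "by_phase": {p: dict(c) for p, c in by_phase.items()},
        "expected_share": expected_share,
        "segmentation_ratio": seg,
        "dprk_like_segmentation": seg > SEGMENTATION_SHARE,
        "phase_sequence_matches": all(s >= 0.5 for s in expected_share.values()),
    }


# Constructed sample: a hypothetical theft on 2025-03-01 followed by twelve
# outflows. Dates, categories and amounts are made up for illustration.
THEFT_DAY = date(2025, 3, 1)
SAMPLE = [
    Transfer(THEFT_DAY + timedelta(days=d), cat, usd) for d, cat, usd in [
        (0, "defi", 400_000), (1, "defi", 450_000), (2, "mixer", 300_000),
        (3, "cex", 500_000),                        # early CEX hop: not expected in phase 1
        (6, "bridge", 480_000), (7, "low_kyc_exchange", 200_000), (9, "mixer", 350_000),
        (15, "defi", 100_000),                      # falls in the unclassified gap
        (22, "non_kyc_exchange", 250_000), (30, "escrow", 600_000),
        (40, "instant_exchange", 150_000), (44, "otc_platform", 100_000),
    ]
]

if __name__ == "__main__":
    r = profile(THEFT_DAY, SAMPLE)
    print(r["expected_share"], r["segmentation_ratio"], r["phase_sequence_matches"])
```

On the sample, 10 of 12 transfers sit below $500,000 and every phase routes at least half its volume to the expected service types, so both flags fire; the thresholds are deliberately exposed as constants so a team can tune them against its own baseline.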
Personal wallet breaches: 158,000 thefts reveal ecosystem risks
In 2025, personal wallet thefts surged to 158,000 incidents, nearly tripling from 54,000 in 2022. The number of victims increased from 40,000 in 2022 to at least 80,000 in 2025. This large-scale attack wave targeting individual users is closely related to the widespread adoption of cryptocurrencies. For example, Solana, known for its active personal wallets, has about 26,500 victims.
However, somewhat reassuring is that despite the surge in incidents and victims, the total amount stolen from personal victims decreased from a peak of $1.5 billion in 2024 to $713 million in 2025. This indicates attackers are “casting a wider net” but “fishing smaller”—more targeted users, but with reduced losses per victim.
The risk distribution across blockchains is uneven. Based on theft rates per 100,000 active wallets, Ethereum and Tron have the highest rates, especially Tron, which, despite a smaller user base, shows an abnormally high theft rate. In contrast, platforms like Base and Solana, with large user bases, exhibit lower victimization rates. This variation suggests that, beyond technical architecture, factors such as user demographics, popular application ecosystems, and local criminal infrastructure influence theft risk.
DeFi funds flow back while security improves: 2025 shows a reversal
In 2025, DeFi security data reveals a striking divergence from historical trends.
Over the past four years, three distinct phases are observed: the expansion period (2020-2021), where total value locked (TVL) and hacker attack losses grew in tandem; the downturn period (2022-2023), where both metrics declined; and a new divergence phase (2024-2025)—TVL has rebounded significantly from 2023 lows, but losses from hacker attacks remain unexpectedly low.
Following Willie Sutton’s logic—“he steals from banks because that’s where the money is”—one might expect that rising DeFi TVL would lead to increased attack losses. Yet, the opposite is happening in 2024-2025—billions of dollars are flowing back into these protocols, while attack losses stay low.
This phenomenon can be explained by two factors: first, actual security improvements—despite rising TVL, attack rates continue to decline, indicating DeFi protocols are implementing more effective security measures than before; second, shift in attack targets—the simultaneous increase in personal wallet thefts and centralized service attacks suggests cybercriminals are shifting focus away from DeFi protocols toward easier targets.
Venus protocol’s successful self-defense: halting $13 million loss in 20 minutes
The September 2025 incident involving Venus Protocol vividly demonstrates how improved security defenses can turn the tide. Attackers gained system access via a compromised Zoom client, then tricked a user into granting authorization over an account holding $13 million. This could have been disastrous.
However, Venus had launched the Hexagate security monitoring platform a month earlier. The platform detected suspicious activity 18 hours before the attack and issued an alert during malicious transactions. Within just 20 minutes, Venus paused protocol operations, completely halting fund outflows.
The subsequent recovery was just as fast: security checks were completed and partial functionality restored within 5 hours; the attacker’s wallet was forcibly liquidated within 7 hours; and within 12 hours all stolen funds were recovered and services fully restored. Most critically, Venus used a governance vote to freeze the attacker’s remaining $3 million in assets, turning the attempted profit into a net loss for the attacker.
This case exemplifies a substantive evolution in DeFi security infrastructure. Combining proactive monitoring, rapid response, and effective governance makes the ecosystem more agile and resilient. Although attacks still occur, the ability to detect, respond, and even reverse attacks has fundamentally changed—from “successful attack often means permanent loss” to “attacks can be stopped or reversed in real time.”
Future threats and response cycles
The 2025 data paints a complex picture of North Korea as the top threat to the crypto industry. While attack frequency has decreased, each attack’s destructive power has increased significantly, indicating more sophisticated and patient tactics. The impact of the Bybit incident on the annual cycle suggests that when North Korea successfully executes major thefts, it reduces operational tempo and focuses on long-cycle fund laundering.
For the crypto industry, this evolution demands continuous vigilance over high-value targets and enhanced ability to identify North Korea’s specific money laundering patterns. Their persistent preferences for certain service types and transfer amounts provide opportunities for detection, enabling investigators to distinguish their on-chain activity from other criminals and track their operations.
The record growth in North Korea’s activity in 2025—achieving the highest theft amount despite a 74% reduction in known attacks—may only be the tip of the iceberg. The key challenge in 2026 is how to detect and prevent similar-scale attacks like Bybit before they happen again. Understanding their 45-day laundering cycle is crucial for law enforcement and security teams to gain a strategic advantage.