North Korean hackers set a record in 2025 by stealing $2 billion in cryptocurrency; 45-day money laundering scheme exposed

The latest report from blockchain analysis firm Chainalysis finds that North Korea-linked hackers stole at least $2 billion in cryptocurrency in 2025, a record high and a 51% increase year-over-year, bringing the cumulative known total attributed to them to $6.75 billion. The attack pattern is "fewer but larger": despite fewer incidents, each attack is massive, and 76% of the value stolen from services (exchanges, custodians and similar platforms) is attributed to them. The roughly $1.4 billion Bybit breach in February 2025 is the main driver of the year's total.

The report also maps out the laundering path North Korean hackers use: Chinese-language OTC brokers and service providers plus mixers, following a typical 45-day laundering cycle. The crypto industry is facing a state-backed, highly organized and well-funded adversary, which poses an unprecedented challenge to the security and compliance cooperation of global exchanges and protocols.

Record-breaking theft scale: from “broad net” to “precise hunting”

In 2025 the cryptocurrency theft landscape reached a disturbing turning point: total global thefts surged to $3.4 billion, with roughly 60% attributed to a single actor, North Korea-related hacking groups. According to Chainalysis, these hackers stole at least $2.02 billion in 2025, a 51% increase over 2024 and nearly 6.7 times the 2020 level. More critically, this record was set while the number of known incidents fell significantly, which points to a tactical shift from many smaller intrusions to fewer, surgical strikes on high-value targets.

This "fewer but larger" pattern shows clearly in the data. The report states that North Korean hackers were responsible for 76% of the value stolen from services in 2025, the highest share ever. "Services" here means centralized exchanges (CEXs), custodians and other platforms holding large amounts of user assets, as opposed to individual wallets. The defining incident is the roughly $1.4 billion theft from Bybit in February 2025, which on its own accounts for the majority of North Korea's total for the year. Andrew Fierman, head of national security intelligence at Chainalysis, commented: "This evolution is a continuation of a long-term trend. North Korean hackers have demonstrated high complexity over time, and their actions in 2025 highlight ongoing evolution in tactics and preferred targets." The attackers are pursuing the best risk-reward ratio: concentrating resources on single targets whose compromise delivers a disruptive payoff.

This shift poses a structural threat to the crypto ecosystem. When attackers target core, systemically important service platforms, their success not only causes huge financial losses but also severely undermines market confidence, triggering chain reactions of trust crises and regulatory scrutiny. Unlike small-scale thefts from individual wallets, such attacks threaten the very infrastructure of the industry.

Engineering money laundering: revealing the 45-day fund “cleaning” pipeline

Stealing is only the first step; how to launder “dirty money” and ultimately cash out is the key to the hackers’ operational cycle. Another core contribution of the Chainalysis report is a clear outline of North Korean hacking groups’ highly professionalized and engineered money laundering model, which differs significantly from ordinary cybercrime groups’ laundering behaviors.

First, their fund-movement strategy shows deliberate structuring. They split large stolen sums into batches under $50,000 for on-chain transfers; more than 60% of their transfers fall under this threshold. Non-state hackers, by contrast, tend to move funds in transfers of hundreds of thousands or millions of dollars. This "divide and conquer" approach raises the complexity and cost of on-chain tracing and indicates increasingly mature operational security (OPSEC). The caveat for investigators is that structuring below a fixed threshold is itself a signal: once a cluster of addresses has been attributed, a high proportion of sub-threshold outflows distinguishes it from ordinary criminal flows.

Second, their choice of services reveals geopolitical dependencies and specific constraints. North Korean hackers lean heavily on Chinese-language escrow services, brokers and OTC networks, and on cross-chain bridges and mixers (such as Tornado Cash) to obscure fund flows. Notably, they make comparatively little use of DeFi lending protocols and decentralized exchanges (DEXs), which other criminal actors use routinely. Chainalysis suggests these patterns mean North Korean actors operate under different constraints and are tied to specific illicit service networks in the Asia-Pacific region, plausibly a result of their long isolation from the mainstream global financial system.

North Korean hackers’ 45-day money laundering standard process

Stage 1: Rapid Obfuscation (Days 0-5)

  • Main goal: Immediately sever the direct link between the stolen funds and the source addresses.
  • Main tools: Mixers; DeFi protocols used for quick asset conversion (for example swapping stolen tokens into ETH).
  • Purpose: Create the first tracing barriers and buy time for the later stages.

Stage 2: Integration and Diffusion (Days 6-20)

  • Main goal: Move funds into the broader ecosystem and prepare the exit.
  • Main tools: Centralized exchanges with weak KYC, cross-chain bridges, secondary mixing services.
  • Purpose: Hop across chains, assets and platforms to further obscure the path while edging toward potential exit channels.

Stage 3: Final Cash-out (Days 21-45)

  • Main goal: Convert crypto assets into fiat or other hard-to-trace value.
  • Main tools: No-KYC exchanges, instant-exchange platforms, Chinese OTC desks, and deposits into mainstream CEXs where the funds are commingled with legitimate trading flow.
  • Purpose: Complete the laundering cycle and realize the proceeds of the theft.
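The structuring heuristic and the three-stage timeline above translate directly into post-incident triage logic. The following is an added example written for this page, not code from Chainalysis or from the report; it runs over a constructed set of transfer records (addresses, entity labels, amounts and dates are all invented) and applies three checks: the share of outflows below the $50,000 threshold, bucketing each hop into the 0-5 / 6-20 / 21-45 day stages, and flagging hops that land on a centralized exchange or in a stablecoin, which are the points where an exchange or issuer freeze is actually possible. The thresholds, stage boundaries and entity labels are assumptions taken from the text, not an official taxonomy.

```python
"""Added example: toy laundering-triage over constructed transfer records.

Heuristics applied (thresholds taken from the article, not a standard):
  1. structuring: share of outflows below STRUCTURING_THRESHOLD_USD
     (the report cites $50,000 and >60% of DPRK transfers under it);
  2. stage bucketing by days elapsed since the theft (0-5, 6-20, 21-45);
  3. intercept points: hops into a centralized exchange or into a
     stablecoin, where a freeze request has a realistic chance.
Every address, label, amount and timestamp below is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

STRUCTURING_THRESHOLD_USD = 50_000
STRUCTURING_RATIO = 0.60          # "more than 60% of transfers" in the text
STAGES = (                         # (name, first_day, last_day) inclusive
    ("rapid_obfuscation", 0, 5),
    ("integration", 6, 20),
    ("cash_out", 21, 45),
)
FREEZABLE_ASSETS = {"USDT", "USDC"}   # issuer-freezable stablecoins (assumed set)
FREEZABLE_DST_TYPES = {"cex"}         # custodial venues that can freeze deposits


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    src: str
    dst: str
    asset: str
    usd: float
    dst_type: str   # assumed labels: mixer, defi, bridge, cex, otc, unknown


def stage_for_day(day: int) -> str:
    """Map days-since-theft onto the article's three stages."""
    for name, lo, hi in STAGES:
        if lo <= day <= hi:
            return name
    return "outside_window"


def stage_of(theft_ts: datetime, t: Transfer) -> str:
    return stage_for_day((t.ts - theft_ts).days)


def structuring_ratio(transfers) -> float:
    """Fraction of outflows below the structuring threshold."""
    if not transfers:
        return 0.0
    small = sum(1 for t in transfers if t.usd < STRUCTURING_THRESHOLD_USD)
    return small / len(transfers)


def is_structured(transfers) -> bool:
    return structuring_ratio(transfers) > STRUCTURING_RATIO


def intercept_points(transfers):
    """Hops where an exchange or stablecoin issuer could freeze the funds."""
    return [t for t in transfers
            if t.asset in FREEZABLE_ASSETS or t.dst_type in FREEZABLE_DST_TYPES]


def triage(theft_ts: datetime, transfers) -> dict:
    """Summarize a cluster's outflows for an analyst or a freeze request."""
    return {
        "structuring_ratio": round(structuring_ratio(transfers), 2),
        "structured": is_structured(transfers),
        "by_stage": dict(Counter(stage_of(theft_ts, t) for t in transfers)),
        "venues": dict(Counter(t.dst_type for t in transfers)),
        "intercepts": [(t.ts.date().isoformat(), t.dst, t.asset, t.usd)
                       for t in intercept_points(transfers)],
    }


# Constructed incident: a hot wallet drained on 2025-01-01, then laundered.
THEFT_TS = datetime(2025, 1, 1)
HOT = "0xVICTIM_HOT"
d = lambda n: THEFT_TS + timedelta(days=n)
SAMPLE = [
    Transfer(d(0),  HOT,      "0xMIX1",  "ETH",  120_000, "mixer"),
    Transfer(d(1),  "0xMIX1", "0xSWAP",  "ETH",   45_000, "defi"),
    Transfer(d(3),  "0xSWAP", "0xMIX2",  "ETH",   40_000, "mixer"),
    Transfer(d(8),  "0xMIX2", "0xBRDG",  "ETH",   30_000, "bridge"),
    Transfer(d(12), "0xBRDG", "0xCEX_A", "USDT",  25_000, "cex"),
    Transfer(d(18), "0xBRDG", "0xBRDG2", "BTC",   48_000, "bridge"),
    Transfer(d(25), "0xBRDG2", "0xOTC1", "USDT",  20_000, "otc"),
    Transfer(d(40), "0xOTC1", "0xCEX_B", "BTC",   15_000, "cex"),
    Transfer(d(50), "0xOTC1", "0xUNK",   "BTC",    5_000, "unknown"),
]

if __name__ == "__main__":
    for k, v in triage(THEFT_TS, SAMPLE).items():
        print(f"{k}: {v}")
```

On the constructed sample the cluster is flagged as structured (8 of 9 hops under $50,000), the hops fall 3/3/2 into the three stages with one straggler outside the 45-day window, and three hops (two stablecoin transfers and two CEX deposits, one of which is both) are reported as intercept points. In a real investigation the transfer list would come from an attributed address cluster, and the interesting output is the intercept list, because that is what an exchange or issuer can act on before stage 3 completes.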

Tactical revolution: AI empowerment and “internal infiltration” as new weapons

Thefts and laundering at this scale cannot be fully explained by traditional techniques alone. The Chainalysis report and other industry reporting indicate that North Korean hackers are changing tactics in two ways that give them an asymmetric advantage.

First is the use of artificial intelligence (AI). Andrew Fierman told the media that North Korea is using AI as its "superpower" in hacking operations, especially in laundering. He said: "North Korea promotes the cleaning of stolen crypto funds with consistency and fluidity, which suggests the use of AI. The structural mechanisms and operational scale of laundering create workflows that combine mixers, DeFi protocols, and cross-chain bridges… To efficiently steal such large amounts of crypto, North Korea needs a vast laundering network and streamlined mechanisms to facilitate cleaning, which could be in the form of AI applications." Plausible uses include automatically generating and rotating wallet addresses, choosing transaction paths that evade detection models, and mimicking normal user behaviour to blend into exchange traffic, all of which make countermeasures harder; note that the report infers AI use from the consistency of the workflows rather than from direct evidence.

Second is an unprecedented “personnel infiltration” attack vector. The report states that North Korean hackers are inserting operatives into technical roles at crypto companies (such as exchanges, custodians, Web3 firms) to gain privileged access. In July this year, well-known on-chain investigator ZachXBT revealed that personnel linked to North Korea may have infiltrated 345 to 920 positions across the global crypto industry. This “Trojan horse” style attack can internally undermine the most robust external security defenses, opening backdoors for large-scale fund transfers. Additionally, hackers impersonate employers or industry contacts, using forged video conferences for spear-phishing, which has already stolen over $300 million this year. The combination of these tactics means defenders face not only code vulnerabilities but also human and trust weaknesses.

Outlook for 2026: the ultimate challenge of industry collaboration

Facing an adversary with state resources, continuous evolution and little regard for consequences, the crypto industry will face its hardest security test yet in 2026. Chainalysis issues a clear warning: as North Korea increasingly relies on crypto theft to fund national priorities and evade international sanctions, the industry must recognize that this threat actor's incentives and constraints differ fundamentally from those of ordinary cybercriminals.

Attack vectors are likely to become more diverse. Large centralized exchanges such as Bybit and Upbit remain high-value targets, and long-standing DeFi protocols (the report mentions Balancer and Yearn) may also come into focus. Fierman emphasized: "Although we cannot predict exactly what will happen in 2026, we know North Korea will seek to maximize its target returns—meaning service providers with substantial reserves must maintain high security standards to avoid becoming the next vulnerability."

Isolated efforts by individual organizations are not enough. The report calls for a rapid, industry-wide coordinated response mechanism. Fierman commented: "North Korea executes rapid and effective money laundering strategies. Therefore, a quick, cross-sector response is needed. Law enforcement and private sectors, from exchanges to blockchain analysis firms, must coordinate effectively, intercepting any opportunities when funds pass through stablecoins or reach exchanges where funds can be frozen immediately." In practice this means real-time threat intelligence sharing, cross-platform blocklisting of suspicious addresses, and closer cooperation with law enforcement worldwide, with the 45-day window above setting the deadline.

For ordinary investors the report is a clear risk reminder: the systemic risk of holding large balances on centralized services, even top-tier platforms, is rising. Self-custody with hardware wallets, spreading assets across venues, and treating unverified communications with suspicion are becoming essential habits. In 2026 the contest between the crypto industry and state-level hackers will only intensify.
