A new Chainalysis report details how a handful of large-scale incidents and evolving laundering methods defined crypto crime trends in 2025.
North Korea-linked hackers stole at least $2.02bn in cryptocurrency in 2025, according to new analysis from blockchain intelligence firm Chainalysis, marking a 51% year-on-year increase and pushing the group’s estimated all-time total to $6.75bn.
The findings form part of Chainalysis’ latest research into crypto theft patterns in 2025, a year it says saw more than $3.4bn stolen across the ecosystem. Chainalysis attributed much of that total to a small number of major breaches, led by the February compromise of crypto exchange Bybit, which it said accounted for $1.5bn of losses.
While the overall theft figure is large, Chainalysis’ analysis focuses on how concentrated the losses have become. The firm said the gap between the largest theft and the “typical” incident widened sharply in 2025, with the ratio between the biggest hack and the median incident exceeding 1,000 times for the first time in its dataset.
It also said the top three hacks accounted for 69% of service losses in 2025, underlining the extent to which a handful of events shaped the annual total.

‘Fewer incidents, larger thefts’
Chainalysis said the Democratic People’s Republic of Korea (DPRK) remained the dominant nation-state threat actor in crypto theft, despite what it described as a reduction in confirmed incidents.
In its assessment, the group’s 2025 performance reflected a shift towards fewer, higher-impact compromises, including tactics such as embedding IT workers inside crypto services and impersonating recruiters or investors to gain access to systems or credentials.
The Bybit breach has also been linked to North Korea by US authorities. In February 2025, Reuters reported that the FBI attributed the theft to North Korean cyber actors, stating that stolen assets were being converted and dispersed across multiple blockchain addresses.
Laundering routes and timelines
Chainalysis said its review of on-chain activity following DPRK-attributed thefts points to a structured laundering pattern, typically unfolding over roughly 45 days. It described an initial phase dominated by “layering” activity, followed by a transition period involving exchanges and cross-chain bridges, before a longer “integration” phase where flows move through a wider set of services.
The firm also highlighted what it characterised as DPRK preferences for Chinese-language money laundering networks and “guarantee” services, alongside bridge and mixing services. By contrast, it said other stolen-funds actors tended to interact more heavily with decentralised exchanges and peer-to-peer venues.
Beyond state-linked thefts, Chainalysis reported a surge in personal wallet compromises in 2025, estimating 158,000 incidents affecting at least 80,000 unique victims. However, it said the total value stolen from individuals fell to $713m, down from the prior year, suggesting a greater volume of lower-value thefts.
DeFi divergence
Chainalysis also pointed to a divergence in decentralised finance, noting that while DeFi total value locked recovered across 2024–2025, losses from DeFi hacks did not rise in parallel.
As an example of faster detection and response, Chainalysis referenced a September 2025 incident involving Venus Protocol, where it said monitoring tooling identified suspicious activity and the protocol was paused, limiting losses.