Of the $3.4 billion in crypto stolen from January to December, Chainalysis attributed at least $2.02 billion to North Korean hackers.
# Analysis Summary
# Threat Actor: North Korean State-Sponsored Hackers (DPRK)
## Attribution & Identity
**Attribution:** North Korea (DPRK).
**Known Aliases and Associated Groups:** None named explicitly; the activity is implicitly tied to the DPRK state intelligence apparatus, which also runs the **parallel IT worker campaign**.
## Activity Summary
In 2025 (January to December), North Korean hackers stole an estimated **$2.02 billion** of the $3.4 billion taken from the cryptocurrency industry, accounting for 76% of all crypto service compromises by value stolen. This is an increase of $681 million over their estimated 2024 thefts. The year was characterized by a smaller number of highly lucrative attacks on centralized services, aimed at large private key compromises.
**Specific Incidents Mentioned:**
* Theft of **$1.5 billion** from Dubai-based platform Bybit in February 2025.
* Theft of **$30 million** from crypto platform Upbit, which South Korean officials attributed to North Korea two weeks before the report's publication.
Since Chainalysis began tracking figures in 2022, North Korea has stolen a cumulative total of **$6.75 billion** in crypto assets.
## Tactics, Techniques & Procedures
* **Social Engineering:** Primary attack vector, often involving posing as IT workers or recruiters to build trust and gain system access.
* **Insider Threat/Employment Ploy:** Utilizing the **parallel IT worker campaign** to place DPRK nationals surreptitiously within Western tech companies, crypto exchanges, custodians, and Web3 firms to steal information or implant backdoors for lateral movement.
* **Private Key Compromise:** Successfully targeting centralized services to steal private keys, granting full control over digital assets.
* **Supply Chain Exploitation:** Exploiting security weaknesses at third-party vendors (e.g., as noted in the Bybit hack).
* **Laundering Methodology (DPRK Specific):** Laundering funds in smaller chunks (typically **$500,000**) compared to the usual cybercriminal range ($1M–$10M).
* **Laundering Infrastructure:** Utilizing mixers, DeFi protocols, blockchain bridges, and **no-KYC exchanges**.
* **Illicit Network Integration:** Heavy reliance on **underground informal Chinese money laundering networks** and use of Chinese-language platforms with weak compliance controls (e.g., Cambodian site Huione).
## Targeting
* **Sectors:** Cryptocurrency industry, specifically centralized crypto exchanges, custodians, and web3 firms.
* **Geography:** Attacks targeted global platforms; specific targets mentioned include Dubai-based Bybit and South Korean platform Upbit.
* **Victims:** Centralized services with significant cryptocurrency reserves.
## Tools & Infrastructure
* **Laundering Services:** Mixers, DeFi protocols, bridges, no-KYC exchanges.
* **Illicit Financial Networks:** Underground informal Chinese money laundering networks and Chinese-language platforms (e.g., Huione, which was recently sanctioned by U.S. officials).
* **Infiltration Vector:** Posing as IT workers, recruiters.
## Implications
North Korean crypto theft in 2025 marks the most severe year on record, accounting for a significant majority (76% by value) of compromises against crypto services. This activity is a key revenue strategy for Pyongyang to circumvent its exclusion from the global financial system, and it demonstrates sophisticated operational security and integration with illicit trans-regional financial networks in the Asia-Pacific region.
## Mitigations
* **Supply Chain Vetting:** Enhanced security scrutiny and auditing of third-party vendors utilized by critical crypto infrastructure.
* **Insider Threat Mitigation:** Robust background checks and monitoring for personnel in sensitive IT and system administration roles, specifically recognizing the parallel IT worker campaign tactic.
* **Access Control:** Strict control over private keys and secrets on centralized platforms.
* **Transaction Monitoring:** Increased monitoring for funds moved in repeated smaller chunks (around $500,000), particularly when they flow toward platforms with weak compliance controls or known Chinese-language OTC services.
* **Vendor Due Diligence:** Increased scrutiny and risk assessment of compliance controls for associated financial service partners (e.g., exchanges, OTC desks) used for liquidity management.
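As an added illustration (not from the Chainalysis report), the following constructed transaction-monitoring rule implements the $500,000-chunk heuristic from the mitigations above: it flags a source address that sends several transfers near that size to high-risk counterparties (mixers, bridges, no-KYC exchanges) inside one time window. The risk tags, size tolerance, window, and sample transfers are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed counterparty risk tags; in practice these come from a
# blockchain-analytics feed or an internal watchlist.
HIGH_RISK_TAGS = {"mixer", "bridge", "no_kyc_exchange", "chinese_otc"}


@dataclass
class Transfer:
    ts: datetime
    src: str
    dst: str
    usd: float
    dst_tag: str  # risk tag of the destination, "" if untagged


def flag_structured_outflows(transfers, target=500_000, tolerance=0.15,
                             window=timedelta(hours=24), min_count=3):
    """Return {src: [Transfer, ...]} for each source that sent at least
    min_count transfers, each within +/-tolerance of target, to high-risk
    counterparties inside a single sliding window of the given length."""
    candidates = defaultdict(list)
    for t in transfers:
        if t.dst_tag in HIGH_RISK_TAGS and abs(t.usd - target) <= tolerance * target:
            candidates[t.src].append(t)
    alerts = {}
    for src, ts in candidates.items():
        ts.sort(key=lambda t: t.ts)
        start = 0
        for end in range(len(ts)):          # slide the window over sorted times
            while ts[end].ts - ts[start].ts > window:
                start += 1
            run = ts[start:end + 1]
            if len(run) >= min_count and len(run) > len(alerts.get(src, [])):
                alerts[src] = run           # keep the longest qualifying run
    return alerts


# Constructed sample: src_A chunks ~$500k to mixers/bridges within hours (alert);
# src_B moves one large sum (wrong size); src_C pays a tagged-clean exchange;
# src_D sends $500k chunks but days apart (outside the window).
_T0 = datetime(2025, 3, 1)
SAMPLE = [
    Transfer(_T0, "src_A", "mixer_1", 498_000, "mixer"),
    Transfer(_T0 + timedelta(hours=1), "src_A", "bridge_1", 505_000, "bridge"),
    Transfer(_T0 + timedelta(hours=2), "src_A", "mixer_2", 490_000, "mixer"),
    Transfer(_T0 + timedelta(hours=5), "src_A", "nokyc_1", 512_000, "no_kyc_exchange"),
    Transfer(_T0, "src_B", "nokyc_1", 2_500_000, "no_kyc_exchange"),
    Transfer(_T0, "src_C", "exch_1", 500_000, ""),
    Transfer(_T0 + timedelta(hours=1), "src_C", "exch_1", 500_000, ""),
    Transfer(_T0, "src_D", "mixer_1", 500_000, "mixer"),
    Transfer(_T0 + timedelta(days=2), "src_D", "mixer_1", 500_000, "mixer"),
    Transfer(_T0 + timedelta(days=4), "src_D", "mixer_1", 500_000, "mixer"),
]

if __name__ == "__main__":
    for src, run in flag_structured_outflows(SAMPLE).items():
        print(f"ALERT {src}: {len(run)} transfers, ${sum(t.usd for t in run):,.0f} total")
```

The thresholds are deliberately conservative starting points; a real deployment would tune the size band and window against the service's own outflow baseline.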