
North Korea has significantly refined its cryptocurrency hacking operations, shifting towards fewer but far more profitable attacks that increasingly target high-value platforms.
A preview of Chainalysis’ upcoming Crypto Crime 2026 report reveals that Pyongyang-linked hackers stole a record $2.02 billion in digital assets during 2025.
The annual total represents a 51 percent increase compared with the previous year, highlighting the regime’s deepening reliance on cybercrime to fund state priorities.
Analysts said the latest surge brings the cumulative value of cryptocurrency stolen by North Korean actors to approximately $6.75 billion since tracking began.
Despite a notable decline in the overall number of confirmed attacks, the total value of losses rose sharply due to several exceptionally large breaches.
“The year’s data highlight a shift toward fewer but larger thefts — with the biggest three hacks alone accounting for a majority of all service losses,” Chainalysis said.
North Korean groups were responsible for nearly three-quarters of major cryptocurrency service compromises recorded globally in 2025.
The report notes that attackers pivoted away from loosely secured decentralised finance protocols and refocused on centralised exchanges and core infrastructure.
One of the most significant incidents was a $1.5 billion exchange breach in February, ranking among the largest single crypto thefts of the year.
Chainalysis identified distinctive laundering strategies employed by Pyongyang’s cyber units following major thefts.
Rather than moving funds in large batches, hackers frequently disperse stolen assets across numerous smaller transactions.
More than 60 percent of North Korea-linked transaction volumes involved transfers below $500,000, according to on-chain data.
This behaviour contrasts sharply with patterns observed among other illicit crypto actors, analysts said.
“North Korean actors exhibit distinctive laundering preferences that differ materially from other threat groups — a behavioural footprint that compliance and detection systems can use to help identify suspicious flows,” Chainalysis stated.
Beyond technical exploits, the hackers increasingly combine social engineering tactics with sophisticated cyber intrusions.
In several cases, operatives impersonated recruiters or business partners to gain privileged access to internal systems.
Chainalysis warned that such blended methods make detection more challenging for exchanges and regulators.
The firm urged the crypto industry to adopt advanced, pattern-based surveillance tools rather than relying solely on transaction size or volume.
“Detection efforts should prioritise not only known signatures but also evolving operational behaviour and laundering patterns unique to state-linked actors,” the report said.
Analysts cautioned that without adaptive defences, high-impact cyber breaches linked to state-sponsored groups are likely to persist globally.