Grafa logo

North Korea linked to majority of 2025 crypto theft losses

Written by John DowPublished Dec. 24 2025Last Updated Dec. 24 2025

North Korea-linked hacking groups were responsible for more than half of the $2.7 billion stolen in cryptocurrency hacks during 2025, according to a new report from blockchain intelligence firm TRM Labs.

TRM Labs said the attackers increasingly targeted the operational infrastructure of major crypto exchanges rather than exploiting smart contract vulnerabilities.

The report highlighted a strategic shift towards hot wallet breaches, private key theft, multi-signature signer compromises and third-party system takeovers.

TRM noted that these infrastructure attacks often create single points of failure capable of generating losses in the hundreds of millions of dollars.

Researchers said the approach represents a move upstream from decentralised finance bridges to centralised exchanges and custodial platforms.

Several high-profile hacks between 2023 and 2025, including attacks on:

Atomic Wallet,
CoinsPaid,
Alphapo,
Stake.com and
CoinEx, were attributed to North Korean actors.

TRM said these targets were chosen due to their greater susceptibility to social engineering and traditional web-based supply chain attacks.

In earlier years, North Korean hackers focused on cross-chain bridges such as Ronin and Horizon by compromising validator key holders.

By 2023, the campaign expanded to service providers and developers linked to major trading platforms.

Initial access was often obtained through fake recruiters, stolen LinkedIn credentials or malicious coding tests containing malware.

TRM observed similar access patterns in the Bybit and DMM Bitcoin breaches, reinforcing concerns over compromised developer environments.

The firm described this exposure as a “code to custody” risk, where developer access can lead directly to exchange withdrawal systems.

The report said laundering methods have also evolved significantly in response to global sanctions.

After actions against mixers such as Tornado Cash and Sinbad, laundering activity fragmented across multiple chains and platforms.

Funds were routed through bridges, gambling services and rebranded tools before moving off-chain.

TRM identified a network of Chinese over-the-counter brokers facilitating final cash-outs

Stablecoins were frequently used as intermediaries before settlement in yuan, goods or payments to front companies.

TRM concluded that exchanges must integrate cyber security and anti-money-laundering systems to counter these threats.

At the time of reporting, TRON price was $0.2822.