**Crypto Theft in 2025: North Korean Hackers Continue to Dominate**

When it comes to cryptocurrency-related targets, North Korean hacking groups have been making their mark, with a new report from Chainalysis revealing that they are increasingly aiming for large services where a single breach can move serious money. The report highlights the growing threat of crypto theft in 2025, with North Korean hackers stealing an astonishing $2.02 billion in cryptocurrency, representing a staggering 51% year-over-year increase.

This brings their all-time total to a whopping $6.75 billion, despite fewer attacks. For years, North Korean hacking groups have been using tactics such as placing IT workers inside target companies under fake identities, earning salaries that flowed back to the regime and gathering internal knowledge. However, there has been a notable shift in this approach.

Instead of trying to get hired, North Korean hackers are increasingly attempting to trick employees who already work at or lead valuable companies. They pose as recruiters for well-known web3 or AI firms and reach out to engineers and developers with job offers. The targets are guided through a fake hiring process that feels real enough to pass a quick gut check, often ending with a technical interview.

During this stage, the victims are asked to run code or specific tools, or to open documents, which compromises their machines and allows the hackers to grab credentials and source code, or to access the corporate VPNs and systems of their current employers. Another tactic aims higher up the org chart: executives are contacted by people claiming to be investors or potential buyers.

These conversations can stretch over weeks and include pitch meetings and fake due diligence. The attackers ask detailed questions about systems, security practices, and internal workflows. Piece by piece, they learn how high-value infrastructure is set up and where access might be weakest. This change builds directly on earlier IT worker fraud schemes but focuses on strategically important AI and blockchain companies.

North Korean hackers often move quickly to launder the stolen crypto funds through various means, including DeFi protocols, mixing services, exchanges with limited "know your customer" processes, centralized exchanges, cross-chain bridges, no-KYC exchanges, guarantee services, instant exchanges, Chinese-language platforms/payment processors, and money laundering networks.

According to Chainalysis, attackers have also ramped up compromises and theft from individuals' crypto wallets. Total theft incidents surged to 158,000 in 2025, nearly triple the 54,000 recorded in 2022. Unique victims increased from 40,000 in 2022 to at least 80,000 in 2025. These dramatic increases are likely due to greater crypto adoption.

For example, Solana, one of the blockchains with the greatest number of active personal wallets, had by far the largest number of incidents (~26,500 victims). To put individual wallet losses in context, Chainalysis looked at how often users are being hit across different blockchains and found that Ethereum and Tron stand out in 2025. Base and Solana have more sizable user communities but those users are less likely to be victimized.

However, despite more incidents and victims, "the total USD value stolen from individual victims actually declined from 2024's peak of $1.5 billion to $713 million in 2025," Chainalysis pointed out. "This suggests that attackers are targeting more users but stealing smaller amounts per victim."

As the crypto landscape continues to evolve, it is essential for individuals and companies to stay vigilant against these threats. By understanding the tactics employed by North Korean hackers, organizations can better protect themselves against these sophisticated attacks.
