Kim's crypto thieving reached a record $2B in 2025

North Korea’s yearly cryptocurrency thefts have accelerated, with Kim’s state-backed cybercriminals plundering just over $2 billion worth of tokens in 2025. That’s according to research from blockchain biz Chainalysis, whose experts say that the figure represents a 51 percent increase year-on-year, and a huge proportion of the $3.4 billion that was stolen in total, globally.

“This marks the most severe year on record for DPRK crypto theft in terms of value stolen, with DPRK attacks also accounting for a record 76 percent of all service compromises,” the company’s report noted.

A major factor in the steep rise is North Korea’s February attack on Bybit, which netted around $1.5 billion worth of digital assets. Another is the state’s increased targeting of personal wallets, representing nearly half (44 percent) of the total value. In 2022, this accounted for just 7.3 percent of the country’s efforts.

North Korea was responsible for around 158,000 individual wallet attacks this year, affecting 80,000 unique individuals. Overall, Kim’s cronies cemented themselves as the dominant force in cryptocurrency thefts in 2025, taking the total value of their raids to an estimated $6.75 billion since researchers began tracking them.

North Korea was responsible for a record 76 percent of attacks on centralized services this year. It accomplished this feat through private key compromises and continued attempts to embed skilled individuals into cryptocurrency services companies. The country’s effort to infiltrate Western companies with fake IT workers is well known, but this year North Korea’s IT army has shifted from securing positions to posing as recruiters for crypto and other types of web3 businesses. In doing so, they have been able to run fake technical screenings, during which they gain access to and ultimately steal credentials and source code, and secure remote access into the networks where applicants currently work.

The report added: “At the executive level, a similar social-engineering playbook appears in the form of bogus outreach from purported strategic investors or acquirers, who use pitch meetings and pseudo–due diligence to probe for sensitive systems information and potential access paths into high‑value infrastructure – an evolution that builds directly on the DPRK’s IT worker fraud operations and their focus on strategically important AI and blockchain companies.”

Researchers’ observations suggest that the country’s new focus on personal wallets and centralized services is replacing previous raids on decentralized finance (DeFi) protocols. Chainalysis noted that activity in 2024 and 2025 started to diverge from this trend: total value locked (TVL) grew during this period, but attacks targeting protocols fell, suggesting that DeFi security standards are improving and discouraging attackers.

Chainalysis said: “The country’s record-breaking 2025 performance – achieved with 74 percent fewer known attacks – suggests we may be seeing only the most visible portion of its activities. The challenge for 2026 will be detecting and preventing these high-impact operations before DPRK-affiliated actors inflict another Bybit-scale incident.”

To read the complete article see: The Register

This post is licensed under CC BY 4.0 by the author.