
- Three huge hacks drive 69% of 2025 losses as North Korea targets major platforms.
- Bybit breach alone hits $1.5B, pushing theft totals to the highest level ever recorded.
- Laundering cycles and insider tactics reveal a more organized North Korean operation.
North Korea closed out 2025 with a haul that unsettled even seasoned investigators. Chainalysis’s early look at its 2026 crime report places the country’s crypto theft total at $2.02 billion for the year, lifting its cumulative figure to about $6.75 billion. The increase from 2024 is striking, roughly 51%, yet the real story lies in how differently these operations unfolded and where the damage was concentrated.
Massive Hauls Driven by Fewer but Higher-Impact Attacks
According to the report, the number of incidents did not surge. In fact, activity was thinner than usual. But one breach, Bybit’s, pulled in around $1.5 billion, which alone tilted the entire year’s outcome. The scale of that single hit illustrates how North Korea relied on a narrow set of large targets rather than spreading attacks broadly across the market.
DPRK Hack Activity 2016-2025 (Source: X)
Chainalysis points out that the three biggest hacks of 2025 represented 69% of all centralized service losses. That level of concentration hasn’t appeared before in such a sharp form. The size gap widened as well: the largest attack crossed a 1,000x spread relative to the median incident, a threshold never previously breached.
Growing Extremity of Crypto Hacks (Source: Chainalysis)
Even the frothiest periods of 2021 didn’t produce a skew this severe. The pattern suggests a shift toward deeper reconnaissance and slower, more surgical execution. Whether deliberate strategy or simply the luck of a few well-timed infiltrations, the outcome was the same: one or two events capable of reshaping industry-wide figures almost overnight.
Distinct Laundering Patterns Reveal a Highly Coordinated Machine
Chainalysis’s preview also highlights how predictable certain laundering behaviors have become. Per the report, North Korea continued to rely heavily on Chinese-language laundering outfits, bridge services, and a recurring 45-day cycle between theft and movement. These rhythms, while subtle, echo past cases tied to state-backed operators.
North Korea (DPRK)’s Distinctive Laundering Patterns (Source: X)
Many investigations once again point back to the Lazarus Group. Their presence has lingered behind several major breaches over the past decade, including the Ronin Network incident in 2022. But 2025 showed how their tradecraft has widened.
Technical flaws still matter, though compromises involving internal accounts and impersonation attempts now sit just as prominently. In a few cases, attackers appeared to have slipped in through workers who were legitimately hired, only revealing themselves once they’d gained the access they needed.
This blending of technical and human entry points helps explain why the year’s largest hacks were so disruptive. Once the right door opened, the volume of assets accessible inside a single platform magnified the fallout.
Personal Wallet Attacks Surge but Yield Lower Total Losses
While these major breaches absorbed most attention, the report notes a separate rise in personal wallet compromises. Roughly 158,000 incidents affected about 80,000 individual victims. Yet the total taken from these wallets fell sharply to $713 million, down from $1.5 billion the previous year.
The contradiction, more incidents but lower total losses, hints at better wallet defenses and smaller average balances. Individual users remain exposed, but the damage per case has moderated. Institutional environments, by contrast, continue to hold deep pools of liquidity, which keep them attractive to attackers who can reach privileged systems.
Hack losses across DeFi protocols remained muted for a second year despite rising total value locked. Slower rollouts and tighter reviews appear to have helped, though the report avoids declaring any long-term shift.
Rising Economic and Regulatory Impact Heading Into 2026
However, the economic effects did not end with the hacks themselves. The exchange that lost $1.5 billion in Ethereum early in 2025 faced immediate market pressure and a difficult recovery. Confidence dipped across several platforms for days, not because users expected a cascade but because the breach revived long-standing questions about custody practices.
North Korea’s repeated presence in these cases is likely to remain a focal point as regulators move through 2026. Chainalysis notes that understanding how these operations form and the timing patterns that follow will matter more than ever as the industry expands.
