The global cryptocurrency ecosystem faced another challenging year in 2025, with stolen funds continuing their upward trajectory.
According to Chainalysis’ latest Crypto Crime Report, the industry witnessed over $3.4 billion in theft from January through early December 2025, with the February compromise of Bybit alone accounting for $1.5 billion of that total.
Four key developments define 2025 crypto theft patterns
The report reveals a shift in crypto theft patterns, characterized by four key developments: the persistence of the Democratic People’s Republic of Korea (DPRK) as a primary threat actor, the growing severity of individual attacks on centralized services, a surge in personal wallet compromises and an unexpected divergence in decentralized finance (DeFi) hack trends.
These patterns emerge clearly from the data and reveal significant changes in how crypto theft is occurring across different platform types and victim categories. As digital asset adoption expands and valuations reach new heights, understanding these evolving security threats has become increasingly critical.
Personal wallet compromises grow substantially
Beyond the headline figure, the data reveal important shifts in the composition of these thefts. Personal wallet compromises have grown substantially, increasing from just 7.3 percent of total stolen value in 2022 to 44 percent in 2024. In 2025, the share would have been 37 percent if it weren’t for the outsized impact of the Bybit attack.
Meanwhile, centralized services are experiencing increasingly large losses due to private key compromises. Despite their institutional resources and professional security teams, these platforms remain vulnerable because of this fundamental security challenge. While such compromises are infrequent, their scale still drives enormous shares of stolen volumes when they do occur, accounting for 88 percent of losses in Q1 2025.
Top three hacks account for 69 percent of losses
Stolen fund activity has always been outlier-driven, with most hacks relatively small and some immense. But 2025 reveals a striking escalation: the ratio between the largest hack and the median of all incidents has crossed the 1,000x threshold for the first time.
Funds stolen in the largest attacks are now 1,000 times larger than those stolen in the typical incident, surpassing even the 2021 bull market peak. These calculations are based on the USD values of funds stolen at the time of their theft.
This growing discrepancy has concentrated losses dramatically. The top three hacks in 2025 account for 69 percent of all service losses, creating a landscape where individual incidents have an outsized impact on yearly totals. While the number of incidents may fluctuate and median losses grow with asset prices, the potential for catastrophic individual breaches is escalating faster still.
Read: ADGM approves USDT on TRON for regulated activities
North Korea remains the dominant crypto threat actor
The Democratic People’s Republic of Korea (DPRK) continues to pose the most significant nation-state threat to crypto security, achieving a record-breaking year for thefts despite an assessed dramatic reduction in attack frequency.
In 2025, North Korean hackers stole at least $2.02 billion in cryptocurrency, $681 million more than 2024, representing a 51 percent increase year-over-year. This marks the most severe year on record for DPRK crypto theft in terms of value stolen, with DPRK attacks also accounting for a record 76 percent of all service compromises.
Overall, 2025’s numbers bring the lower-bound cumulative estimate for cryptocurrency funds stolen by the DPRK to $6.75 billion.
The 2025 data present a complex picture of the DPRK’s evolution as a crypto threat actor. The nation state’s ability to execute fewer but far more damaging attacks demonstrates increasing sophistication and patience. The Bybit incident’s impact on its yearly activity patterns suggests that when DPRK successfully executes a major theft, it reduces operational tempo to focus on laundering the proceeds.
For the cryptocurrency industry, this evolution demands enhanced vigilance around high-value targets and improved detection of DPRK’s specific laundering patterns. Their consistent preferences for certain service types and transfer amounts provide detection opportunities, distinguish them from other criminals, and can help investigators identify their on-chain behavioral footprint.
As North Korea continues to use cryptocurrency theft to fund state priorities and circumvent international sanctions, the industry must recognize that this threat actor operates by different rules than typical cybercriminals. The country’s record-breaking 2025 performance — achieved with 74 percent fewer known attacks — suggests we may be seeing only the most visible portion of its activities. The challenge for 2026 will be detecting and preventing these high-impact operations before DPRK-affiliated actors inflict another Bybit-scale incident.
