North Korean hackers stole a record $2.02 billion in cryptocurrency throughout 2025, effectively establishing cyber-theft as a primary sovereign revenue stream for the isolated regime.
Data released Monday in a joint report by blockchain intelligence firms Chainalysis and TRM Labs confirms a 45% year-over-year increase in stolen funds compared to 2024. The surge stems from a strategic pivot: Pyongyang’s operatives have abandoned complex decentralized finance (DeFi) exploits to target the systemic vulnerabilities of centralized exchanges (CEXs).
Centralized infrastructure accounted for 70% of successful exploits in 2025, a sharp reversal from the DeFi-heavy attacks that defined the previous cycle.
Targeting the Centralized Gatekeepers
The shift to centralized targets suggests a “professionalization” of North Korean hackers’ cyber capabilities. Rather than relying solely on technical smart contract failures, groups such as Lazarus and APT38 focused on social engineering and administrative weaknesses within major liquidity hubs.
“The data indicates an industrial-scale approach to compromising centralized entities,” said Ari Redbord, Global Head of Policy at TRM Labs. “We are seeing less reliance on ‘smash and grab’ DeFi hacks and more sophisticated, long-con operations aimed at the human and institutional gates guarding exchange wallets.”
The largest single contributor to the 2025 total was the February breach of Dubai-based exchange Bybit, where attackers drained $1.5 billion. The FBI and on-chain analysts linked the incident to compromised private keys obtained through a targeted phishing campaign against senior engineers, a hallmark of the new CEX-focused strategy.
Bridge Hopping and Laundering
While the theft occurred on centralized platforms, the laundering process remained deeply embedded in decentralized protocols. The report notes that over $800 million of the stolen funds were washed using “chain hopping” techniques across cross-chain bridges.
North Korean hackers used automated scripts to move assets rapidly between blockchains, specifically through the ThorChain and LayerZero protocols, to obfuscate the transaction trail before converting funds into USDT on the Tron network. This volume of cross-chain laundering represents a record high, complicating efforts by the Office of Foreign Assets Control (OFAC) to freeze assets.
Sovereign Revenue Stream
The scale of the 2025 thefts highlights the degree to which cryptocurrency theft has become a macroeconomic necessity for North Korea. The $2.02 billion figure rivals the nation’s traditional annual exports, effectively functioning as a state-funded ATM that bypasses global banking sanctions.
The United Nations Security Council flagged this connection in a November briefing, warning that the revenue directly funds the DPRK’s nuclear and ballistic missile programs.
“These are not rogue hackers,” Chainalysis noted in the report. “This is a geopolitical strategy where a nation-state is systematically draining the crypto ecosystem to fund military objectives.”
Major global exchanges have accelerated the rollout of mandatory hardware key authentication for administrative staff this quarter, citing the escalating threat profile from state actors.
Chain Street’s Take
The $2 billion figure is staggering, but the “how” is more important than the “how much.” North Korean hackers have proven that the blockchain’s immutability is irrelevant if the people holding the keys can be compromised.
By shifting 70% of their attacks to centralized exchanges, they aren’t hacking code anymore; they are hacking human resources and corporate hierarchy. This is no longer a crypto-native security problem; it is a global counter-intelligence failure.
Until exchanges treat their admin keys like nuclear launch codes, this sovereign revenue stream isn’t going anywhere.



