North Korea remains dominant threat to cryptocurrency security in 2025, even while confirmed incidents have decreased, according to a report by blockchain analytics company Chainanlysis.

Hackers from the Democratic People’s Republic of Korea (DPRK) allegedly stole a record $2.02 billion of crypto this year — a 51% jump compared to 2024, and taking their all-time total to $6.75 billion, it added.

The analysis further found that the DRPK is achieving larger thefts with fewer incidents, using unique methods to gain access and pull off their heists.

North Korea’s alleged crypto heists: Here’s how they did it

As per the report, these hacks were often carried out in unique fashion by embedding IT workers inside crypto services or using sophisticated impersonation tactics targeting executives.

Embedding IT workers

This is among the DPRK’s “principal attack vectors”, the report said. It added that the hackers secured jobs inside crypto services to gain privileged access and enable high‑impact compromises.

“Part of this record year likely reflects an expanded reliance on IT worker infiltration at exchanges, custodians, and web3 firms, which can accelerate initial access and lateral movement ahead of large‑scale theft,” it noted.

Fake jobs

Further, taking the IT worker model and “flipping it on its head”, the analysis said that DPRK-linked operators are also increasingly impersonating recruiters for prominent web3 and AI firms. This way, they orchestrate fake hiring processes that culminate in “technical screens” designed to harvest credentials, source code, and VPN or SSO access to the victim’s current employer.

“At the executive level, a similar social‑engineering playbook appears in the form of bogus outreach from purported strategic investors or acquirers, who use pitch meetings and pseudo–due diligence to probe for sensitive systems information and potential access paths into high‑value infrastructure,” it added.

Higher- value attacks

Over the years, DPRK-linked operators are increasingly undertaking significantly higher-value attacks compared to other threat actors. “This pattern reinforces that when North Korean hackers strike, they target large services and aim for maximum impact,” the report added.

It noted that “this year’s record haul came from significantly fewer known incidents”, including the massive $1.5 billion Bybit hack in February 2025.

DPRK’s distinctive laundering patterns

Not just the hacking process, the laundering of stolen funds is also distinctive, the report said. It noted that more than 60% of laundering was of volume concentrated below $5,00,000 transfer value tranches, despite the total stolen amounts being larger.

“Even while the DPRK consistently steals larger amounts than other stolen fund threat actors, they structure on-chain payments in smaller tranches, speaking to the sophistication of their laundering,” it added.