North Korean hackers pushed cryptocurrency thefts to US$ 2 billion in 2025, reveals Chainalysis

Criminal groups linked to the Democratic People’s Republic of Korea (DPRK) intensified their operations in the cryptocurrency market during 2025, setting a new devastating record. According to the latest Chainalysis report, North Korean hackers managed to divert at least US$ 2 billion in digital assets throughout the year, representing an impressive 51% jump compared to the amounts stolen in 2024. This result propelled the total accumulated theft by these groups to US$ 6.75 billion since their first documented attacks.

Tactic Shift: More Frequent Attacks with Monumental Figures

Data analysis reveals a significant transformation in the strategies of North Korean hackers. Although the total number of incidents has increased, the real change lies in the magnitude of individual events. Criminal groups have been reducing the frequency of attacks against personal users but compensate for this shift with devastating incursions into larger centralized infrastructures.

North Korean hackers were responsible for 76% of all breaches targeting enterprise-level platforms and services during 2025 – the highest percentage ever recorded. This concentration of firepower on high-impact targets starkly contrasts with the pattern observed in conventional cybercriminals, who prefer to spread their efforts across multiple lower-value targets. The attack on Bybit’s centralized service, resulting in losses of US$ 1.4 billion, exemplifies this mindset of maximizing impact per operation.

AI and Regional Infrastructure: Exponential Sophistication in Money Laundering

The process North Korean hackers use to conceal stolen funds has gained an additional layer of technological complexity. Unlike other criminal groups that transfer resources in large-volume on-chain transactions, actors linked to the DPRK fragment their loot into carefully sized parcels, rarely exceeding US$ 500,000 per individual transaction – a clear demonstration of sophisticated operational control.

Andrew Fierman, Chainalysis’ head of national security intelligence, told CoinDesk that Artificial Intelligence has become the critical vector of this transformation. “Korean hackers carry out their cryptocurrency theft laundering with a consistency and fluidity that unequivocally point to the use of AI,” the expert stated. The laundering process operates through a highly coordinated workflow: cryptocurrency mixers, bridges between different blockchains, and DeFi protocols work in synergy from the early stages, methodically converting funds across various crypto assets.

This laundering operation shows a notable dependence on specific regional intermediaries. North Korean hacker wallets show a marked preference for exchanges, escrow services, and over-the-counter networks operated in the Chinese language, along with extensive use of bridges and mixing platforms. Significantly, they largely avoid traditional decentralized DeFi protocols and peer-to-peer exchanges, suggesting both structural limitations and concentrated access among specific geographic and linguistic facilitators.

Precise Timeline: 45 Days for Final Asset Conversion

Post-attack forensic analysis conducted by Chainalysis identified remarkably consistent temporal patterns in fund integration operations. When North Korean hackers execute large thefts, the typical window for converting and concealing resources extends for approximately 45 days, passing through successive phases that begin with immediate obfuscation and culminate in final integration into diversified portfolios.

While this cycle does not hold for every operation, its recurrence over multiple years provides valuable actionable intelligence for regulatory and compliance agencies. This temporal predictability offers a critical window to intercept stolen funds before their final circulation – crucial information for security teams working against the clock.
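One way a compliance team could apply the two figures reported above (the 45-day window and the US$ 500,000 tranche ceiling) to its own transfer data. This is an added example, not Chainalysis methodology: the wallet names, service labels and transfers are constructed, and it assumes simple forward taint that stops at labelled services, where funds commingle.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=45)   # typical conversion window reported in the article
TRANCHE_CAP_USD = 500_000     # per-transfer ceiling reported in the article

# Constructed labels and transfers: (time, source, destination, USD value).
SERVICES = {"mixer-1": "mixer", "bridge-1": "bridge", "otc-desk-1": "otc"}
T0 = datetime(2025, 1, 1)     # constructed theft time
TRANSFERS = [
    (T0 - timedelta(days=3), "theft-wallet", "old-peer", 700_000),   # before theft
    (T0 + timedelta(hours=2), "theft-wallet", "hop-a", 480_000),
    (T0 + timedelta(hours=3), "theft-wallet", "hop-b", 450_000),
    (T0 + timedelta(days=1), "hop-a", "mixer-1", 470_000),
    (T0 + timedelta(days=1, hours=1), "mixer-1", "unrelated-user", 90_000),
    (T0 + timedelta(days=9), "hop-b", "bridge-1", 440_000),
    (T0 + timedelta(days=30), "hop-b", "otc-desk-1", 9_000),
    (T0 + timedelta(days=60), "hop-a", "otc-desk-1", 10_000),        # after window
]

def trace(theft_wallet, theft_time, transfers, services=SERVICES):
    """Follow funds forward in time order, only inside the 45-day window."""
    deadline = theft_time + WINDOW
    tainted, hits = {theft_wallet}, []
    for when, src, dst, usd in sorted(transfers):
        if src not in tainted or not theft_time <= when <= deadline:
            continue
        if dst not in services:   # services commingle funds: do not taint them
            tainted.add(dst)
        hits.append({"day": (when - theft_time).days, "src": src, "dst": dst,
                     "usd": usd, "service": services.get(dst),
                     "under_cap": usd <= TRANCHE_CAP_USD})
    return hits

def service_alerts(hits, theft_time, as_of):
    """Summarise deposits per service and the days left in the window."""
    days_left = max((theft_time + WINDOW - as_of).days, 0)
    alerts = {}
    for h in (h for h in hits if h["service"]):
        a = alerts.setdefault(h["dst"], {"kind": h["service"], "first_day": h["day"],
                                         "usd": 0, "tranches": 0, "days_left": days_left})
        a["usd"] += h["usd"]
        a["tranches"] += int(h["under_cap"])
    return alerts

if __name__ == "__main__":
    found = trace("theft-wallet", T0, TRANSFERS)
    for name, a in service_alerts(found, T0, T0 + timedelta(days=10)).items():
        print(name, a)
```

Each alert names a service that received traced funds, which is where a freeze request can still be made while `days_left` is above zero.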

Targeted User Attacks: Decline in Frequency, Reduction in Average Values

Alongside increased attacks on platforms, North Korean hackers show less interest in compromising personal wallets. Individual account breaches accounted for only 20% of the total stolen value in 2025, compared to 44% recorded the previous year. Although the absolute number of incidents increased to 158,000 events, the amount in dollars extracted per individual victim decreased by 52%, reaching a total of US$ 713 million.

This bifurcation reveals a clear strategic calculus: North Korean hackers widen their reach against ordinary people but redirect their larger resources toward operations against corporate systems, where the return per effort justifies the technological sophistication employed.

Outlook for 2026: Escalation with No Signs of Slowing

As 2025 drew to a close, the attack activities of North Korean hackers showed no indicators of slowing down. The current threat landscape reveals increasing polarization: on one side, mass low-value thefts diverted from isolated individuals; on the other, rare but catastrophic incidents targeting centralized service infrastructures. North Korean hackers have firmly consolidated their position in this second extreme, reinforcing their role as a critical threat vector to the global cryptocurrency ecosystem.

For compliance and law enforcement teams, these findings underscore the urgency of adopting real-time detection mechanisms, monitoring regional laundering infrastructure, and cross-border cooperation to disrupt the facilitators fueling the growing sophistication of these criminal operations.
