## North Korean Hackers Access Data and Update Records: 2025 Crypto Theft Reaches Historic Levels
The crypto industry continued to face the threat of cyberattacks from North Korea in 2025. According to investigations by chain analysis firms, North Korean hackers shifted tactics this year to deliver larger blows with fewer attacks, recording the highest theft scale in history. This change suggests that attackers are targeting security vulnerabilities more precisely, and their intrusion methods are becoming more sophisticated.
### Record-breaking Theft Amount: From Quantity to Quality
From January to early December 2025, the total amount stolen from the crypto ecosystem exceeded $3.4 billion, with North Korea-related hacker groups accounting for the majority. The crypto assets stolen that year reached at least $2.02 billion, a 51% increase compared to 2024.
Notably, despite a decrease in the number of attacks, the amount stolen has significantly increased. This indicates a shift in tactics by North Korean hackers. They previously attempted numerous small-scale intrusions but have now transitioned to focused attacks on high-value targets. As a result, the total stolen amount by North Korea has reached $6.75 billion, making it one of the largest in crypto history.
Just the top three theft incidents of 2025 account for 69% of the total. The gap between the largest single incident and average hacking losses has widened to an unprecedented extent, reaching a 1000-fold difference. This disparity even surpasses the peak of the 2021 bull market.
### Evolution of Attack Methods: From Infiltration of IT Staff to Fraud Targeting Executives
North Korean hackers' attack methods have evolved from simple internal infiltration to more advanced social engineering techniques.
Traditionally, they infiltrated companies as IT staff to gain privileged access. However, recent activities reveal a fundamental change in this tactic. The current groups impersonate recruiters at major Web3 and AI companies, creating fake recruitment processes. When victims proceed to "technical interviews," hackers request login credentials, source code, VPN access, and Single Sign-On (SSO) authentication. Once they obtain such confidential information, they secure entry points into entire systems.
An even more dangerous trend involves social engineering attacks targeting executives. Impersonating fake strategic investors or acquisition agents, they attempt to gather system information and critical infrastructure details through meetings labeled as due diligence sessions.
This evolving attack pattern suggests that North Korea’s groups are not just criminal gangs but state-supported organizations strategically targeting important companies.
### Unique Money Laundering Pattern: The 45-Day Cycle Secret
North Korean hackers exhibit a completely different pattern when processing stolen funds compared to other criminal groups. Analysis shows that from the time of theft to the final conversion into fiat currency, the process follows a consistent cycle of approximately 45 days.
**Initial Stage (0–5 days after theft)**
In the chaos immediately following the attack, inflows into DeFi protocols increase by 370%. Simultaneously, the use of mixing services jumps by 135–150%, forming a "first layer" that makes tracking funds difficult. During this period, rapid concealment of theft traces is prioritized.
**Mid-Stage (6–10 days)**
As funds disperse across the ecosystem, inflows into non-custodial trading platforms and centralized exchanges (CEX) begin, increasing by 37–32%. Cross-chain bridges are actively used to transfer assets between different blockchains, further complicating tracking.
**Final Stage (20–45 days)**
At this stage, funds flow into non-custodial platforms, collateral services, and Chinese-language money laundering networks. It is believed that this is where the final exchange into fiat currency occurs.
Particularly favored by North Korean groups are Chinese-language transfer services and collateral agencies, with usage increasing by 355–1000% or more. This suggests close ties to underground financial networks in East Asia. Conversely, the use of DeFi lending protocols and P2P trading platforms remains significantly lower compared to other hacker groups.
The consistency of this pattern indicates that North Korea employs a highly organized approach to money laundering, relying on specific intermediaries and jurisdictions with lax regulations.
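The stage windows above double as a detection template: a tracing team that has tagged a stolen-funds cluster can bucket its outbound hops by day-since-theft and destination type and check whether the sequence fits the cycle. The script below is an added example written for this page; it is not code from the article or from the chain-analysis firms it cites. The category labels, the 80% / 10% thresholds, and the flow events are all constructed assumptions for illustration, not figures from the report.

```python
"""Stage-matching heuristic for the ~45-day laundering cycle described above.

Added illustration (not from the article). Input: hop events for a tagged
stolen-funds cluster, each with days since theft, a destination type and a
USD amount. Category labels and thresholds are this example's own choices.
"""
from dataclasses import dataclass

# Stage windows (days after the theft) and the destination types the article
# associates with each stage. Label names are assumptions made here.
STAGES = (
    ("initial", 0, 5, frozenset({"defi", "mixer"})),
    ("mid", 6, 10, frozenset({"noncustodial", "cex", "bridge"})),
    ("final", 20, 45, frozenset({"noncustodial", "collateral", "cn_laundering"})),
)

# Services the article reports North Korean groups use far less than other groups.
ATYPICAL = frozenset({"defi_lending", "p2p"})


@dataclass(frozen=True)
class FlowEvent:
    day: int            # days elapsed since the theft transaction
    category: str       # destination service type (labels above)
    amount_usd: float   # value moved in this hop


def stage_for(event: FlowEvent):
    """Return the cycle stage an event fits, or None if it fits none."""
    for name, first_day, last_day, categories in STAGES:
        if first_day <= event.day <= last_day and event.category in categories:
            return name
    return None


def summarize(events):
    """USD totals per stage, value outside any stage, and value into atypical services."""
    totals = {name: 0.0 for name, *_ in STAGES}
    unmatched = 0.0
    atypical = 0.0
    for e in events:
        if e.category in ATYPICAL:
            atypical += e.amount_usd
        stage = stage_for(e)
        if stage is None:
            unmatched += e.amount_usd
        else:
            totals[stage] += e.amount_usd
    return totals, unmatched, atypical


def score_cycle(events, min_matched_share=0.8, max_atypical_share=0.1):
    """Heuristic: does a cluster's outflow follow the three-stage cycle?

    Requires inflow into all three stages, at least min_matched_share of total
    value passing through stage-consistent destinations in the stage's window,
    and at most max_atypical_share into services the groups rarely use.
    Returns (matches, reasons); reasons is empty when it matches.
    """
    totals, unmatched, atypical = summarize(events)
    total = sum(totals.values()) + unmatched
    if total == 0:
        return False, ["no value moved"]
    reasons = []
    missing = [name for name, *_ in STAGES if totals[name] == 0]
    if missing:
        reasons.append("no inflow in stage(s): " + ", ".join(missing))
    matched_share = (total - unmatched) / total
    if matched_share < min_matched_share:
        reasons.append(f"only {matched_share:.0%} of value followed the cycle")
    atypical_share = atypical / total
    if atypical_share > max_atypical_share:
        reasons.append(f"{atypical_share:.0%} of value went to rarely used services")
    return not reasons, reasons


# Constructed sample clusters (hypothetical, not real incidents).
SAMPLE_FLOW = [
    FlowEvent(0, "defi", 6_000_000),
    FlowEvent(2, "mixer", 3_000_000),
    FlowEvent(7, "bridge", 4_000_000),
    FlowEvent(9, "cex", 1_000_000),
    FlowEvent(15, "p2p", 200_000),           # off-window hop to an atypical service
    FlowEvent(24, "cn_laundering", 5_000_000),
    FlowEvent(40, "collateral", 500_000),
]
OTHER_FLOW = [
    FlowEvent(1, "cex", 2_000_000),
    FlowEvent(3, "p2p", 1_000_000),
    FlowEvent(12, "defi_lending", 500_000),
]

if __name__ == "__main__":
    for label, flow in (("sample", SAMPLE_FLOW), ("other", OTHER_FLOW)):
        matches, reasons = score_cycle(flow)
        print(label, "matches cycle" if matches else "does not match", reasons)
```

The point of the heuristic is triage, not attribution: a cluster that scores as matching deserves the analyst's attention and the 45-day clock tells them how long they have before fiat conversion is likely, while the `reasons` list explains a non-match so thresholds can be tuned against real case data.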
### Surge in Personal Wallet Victims: Warning to Crypto Users
Cryptocurrency theft at the individual level surged at an unprecedented pace in 2025. The number of theft cases reached 158,000, nearly tripling from 54,000 in 2022. The number of victims also doubled from 40,000 to at least 80,000.
This increase parallels the broader adoption of cryptocurrencies, reflecting that more ordinary users now hold digital assets. Notably, on the Solana blockchain, approximately 26,500 victims have been recorded, with theft incidents being particularly high.
Interestingly, while the number of cases increased, the average loss per case decreased. The total theft amount in 2024 was $1.5 billion, whereas in 2025 it remained at $713 million. This indicates that attackers are expanding their target user base but reducing the theft amount per victim on average.
Analysis of victim rates across networks shows that Ethereum and TRON have the highest theft risks, measured by crime rates per 100,000 wallets. Conversely, networks like Base and Solana, despite large user bases, have relatively low victimization rates. This suggests that multiple factors—such as application environments, user demographics, and the presence of criminal infrastructure—determine theft risk beyond mere user counts.
### Hope in DeFi: The Effectiveness of Security Investments
From 2024 to 2025, trends in DeFi have defied past norms. Despite the total value locked (TVL) in DeFi recovering significantly from historic lows, hacking losses have remained at stable, low levels.
Historically, increased risk asset sizes correlated with higher hacking losses. This pattern was evident from 2020 to 2021 and persisted during the downturn of 2022–2023. However, in the recovery phase of 2024–2025, this correlation has broken down.
This shift strongly suggests that security enhancements by DeFi protocols are producing tangible results. Strengthened monitoring, real-time detection systems, and rapid response mechanisms have contributed to reducing attack success rates.
**Case Study: Venus Protocol’s Defense Success**
The September 2025 incident involving Venus Protocol demonstrated the effectiveness of improved security systems. Attackers gained system access through a compromised Zoom client and attempted to authorize $13 million in delegated permissions.
However, Venus had already implemented security monitoring a month prior. The system detected anomalies 18 hours before the attack began and issued alerts during malicious transactions. This enabled the team to:
- **Within 20 minutes**: Emergency shutdown of the protocol, preventing fund outflows
- **Within 5 hours**: Post-attack security review and partial system restoration
- **Within 7 hours**: Forced liquidation of attacker’s positions
- **Within 12 hours**: Full recovery of stolen funds and complete service restoration
Additionally, the attacker's assets worth $3 million, still held through governance, were frozen. As a result, the attacker gained no profit and lost their funds.
This case exemplifies how DeFi security is evolving into an integrated ecosystem of monitoring, response, and governance, beyond mere technical measures.
### Future Threats and Countermeasures for Data Access
The data from 2025 reveals that North Korea’s threat has qualitatively changed. While attack frequency has decreased, destructive power has increased, and methods have become more patient and cunning. The impact of a major February incident indicates that after large-scale thefts, they tend to temporarily slow down and focus on money laundering.
The crypto industry faces multifaceted challenges: heightened vigilance against high-value targets, increased awareness of North Korea’s unique money laundering techniques, and recognition of the 45-day cycle pattern. These features can distinguish North Korea from other criminal groups and improve detection and response accuracy.
For North Korea, which continues to use crypto theft as a means to evade sanctions, current activities may only be the tip of the iceberg. The biggest challenge for the industry beyond 2026 will be whether it can preemptively respond to the next large-scale attack.