Date: 2025-12-18

When they strike cryptocurrency-related targets, North Korean hacking groups are increasingly aiming for large services where a single breach can move serious money, a new Chainalysis report on crypto theft in 2025 revealed.

“North Korean hackers stole $2.02 billion in cryptocurrency in 2025, a 51% year-over-year increase, pushing their all-time total to $6.75 billion despite fewer attacks,” the company says.

How are they achieving this?

For years, a big part of their playbook involved placing North Korean IT workers inside target companies. These workers often used fake identities to land remote jobs, especially in tech and crypto firms. Once inside, they could earn salaries that flowed back to the regime, gather internal knowledge, or quietly set the stage for later attacks.

But there has been a noticeable change related to this tactic. Instead of trying only to get hired, North Korean hackers are increasingly trying to trick people who already work at or lead valuable companies.

For example, they often pose as recruiters for well-known web3 or AI firms and reach out to engineers and developers with job offers. The targets are guided through a fake hiring process that feels real enough to pass a quick gut check, and often ends with a technical interview.

During that step, the victims are asked to run code or specific tools, or to open documents. Doing so compromises their machines and allows the hackers to grab credentials and source code, or to access the corporate VPNs and systems of their current employers.

Another method aims higher up the organization’s chart: Executives are contacted by people claiming to be investors or potential buyers.

These conversations can stretch over weeks and include pitch meetings and fake due diligence. The attackers ask detailed questions about systems, security practices, and internal workflows. Piece by piece, they learn how high value infrastructure is set up and where access might be weakest.

This change builds directly on earlier IT worker fraud schemes, but the focus remains on strategically important AI and blockchain companies.

North Korean hackers often move quickly to launder the ill-gotten crypto funds through DeFi protocols, mixing services, exchanges with limited “know your customer” processes, centralized exchanges, cross-chain bridges, no-KYC exchanges, guarantee services, instant exchanges, Chinese-language platforms / payment processors and money laundering networks.

Raiding of personal wallets

According to Chainalysis, various attackers have also ramped up compromises and theft from individuals’ crypto wallets.

“Total theft incidents surged to 158,000 in 2025, nearly triple the 54,000 recorded in 2022. Unique victims increased from 40,000 in 2022 to at least 80,000 in 2025. These dramatic increases are likely due to greater crypto adoption. For example, Solana, one of the blockchains with the greatest number of active personal wallets, had by far the largest number of incidents (~26,500 victims),” the company noted.

To put individual wallet losses in context, Chainalysis also looked at how often users are being hit across different blockchains, and found that Ethereum and Tron stand out in 2025.

Base and Solana, on the other hand, have more sizable user communities, but those users are less likely to be victimized.

But despite more incidents and victims, “the total USD value stolen from individual victims actually declined from 2024’s peak of $1.5 billion to $713 million in 2025,” Chainalysis pointed out. “This suggests that attackers are targeting more users, but stealing smaller amounts per victim.”

