Cybercriminals linked to the Pyongyang regime set a grim record in the digital asset industry this year. According to a Chainalysis report published on December 18, 2025, attacks by North Korean groups resulted in the theft of at least $2 billion. This figure represents a 51% increase over the previous year and raises their cumulative historic haul to $6.75 billion.
Andrew Fierman, Chainalysis's head of national security intelligence, noted that these actors now favor fewer, larger and more selective attacks. The technical sophistication of the operations points to the use of artificial intelligence tools to speed up the laundering process.
The strategy of these groups has evolved toward "big game hunting," concentrating their efforts on large centralized services. DPRK-linked actors were responsible for 76% of all service-level compromises in 2025. The $1.4 billion hack of Bybit in February was the primary driver of these record figures.
Unlike other criminals, these hackers avoid common DeFi protocols and prefer regional facilitator networks. The use of Chinese-language brokers and over-the-counter (OTC) networks is a constant in their financial schemes. The consistency in their movement patterns betrays a highly structured and hierarchical operational infrastructure.
At the same time, the way they process stolen money shows exceptionally high operational security. While other criminals move funds in large lump transfers, North Korean groups distribute them in tranches of less than $500,000. This fragmentation makes immediate tracing by blockchain forensics platforms considerably harder.
The report also describes a typical laundering period of approximately 45 days for each major hit. Final integration occurs only after the funds have passed through multiple mixers and cross-chain bridges. That window is the critical period in which compliance teams can still attempt to freeze or intercept the funds. Their dependence on specific regional facilitators, however, limits their direct access to the traditional global financial system.
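As an added illustration (not taken from the Chainalysis report or from this article), the following Python sketch shows why a per-transfer alert threshold misses the tranche pattern described above, and how a compliance monitor can counter it by aggregating sub-threshold transfers per source cluster over the laundering window. The ledger records, cluster and counterparty names, the use of $500,000 as the alert level and the three-tranche minimum are all constructed or assumed here; only the 45-day window comes from the report.

```python
from datetime import datetime, timedelta

# Constructed sample ledger (illustrative, not real chain data). Each record is
# one outbound USD-denominated transfer from an attributed address cluster.
SAMPLE_TRANSFERS = [
    {"ts": "2025-03-01T10:00:00", "src": "hack_cluster_A", "dst": "otc_desk_1", "usd": 480_000},
    {"ts": "2025-03-01T11:30:00", "src": "hack_cluster_A", "dst": "otc_desk_2", "usd": 495_000},
    {"ts": "2025-03-02T09:15:00", "src": "hack_cluster_A", "dst": "otc_desk_1", "usd": 450_000},
    {"ts": "2025-03-03T16:45:00", "src": "hack_cluster_A", "dst": "bridge_x", "usd": 490_000},
    # One large transfer: a per-transfer threshold catches this without aggregation.
    {"ts": "2025-03-01T12:00:00", "src": "other_actor", "dst": "cex_1", "usd": 2_000_000},
    # Isolated small transfer: below threshold and not part of any series.
    {"ts": "2025-03-05T08:00:00", "src": "retail_user", "dst": "cex_1", "usd": 12_000},
]

SINGLE_TRANSFER_THRESHOLD_USD = 500_000  # assumed per-transfer alert level
LAUNDERING_WINDOW = timedelta(days=45)   # window length taken from the report's 45-day figure
MIN_TRANCHES = 3                         # assumed: how many sub-threshold hops make a series


def _ts(record):
    """Parse the ISO-8601 timestamp of one transfer record."""
    return datetime.fromisoformat(record["ts"])


def per_transfer_flags(transfers, threshold=SINGLE_TRANSFER_THRESHOLD_USD):
    """Naive control: alert only on individual transfers at or above the threshold.
    Every tranche deliberately kept under the threshold slips through."""
    return [t for t in transfers if t["usd"] >= threshold]


def detect_structuring(transfers, threshold=SINGLE_TRANSFER_THRESHOLD_USD,
                       window=LAUNDERING_WINDOW, min_count=MIN_TRANCHES):
    """Aggregate sub-threshold transfers per source over a rolling window and
    alert when a source moves at least `threshold` in aggregate through at
    least `min_count` transfers that were each individually below it."""
    sub_threshold_by_src = {}
    for t in transfers:
        if t["usd"] < threshold:
            sub_threshold_by_src.setdefault(t["src"], []).append(t)

    alerts = []
    for src, items in sub_threshold_by_src.items():
        items.sort(key=_ts)
        best = None
        lo = 0
        for hi in range(len(items)):
            # Slide the window start forward until items[lo..hi] fits in `window`.
            while _ts(items[hi]) - _ts(items[lo]) > window:
                lo += 1
            chunk = items[lo:hi + 1]
            total = sum(t["usd"] for t in chunk)
            if len(chunk) >= min_count and total >= threshold:
                # Keep the heaviest qualifying window per source as the alert.
                if best is None or total > best["total_usd"]:
                    best = {
                        "src": src,
                        "tranches": len(chunk),
                        "total_usd": total,
                        "destinations": sorted({t["dst"] for t in chunk}),
                        "span_days": (_ts(chunk[-1]) - _ts(chunk[0])).days,
                    }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    print("per-transfer flags:", [t["src"] for t in per_transfer_flags(SAMPLE_TRANSFERS)])
    for alert in detect_structuring(SAMPLE_TRANSFERS):
        print("structuring alert:", alert)
```

With the constructed ledger, the per-transfer rule flags only the single $2 million transfer, while the aggregation rule raises one alert on hack_cluster_A: four tranches totaling $1,915,000 to three different counterparties over two days. In a real deployment the `src` key would be a cluster identifier produced by address attribution, and the threshold, window and tranche count are tuning knobs; the durable point is that alerts keyed on cluster and time window survive fragmentation where single-transfer thresholds do not.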
How does a single criminal group dominate 76% of service hacks?
The success of these operations lies in the combination of strategic patience and superior technical capability. Attackers often place their own technical personnel inside Web3 projects in order to identify vulnerabilities from within the organization. Likewise, the use of AI has allowed them to automate obfuscation tasks that previously required weeks of manual labor.
Their efficiency in converting assets lets funds flow quickly into wallets beyond the reach of international authorities. As a result, the industry faces an adversary that evolves faster than standard defenses. Protecting institutional private keys has become the most urgent security challenge for exchanges.
Personal wallet thefts, by contrast, show the opposite trend. Although the number of incidents against individuals rose to 158,000, the total value stolen fell by 52%, to $713 million. Attackers are hitting more users but taking less from each victim on average. This points to a polarization of crime: high-volume, low-value thefts against individuals and catastrophic attacks against institutions.
Personal self-custody security has improved, but the vulnerability of large centralized funds remains alarming. The stolen cryptocurrency is usually laundered through services that do not require strict identity verification processes.
Is it possible to stop the flow of funds to the North Korean regime in 2026?
Early detection within the roughly 45-day laundering window offers a vital opportunity for law enforcement agencies. International collaboration between exchanges and governments is fundamental to blocking fiat off-ramps. In addition, continuous monitoring of cross-chain bridges can flag suspicious fund movements in real time.
The tightening of controls on mixing services has forced hackers to seek more complex alternatives. However, the persistence of these groups suggests they will continue to find new attack vectors every year. The eyes of experts are focused on how new regulations will affect Chinese brokers.
Looking ahead, the industry is expected to strengthen its hiring and vetting protocols to prevent insider infiltration. Training on advanced social engineering must be a priority for all employees of major crypto companies. Ultimately, the resilience of the ecosystem will depend on its ability to share threat intelligence proactively.
The record $2 billion theft should serve as a serious warning to financial service providers. The commitment to security is no longer an option but a requirement for institutional survival. The evolution of defense techniques will determine if next year’s theft figures finally begin to decline.
