(crowdfundinsider.com)
The crypto sector faced yet another challenging year in 2025, with stolen funds continuing their upward trajectory, according to an update from Chainalysis, which noted that its close examination reveals a significant shift in crypto theft patterns, characterized by several key developments: the persistence of the Democratic People’s Republic of Korea (DPRK) as a primary threat actor, the severity of individual attacks on centralized services, “a surge in personal wallet compromises, and an unexpected divergence in decentralized finance (DeFi) hack trends.”
According to Chainalysis, these patterns emerge “clearly from the data and reveal significant changes in how crypto theft is occurring across different platform types and victim categories.”
The report from Chainalysis further noted that as the digital asset adoption expands and valuations reach new heights, “understanding these evolving security threats has become increasingly critical.”
The research report from Chainalysis also mentioned that the cryptocurrency industry witnessed over “$3.4 billion in theft from January through early December 2025, with the February compromise of Bybit alone accounting for $1.5 billion of that total.”
Beyond the headline figure, the data reveal “important shifts in the composition of these thefts.”
Personal wallet compromises have “grown substantially, increasing from just 7.3% of total stolen value in 2022 to 44% in 2024.”
“In 2025, the share would have been 37% if it weren’t for the outsized impact of the Bybit attack.”
Meanwhile, centralized services are “experiencing increasingly large losses due to private key compromises.”
Chainalysis added that despite their institutional resources and professional security teams, these platforms “remain vulnerable because of this fundamental security challenge.”
Chainalysis also stated that while such compromises are infrequent, their scale still drives “enormous shares of stolen volumes when they do occur, accounting for 88% of losses in Q1 2025.”
The persistence of high theft volumes “indicates that while some areas of crypto security may be improving, attackers continue to find success across multiple vectors.”
Stolen fund activity has always been “outlier-driven, with most hacks relatively small and some immense.”
But 2025 reveals a striking escalation: the ratio “between the largest hack and median of all incidents has crossed the 1,000x threshold for the first time.”
Funds stolen in the largest attacks are now “1,000 times larger than those stolen in the typical incident, surpassing even the 2021 bull market peak. These calculations are based on the USD values of funds stolen at the time of their theft.”
This growing discrepancy has “concentrated losses dramatically.”
The top three hacks in 2025 account for “69% of all service losses, creating a landscape where individual incidents have an outsized impact on yearly totals.”
While the number of incidents may fluctuate and “median losses grow with asset prices, the potential for catastrophic individual breaches is escalating faster still.”
The Democratic People’s Republic of Korea (DPRK) continues to pose the most significant nation-state threat “to cryptocurrency security, achieving a record-breaking year for stolen funds despite an assessed dramatic reduction in attack frequency.”
In 2025, North Korean hackers “stole at least $2.02 billion in cryptocurrency ($681 million more than 2024), representing a 51% increase year-over-year.”
This marks the most severe year on record for DPRK crypto theft “in terms of value stolen, with DPRK attacks also accounting for a record 76% of all service compromises.”
Overall, 2025’s numbers bring the “lower-bound cumulative estimate for cryptocurrency funds stolen by the DPRK to $6.75 billion.”
North Korean threat actors are increasingly “achieving these outsized results often by embedding IT workers – one of DPRK’s principal attack vectors – inside crypto services to gain privileged access and enable high‑impact compromises.”
Part of this record year likely reflects an “expanded reliance on IT worker infiltration at exchanges, custodians, and web3 firms, which can accelerate initial access and lateral movement ahead of large‑scale theft.”
The massive influx of stolen funds in early 2025 “provides unprecedented visibility into how DPRK-linked actors launder cryptocurrency at scale.”
Their patterns differ markedly from those of other cybercriminals and evolve over time, “revealing current operational preferences and potential vulnerabilities.”
Compared to other stolen fund actors, the DPRK shows “clear preferences for certain laundering touchpoints.”
DPRK hackers tend to strongly prefer:
- Chinese-language money movement and guarantee services (+355% to +1000%+): Their most distinctive characteristic, showing heavy reliance on Chinese-language guarantee services and money laundering networks comprised of many different laundering operators that may have weaker compliance controls
- Bridge services (+97% difference): Heavy reliance on cross-chain bridges to move assets between blockchains and attempt to complicate tracing
- Mixing services (+100% difference): Greater use of mixing services to attempt to obscure the flow of funds
- Specialized services like Huione (+356%): Strategic use of specific services that facilitate their laundering operations
Other stolen fund actors tend to prefer:
- Lending protocols (-80% difference): DPRK avoids these DeFi services, showing limited integration with the broader DeFi ecosystem
- No KYC exchanges (-75% difference): Surprisingly, other threat actors use KYC-free exchanges more than DPRK
- P2P exchanges (-64% difference): DPRK shows limited interest in peer-to-peer platforms
- Centralized exchanges (-25% difference): Other criminals display more direct interactions with conventional exchange platforms
- Decentralized exchanges (DEXs) (-42% difference): Other threat actors strongly prefer DEXs for their liquidity and pseudonymity
These patterns suggest that the DPRK operates under “different constraints and objectives than those of non-state-backed cybercriminals.”
Their heavy use of professional Chinese-language money laundering services and over-the-counter (OTC) traders suggests “that DPRK threat actors are tightly integrated with illicit actors across the Asia-Pacific region, and is consistent with Pyongyang’s historical use of China-based networks to gain access to the international financial system.”
Chainalysis’s analysis of on-chain activity following DPRK-attributed hacks reveals a consistent “pattern in how these events are associated with the movement of stolen funds throughout the cryptocurrency ecosystem.”