Hackers will steal $3.41 billion in cryptocurrency in 2025

[Cryptoverse]

An annual report by blockchain analysts at Chainalysis revealed that hackers stole $3.41 billion in cryptocurrency last year. Of this, over $2.02 billion was stolen by North Korean hackers, and nearly $1.5 billion was stolen from the Bybit cryptocurrency exchange. According to Chainalysis, $2.02 billion is only the low end of the estimate, but it still represents a 51% increase over last year's results, when North Korean hackers managed to steal $1.3 billion. It is also noted that over the past five years, North Korean hackers have stolen at least $6.75 billion in cryptocurrency. As noted above, more than half of the funds stolen this year (almost $1.5 billion) are the result of the February hack and theft of the Bybit crypto exchange. This attack is linked to the TraderTraitor hacker group (aka Jade Sleet and Slow Pisces), part of Lazarus. This incident remains the largest cryptocurrency heist in history. In their report, experts write that North Korean hackers employ several tactics. The first and most well-known is Operation Dream Job. The attackers contact potential victims via LinkedIn or WhatsApp, posing as recruiters, and offer jobs at major companies in the defense, chemical, aerospace, or technology sectors. Once the victim falls for the hackers' bait, they are tricked into installing malware such as BURNBOOK, MISTPEN, or BADCALL under the guise of test assignments. The goal of this campaign is twofold: to steal confidential data and to "make" money by circumventing sanctions. The second tactic is to infiltrate the companies' IT specialists. North Korean developers are recruiting for companies around the world, including crypto exchanges, using fake documents and working through shell companies (like DredSoftLabs and Metamint Studio). Once inside, they gain access to critical systems. This method is codenamed "Wagemole."

[td]"The rise in thefts in 2025 is likely due to the increasing use of IT workers in exchanges, crypto companies, and Web3 projects," says the Chainalysis report. "This allows hackers to more quickly penetrate systems and gain privileged access before committing large-scale thefts."[/td]

Once the funds are stolen, the laundering process begins. According to researchers, North Korean hackers primarily operate through Chinese money transfer services, but also use cross-chain bridges, cryptocurrency mixers, and specialized platforms like Huione.

Typically, the stolen cryptocurrency undergoes three laundering stages, which take approximately 45 days.

• Stage 1: Initial Laundering (0-5 days) – funds are quickly separated from the source of theft through DeFi protocols and mixers.
• Stage 2: Initial Integration (6-10 days) - Assets are moved to crypto exchanges, secondary mixers, and cross-chain bridges like XMRt.
• Stage 3: Final Integration (20-45 days) – final conversion into fiat money or other assets occurs through exchange services.

[td]"The active use of Chinese money laundering services and OTC traders indicates that North Korean groups are closely integrated with criminal networks in the Asia-Pacific region," Chainalysis notes.[/td]