North Korean hackers stole $2.02 billion in cryptocurrency in 2025 (up 51% year over year), bringing their cumulative haul to at least $6.75 billion. The number of attacks fell by 74%, but the scale of each incident surged: the single Bybit exchange breach ($1.5 billion) accounted for roughly three quarters of the year's North Korean total. Their laundering favours Chinese fund-transfer and escrow services (up 355% relative to other hackers), cross-chain bridges and mixing protocols, and completes in about 45 days across three stages.
North Korean hacking incidents decreased by 74%, but thefts increased by 51%
In 2025, North Korean hackers set a record for cryptocurrency theft, stealing at least $2.02 billion, $681 million more than in 2024 and a 51% year-over-year increase. It was the worst year on record for North Korean crypto theft: attacks attributed to North Korea accounted for 76% of all funds stolen through service intrusions, a new high. Cumulatively, the estimated total stolen by North Korean hackers now stands at no less than $6.75 billion.
More striking still, this record loss came despite a sharp drop in known incidents. North Korean hackers stole more with fewer attacks, roughly 74% fewer, while the average take per attack soared. The shift is driven by the Bybit breach of February 2025, which cost up to $1.5 billion and on its own accounted for 74% of North Korea's thefts that year.
The three largest incidents accounted for 69% of total losses, and the largest single attack took roughly 1,000 times the median theft, exceeding even the biggest incidents of the 2021 bull market. Losses are therefore highly concentrated, and one event can dominate the annual total.
North Korean operators increasingly gain privileged access to crypto services by placing their own IT workers inside them and then carrying out major attacks from within. The record losses this year may partly reflect that reliance on embedded IT staff to penetrate trading platforms, custodians and Web3 companies: an insider shortcut to initial access and lateral movement that sets the stage for large-scale theft.
Recent activity linked to North Korea has, however, turned the IT worker model around. Rather than only applying for jobs and working their way in as employees, operators increasingly impersonate recruiters at well-known Web3 and AI companies and run carefully staged fake hiring processes. Under the guise of a “technical screening”, they collect the candidate's login credentials, source code, and VPN or SSO access to the candidate's current employer.
45-Day Three-Stage Money Laundering Cycle and Preference for Chinese Services
Analysis of on-chain activity from North Korea-linked incidents between 2022 and 2025 shows that stolen funds move through a structured, multi-stage laundering process lasting roughly 45 days. The persistence of this pattern across several years points to operational constraints on the North Korean side, possibly limited channels into financial infrastructure and a need to coordinate with specific intermediaries.
The Three Stages of North Korean Hackers’ 45-Day Laundering Cycle
Days 0-5 (Immediate Layering): activity at DeFi protocols rises 370% and at mixing services 135-150%, a spike sharp enough to separate urgent, theft-driven movement from baseline activity.
Days 6-10 (Initial Integration): non-KYC trading platforms up 37%, CEXs up 32%, cross-chain bridges up 141%, as funds move toward exit channels.
Days 20-45 (Long-tail Integration): non-KYC platforms up 82%, escrow services up 87%, Chinese platforms up 45%, as the remaining funds are converted to fiat.
Compared with other hackers, North Korea shows clear preferences at particular laundering stages. It leans heavily on Chinese fund-transfer and escrow services (up 355% to over 1,000%), a distinctive trait that reflects reliance on Chinese escrow services and a network of laundering operators with weak compliance controls. Cross-chain bridge usage is 97% higher, showing a strong dependence on chain-hopping to obscure the trail across blockchains, and mixer usage is double (+100%), reflecting extra effort to mask fund flows.
Conversely, North Korean hackers make far less use of lending protocols (-80%), non-KYC platforms (-75%, surprisingly lower than other hackers), P2P platforms (-64%) and DEXs (-42%). These patterns suggest their operations face different constraints and pursue different goals than non-state cybercriminal groups. Their heavy use of professional Chinese laundering services and OTC traders points to close ties with illicit actors in the Asia-Pacific region.
This typical 45-day window is actionable intelligence for law enforcement and compliance teams. Knowing the timeline and its phases lets exchanges and security firms aim freezing and recovery measures at the points where they can still bite: the first five days, while funds are being layered through DeFi and mixers, and days 6-10, when they first reach bridges and CEXs, rather than after the long tail has converted them to fiat.
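To make the timeline above operational, here is an added example in Python; it is not code from the report, from Chainalysis or from Gate. It forward-traces taint from a theft address through a constructed set of transfers, places each hop in one of the stage windows described above (days 11-19, which the text does not describe, are labelled as a gap), totals volume by counterparty category per stage, and raises a freeze request when funds land at a custodial exit or a pattern alert when they touch the services the text says North Korea over-uses. The category labels, addresses, amounts and the theft date are all assumptions; in practice the labels would come from an address-attribution dataset.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Stage windows in days since the theft (T0), taken from the text above.
# Days 11-19 are not described in the report, so they are labelled as a gap.
STAGES = [
    ("immediate_layering", 0, 5),
    ("initial_integration", 6, 10),
    ("gap", 11, 19),
    ("long_tail_integration", 20, 45),
]

# Counterparty categories the text singles out as over-used by DPRK flows.
# The category names are assumed labels from an address-attribution dataset.
DPRK_SIGNAL = {"chinese_escrow", "bridge", "mixer"}
# Categories where a freeze request can still bite: custodial exit points.
FREEZABLE = {"cex", "chinese_escrow"}


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    src: str
    dst: str
    dst_category: str  # attribution label of the receiving address
    amount_usd: float


def stage_for_day(days_since_theft: int) -> str:
    """Map elapsed days since T0 onto the laundering stage windows."""
    if days_since_theft < 0:
        return "pre_theft"
    for name, lo, hi in STAGES:
        if lo <= days_since_theft <= hi:
            return name
    return "beyond_window"


def trace(transfers, t0: datetime, theft_addresses):
    """Forward-propagate taint from the theft addresses through every later
    hop.  Naive full taint (no proportional split): fine for placing hops in
    a stage, too coarse for attributing exact amounts through mixers."""
    tainted = set(theft_addresses)
    events = []
    for tx in sorted(transfers, key=lambda t: t.ts):
        if tx.src not in tainted:
            continue
        tainted.add(tx.dst)
        events.append((stage_for_day((tx.ts - t0).days), tx))
    return events


def per_stage_mix(events):
    """USD volume by counterparty category within each stage.  Comparing this
    mix against a baseline is how the uplift figures in the text are read."""
    mix = {}
    for stage, tx in events:
        mix.setdefault(stage, Counter())[tx.dst_category] += tx.amount_usd
    return mix


def alerts(events):
    """FREEZE_REQUEST when funds reach a custodial exit; DPRK_PATTERN when a
    hop touches a service the text says DPRK over-uses."""
    out = []
    for stage, tx in events:
        if tx.dst_category in FREEZABLE:
            out.append(("FREEZE_REQUEST", stage, tx.dst, tx.amount_usd))
        elif tx.dst_category in DPRK_SIGNAL:
            out.append(("DPRK_PATTERN", stage, tx.dst, tx.amount_usd))
    return out


# Constructed sample: T0 and every address and amount below are made up.
SAMPLE_T0 = datetime(2025, 1, 1)


def _day(n: int) -> datetime:
    return SAMPLE_T0 + timedelta(days=n)


SAMPLE_TRANSFERS = [
    Transfer(_day(0), "0xhot_wallet", "0xA", "dex", 50_000_000),
    Transfer(_day(1), "0xA", "0xM1", "mixer", 20_000_000),
    Transfer(_day(2), "0xA", "0xD1", "defi", 30_000_000),
    Transfer(_day(7), "0xM1", "0xB1", "bridge", 15_000_000),
    Transfer(_day(8), "0xD1", "0xC1", "cex", 10_000_000),
    Transfer(_day(25), "0xB1", "0xE1", "chinese_escrow", 12_000_000),
    Transfer(_day(30), "0xX", "0xY", "cex", 5_000_000),  # unrelated, never tainted
    Transfer(_day(50), "0xE1", "0xZ", "otc", 3_000_000),
]


def run_sample():
    events = trace(SAMPLE_TRANSFERS, SAMPLE_T0, {"0xhot_wallet"})
    return events, per_stage_mix(events), alerts(events)


if __name__ == "__main__":
    ev, mix, al = run_sample()
    for stage, tx in ev:
        print(f"{stage:22s} day {(tx.ts - SAMPLE_T0).days:3d} "
              f"{tx.src} -> {tx.dst} ({tx.dst_category})")
    for a in al:
        print(a)
```

On the constructed sample the two freeze requests fire on day 8 (a CEX deposit) and day 25 (a Chinese escrow service), which is the practical point of the 45-day model: the alert on the CEX hop arrives while the funds are still inside the initial-integration window, before the long tail has turned them into fiat. Real tracing needs proportional taint and a real attribution feed; this block only shows how the stage windows turn into rules.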
North Korean hackers' cryptocurrency thefts surge by 51%! Money laundering cycle is 45 days, with a total theft of $6.75 billion.