
North Korea Stole $2.1B in Crypto in 2025, 60% of All Losses: CertiK

Published: May 12, 2026. By SpendNode Editorial

Key Analysis

CertiK attributes 60% of 2025 crypto theft to North Korean state-sponsored groups: $2.1B stolen across the Bybit breach, developer-targeted social engineering, and bridge and DeFi protocol exploits.

North Korean state-sponsored hackers stole roughly $2.1 billion in cryptocurrency during 2025, representing about 60% of all theft tracked by security firm CertiK, according to a new analysis published this week. The figure makes 2025 the highest year on record for losses attributed to a single nation-state actor, and the gap between North Korea and every other category of crypto crime has never been wider.

The headline number is anchored by a single February breach of Bybit, in which attackers tied to the Lazarus Group drained approximately $1.5 billion from the exchange's cold wallet infrastructure. CertiK attributes the rest of the $2.1B total to a year-long campaign of social engineering against developers, fake recruiter outreach on LinkedIn, and targeted exploitation of bridge and DeFi protocol vulnerabilities.

A Single Actor Now Dominates Crypto Crime

CertiK's data reframes how the industry should think about loss attribution. In prior years, the breakdown was relatively even: smart contract exploits, rug pulls, oracle manipulation, and centralized exchange breaches each contributed meaningful slices. For 2025, one actor took six of every ten dollars stolen.

The runner-up categories trail well behind. DeFi protocol exploits and bridge attacks accounted for roughly 20% of the year's losses, rug pulls and exit scams for another 10%, and everything else, including individual phishing, address poisoning, and SIM swaps, for the final 10%.

That concentration matters for incident response. When the largest loss category is a coordinated state program rather than scattered opportunistic crime, the defensive posture changes: priorities shift toward operational security, hiring pipelines, and cold storage architecture rather than smart contract audits alone.

Laundering Pathways After the Theft

Laundering pathways have shifted alongside the theft volumes. CertiK's report notes that funds moved through a combination of cross-chain bridges, automated mixer services, and over-the-counter desks willing to accept tainted assets at a discount. The Bybit funds in particular were moved across Ethereum, Bitcoin, and several smaller chains within hours of the initial breach.

Sanctioned mixer services continue to play a role despite enforcement pressure. Some funds have surfaced months after the original incidents, occasionally settling into wallets that interact with smaller centralized exchanges in jurisdictions with weaker compliance programs.
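How a compliance or SOC team sees the pattern described above, as an added illustration that is not CertiK's methodology, data, or code: proportional ("haircut") taint propagation over a constructed transfer log in which stolen funds cross a bridge, enter a mixing pool alongside clean liquidity, and a fraction surfaces at a watched exchange deposit address hundreds of blocks later. Every address, amount, block number and seed balance below is constructed for the example.

```python
from collections import defaultdict

# Constructed transfer log: (block, sender, receiver, amount), not real chain data.
# The bridge is modelled as a single edge and the mixer as a single pool address.
TRANSFERS = [
    (100, "theft_wallet", "bridge_in", 1000),
    (101, "bridge_in", "bridge_out", 1000),
    (102, "clean_lp", "mixer_pool", 3000),
    (103, "bridge_out", "mixer_pool", 1000),
    (150, "mixer_pool", "cashout_1", 500),
    (151, "mixer_pool", "cashout_2", 500),
    (400, "cashout_1", "exchange_deposit_X", 200),   # surfaces ~300 blocks later
]
# Seed balances as (total, tainted): the theft wallet is fully tainted, the LP is clean.
SEEDS = {"theft_wallet": (1000, 1000), "clean_lp": (3000, 0)}
# Deposit addresses under our control or monitoring (constructed).
WATCHED_DEPOSITS = {"exchange_deposit_X"}


def propagate_taint(transfers, seeds, watched, alert_threshold=0.0):
    """Haircut model: every outflow carries the sender's current tainted share.
    Returns (total balances, tainted balances, alerts raised on watched deposits)."""
    total, tainted = defaultdict(float), defaultdict(float)
    for addr, (t, d) in seeds.items():
        total[addr], tainted[addr] = float(t), float(d)
    alerts = []
    for block, src, dst, amount in sorted(transfers):
        if total[src] < amount:          # funding we never observed is treated as clean
            total[src] = float(amount)
        share = tainted[src] / total[src] if total[src] else 0.0
        moved = amount * share           # tainted units leaving the sender
        total[src] -= amount
        tainted[src] -= moved
        total[dst] += amount
        tainted[dst] += moved
        if dst in watched and moved > alert_threshold:
            alerts.append((block, src, dst, amount, moved))
    return dict(total), dict(tainted), alerts


def taint_fraction(total, tainted, addr):
    """Share of an address's current balance that traces back to the seed set."""
    return tainted.get(addr, 0.0) / total[addr] if total.get(addr) else 0.0


if __name__ == "__main__":
    total, tainted, alerts = propagate_taint(TRANSFERS, SEEDS, WATCHED_DEPOSITS)
    for addr in sorted(total):
        print(f"{addr:20s} balance={total[addr]:8.1f} "
              f"tainted={taint_fraction(total, tainted, addr):.0%}")
    for alert in alerts:
        print("ALERT", alert)
```

The mixing step dilutes each output to 25% tainted but never removes the taint, which is why funds that settle at a deposit address long after the incident still trip a monitor. In practice the seed set comes from published theft addresses and the watched set is the exchange's own deposit addresses; the haircut model is one of several propagation rules (FIFO and poison are the usual alternatives) and is chosen here because it is the simplest to reason about.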

For broader context on how stolen funds are being recovered or seized, see the US government's growing crypto holdings, which now exceed $4 billion in confiscated digital assets, a portion of which traces back to North Korean operations.

Implications for Exchange Custody

The Bybit incident remains the largest single-event loss in industry history, and its mechanics have shaped how peer exchanges are reconsidering self-custody options and operational segregation. The breach did not exploit a smart contract bug. It exploited the human and signing-process layer around a cold wallet transfer.

Several major exchanges have publicly restructured their multi-signature workflows in the months since, separating transaction construction from approval and adding independent verification steps. Custody insurers have also tightened policy terms, raising deductibles on social engineering coverage and excluding losses where signers fail to follow documented verification protocols.
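What "separating transaction construction from approval and adding independent verification steps" can look like in code, as an added example that is not Bybit's, CertiK's, or any exchange's implementation: a verifier that ignores whatever the signing front end displays and checks the raw proposal fields themselves. The proposal format (`to`, `value`, `data`, `operation` with 0 = CALL and 1 = DELEGATECALL), the allowlisted destinations, the token contract and the per-transaction ceiling are assumptions constructed for the example; the `transfer(address,uint256)` selector `a9059cbb` is the standard ERC-20 one.

```python
import hashlib
import json

# Selector for transfer(address,uint256): first 4 bytes of its keccak256 hash.
TRANSFER_SELECTOR = "a9059cbb"
CALL, DELEGATECALL = 0, 1   # assumed operation codes for the proposal format

# Constructed policy data: destinations signers may pay, and token contracts custody knows.
HOT_A = "0x" + "11" * 20
HOT_B = "0x" + "22" * 20
TOKEN_A = "0x" + "aa" * 20
ALLOWED_DESTINATIONS = {HOT_A: "hot-wallet-A", HOT_B: "hot-wallet-B"}
KNOWN_TOKENS = {TOKEN_A: "TOKEN-A"}
MAX_NATIVE_VALUE_WEI = 10_000 * 10**18   # assumed per-transaction ceiling


def canonical_digest(proposal):
    """Hash a canonical encoding so every verifier can compare the same value
    out of band (read aloud between signers, not copied from the UI)."""
    blob = json.dumps(proposal, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def decode_erc20_transfer(data_hex):
    """Return (recipient, amount) if calldata is exactly transfer(address,uint256), else None."""
    raw = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    if len(raw) != 68 or raw[:4].hex() != TRANSFER_SELECTOR:
        return None
    if any(raw[4:16]):   # the address argument must be zero-padded on the left
        return None
    recipient = "0x" + raw[16:36].hex()
    amount = int.from_bytes(raw[36:68], "big")
    return recipient, amount


def verify_proposal(proposal):
    """Return policy violations found in the proposal itself; an empty list means sign."""
    problems = []
    to = proposal.get("to", "").lower()
    data = proposal.get("data", "0x")
    value = int(proposal.get("value", 0))
    if proposal.get("operation", CALL) != CALL:
        problems.append("operation is not a plain CALL; a delegatecall can rewrite the wallet itself")
    if data in ("", "0x"):                      # native-asset transfer
        if to not in ALLOWED_DESTINATIONS:
            problems.append(f"native transfer to non-allowlisted address {to}")
        if value > MAX_NATIVE_VALUE_WEI:
            problems.append("value exceeds per-transaction ceiling")
    elif to in KNOWN_TOKENS:                    # token transfer: verify what the calldata does
        decoded = decode_erc20_transfer(data)
        if decoded is None:
            problems.append("calldata is not a well-formed transfer(address,uint256)")
        elif decoded[0] not in ALLOWED_DESTINATIONS:
            problems.append(f"token transfer recipient {decoded[0]} not on allowlist")
        if value != 0:
            problems.append("native value attached to a token transfer")
    else:
        problems.append(f"calldata sent to unknown contract {to}")
    return problems


def erc20_transfer_calldata(recipient, amount):
    """Encode transfer(address,uint256) calldata (used here only to build sample proposals)."""
    return "0x" + TRANSFER_SELECTOR + recipient[2:].rjust(64, "0") + f"{amount:064x}"


# Constructed proposals. The last two look identical to GOOD_TOKEN in a front end
# that shows only the destination contract and the native value.
GOOD_NATIVE = {"to": HOT_A, "value": 5 * 10**18, "data": "0x", "operation": CALL}
GOOD_TOKEN = {"to": TOKEN_A, "value": 0,
              "data": erc20_transfer_calldata(HOT_A, 10**21), "operation": CALL}
HIDDEN_DELEGATECALL = dict(GOOD_TOKEN, operation=DELEGATECALL)
DIVERTED_TOKEN = dict(GOOD_TOKEN, data=erc20_transfer_calldata("0x" + "ee" * 20, 10**21))

if __name__ == "__main__":
    for name, proposal in [("good native", GOOD_NATIVE), ("good token", GOOD_TOKEN),
                           ("hidden delegatecall", HIDDEN_DELEGATECALL),
                           ("diverted token", DIVERTED_TOKEN)]:
        print(name, canonical_digest(proposal)[:16], verify_proposal(proposal) or "OK")
```

Each signer runs the check on an independent machine against the raw proposal and reads the digest to the others out of band before touching a hardware wallet; the construction side never sees the allowlist, and the approval side never trusts the rendered summary. The two rejected proposals are the cases a display-only review misses: the operation flag and the decoded recipient are exactly the fields that matter and exactly the fields a simplified front end omits.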

Card-issuing exchanges face a particular calculation here. Custodial card programs depend on the issuer holding user balances on chain or in hot wallets to fund settlement. Any compromise of those reserves cascades directly into card user balances, which is why some users have shifted toward non-custodial spending products where signing keys never leave the user's device.

Wider Pressure on State-Sponsored Crime

The CertiK figures arrive in the same week that a former Washington foreign policy official publicly described US strategic posture toward Iran as failing, a separate macro signal that has been linked to renewed risk premium on Bitcoin. Bitcoin trades at $80,847 as of May 12, 2026, down 0.5% on the day and roughly 1% on the week, with the Crypto Fear and Greed Index sitting at a neutral 50.

The intersection of geopolitical pressure and the dominance of state-sponsored theft creates a difficult narrative for the industry. Regulatory bodies in the US, EU, and Asia are likely to cite the 60% concentration figure when arguing for tighter exchange custody rules and more aggressive sanctions enforcement on mixer services.

Whether those rules will reduce North Korea's take in 2026 is unclear. The Lazarus Group has historically adapted to each round of enforcement, shifting from exchange breaches to DeFi exploits to social engineering as the easiest target moves. The one consistent factor is that the funds continue to flow.

Overview

CertiK's 2025 analysis attributes $2.1 billion in crypto theft to North Korean state-sponsored groups, equal to about 60% of all losses tracked during the year. The Bybit cold wallet breach of $1.5 billion drives the bulk of the number, and the rest comes from a sustained campaign of social engineering, bridge exploits, and DeFi targeting. The concentration into a single actor is the largest the industry has recorded and will likely accelerate exchange custody reform and sanctions enforcement on mixer services through 2026.

Disclaimer: This article is provided for informational purposes only and does not constitute financial advice. All fee, limit, and reward data is based on issuer-published documentation as of the date of verification.
