{"id":92401,"date":"2025-12-19T12:09:25","date_gmt":"2025-12-19T09:09:25","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=92401"},"modified":"2025-12-19T12:12:28","modified_gmt":"2025-12-19T09:12:28","slug":"losses-from-crypto-hacks-reached-3-4bn-in-2025","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/losses-from-crypto-hacks-reached-3-4bn-in-2025\/","title":{"rendered":"Losses from crypto hacks reached $3.4bn in 2025"},"content":{"rendered":"<p>From January to early December 2025, hackers stole cryptocurrencies worth more than $3.4bn, slightly above last year\u2019s $3.3bn, according to Chainalysis.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">1\/ In the first preview chapter of our 2026 Crypto Crime Report, we look at how North Korean hackers stole $2.02B in crypto during 2025, a 51% increase from 2024, pushing their all-time total to $6.75B: <a href=\"https:\/\/t.co\/B9l4x1g9VM\">https:\/\/t.co\/B9l4x1g9VM<\/a><\/p>\n<p>\u2014 Chainalysis (@chainalysis) <a href=\"https:\/\/twitter.com\/chainalysis\/status\/2001635540681314609?ref_src=twsrc%5Etfw\">December 18, 2025<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Almost half of all losses \u2014 44%, or $1.5bn \u2014 stemmed from the <a href=\"https:\/\/forklog.com\/en\/news\/bybit-exchange-suffers-1-46-billion-loss-in-hack\">the Bybit exchange hack<\/a>.<\/p>\n<p>Analysts observed a record skew in the data: for the first time, the gap between the largest attack and the average incident exceeded 1,000-fold.<\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"605\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-e25bd5e72f5d6957-1351356722473400-1024x605.png\" alt=\"Gap between large and average hacks\" class=\"wp-image-272055\" srcset=\"https:\/\/forklog.com\/wp-content\/uploads\/img-e25bd5e72f5d6957-1351356722473400-1024x605.png 1024w, https:\/\/forklog.com\/wp-content\/uploads\/img-e25bd5e72f5d6957-1351356722473400-300x177.png 300w, https:\/\/forklog.com\/wp-content\/uploads\/img-e25bd5e72f5d6957-1351356722473400-768x454.png 768w, https:\/\/forklog.com\/wp-content\/uploads\/img-e25bd5e72f5d6957-1351356722473400-1536x907.png 1536w, https:\/\/forklog.com\/wp-content\/uploads\/img-e25bd5e72f5d6957-1351356722473400.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Source: Chainalysis.<\/figcaption><\/figure>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cThe amount stolen in top-tier attacks is now a thousand times larger than in an ordinary theft, surpassing even the peak figures of the 2021 bull market,\u201d they explained.<\/em><\/p>\n<\/blockquote>\n<p>Another notable trend is the rise in personal wallet breaches and key thefts at centralized services. The share of such incidents climbed from 7.3% in 2022 to 44% in 2024.<\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-9dcc2fa352092986-1351373215772109-1024x683.png\" alt=\"Attacks on personal crypto wallets\" class=\"wp-image-272056\" srcset=\"https:\/\/forklog.com\/wp-content\/uploads\/img-9dcc2fa352092986-1351373215772109-1024x683.png 1024w, https:\/\/forklog.com\/wp-content\/uploads\/img-9dcc2fa352092986-1351373215772109-300x200.png 300w, https:\/\/forklog.com\/wp-content\/uploads\/img-9dcc2fa352092986-1351373215772109-768x512.png 768w, https:\/\/forklog.com\/wp-content\/uploads\/img-9dcc2fa352092986-1351373215772109-1536x1025.png 1536w, https:\/\/forklog.com\/wp-content\/uploads\/img-9dcc2fa352092986-1351373215772109.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Source: Chainalysis.<\/figcaption><\/figure>\n<p>There were 158,000 incidents affecting at least 80,000 unique addresses. Aggregate losses fell from $1.5bn to $713m.<\/p>\n<p>Experts noted that attackers are now going after a larger number of victims but for smaller sums.<\/p>\n<p>The highest attack density per 100,000 wallets is seen on the Ethereum and <a href=\"https:\/\/forklog.com\/en\/news\/what-is-tron-trx\">Tron<\/a> networks.<\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"830\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-0af9f52ebe13fb27-1351436467827592-1024x830.png\" alt=\"Funds stolen by hackers across networks\" class=\"wp-image-272057\" srcset=\"https:\/\/forklog.com\/wp-content\/uploads\/img-0af9f52ebe13fb27-1351436467827592-1024x830.png 1024w, https:\/\/forklog.com\/wp-content\/uploads\/img-0af9f52ebe13fb27-1351436467827592-300x243.png 300w, https:\/\/forklog.com\/wp-content\/uploads\/img-0af9f52ebe13fb27-1351436467827592-768x622.png 768w, https:\/\/forklog.com\/wp-content\/uploads\/img-0af9f52ebe13fb27-1351436467827592-1536x1245.png 1536w, https:\/\/forklog.com\/wp-content\/uploads\/img-0af9f52ebe13fb27-1351436467827592.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Source: Chainalysis.<\/figcaption><\/figure>\n<p>Despite professional security infrastructure, centralized services remain vulnerable. In the first quarter, such platforms accounted for 88% of all funds stolen. The main single point of failure is private keys.<\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"638\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-21321c6c6fa6da8b-1351472601814580-1024x638.png\" alt=\"Breakdown of hacks by quarter, 2023\u20132025\" class=\"wp-image-272058\" srcset=\"https:\/\/forklog.com\/wp-content\/uploads\/img-21321c6c6fa6da8b-1351472601814580-1024x638.png 1024w, https:\/\/forklog.com\/wp-content\/uploads\/img-21321c6c6fa6da8b-1351472601814580-300x187.png 300w, https:\/\/forklog.com\/wp-content\/uploads\/img-21321c6c6fa6da8b-1351472601814580-768x478.png 768w, https:\/\/forklog.com\/wp-content\/uploads\/img-21321c6c6fa6da8b-1351472601814580-1536x957.png 1536w, https:\/\/forklog.com\/wp-content\/uploads\/img-21321c6c6fa6da8b-1351472601814580.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Source: Chainalysis.<\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\">Progress in DeFi<\/h2>\n<p>In 2025, losses from hacks in <a href=\"https:\/\/forklog.com\/en\/news\/what-is-decentralised-finance-defi\">DeFi<\/a> were low despite rising <span data-descr=\"total value locked\" class=\"old_tooltip\">TVL<\/span>. In Chainalysis\u2019s view, the trend points to higher security standards across the sector.<\/p>\n<p>The September incident at Venus Protocol was instructive. Thanks to monitoring by Hexagate, the team spotted suspicious activity 18 hours before the attack. Developers were able to pause the protocol and quickly recover funds.<\/p>\n<p>Later, the community, via the <a href=\"https:\/\/forklog.com\/en\/news\/what-is-a-dao-decentralised-autonomous-organisation\">DAO<\/a>, froze a further $3m that was under the hacker\u2019s control. As a result, the attacker made no profit and even incurred losses.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cAlthough attacks still occur, the ability to detect, respond to and even reverse them represents a fundamental shift from the early DeFi era, when successful hacks often meant irretrievable losses,\u201d the specialists commented.<\/em><\/p>\n<\/blockquote>\n<h2 class=\"wp-block-heading\">A record year for North Korea<\/h2>\n<p>North Korea set a new negative record, cementing its status as the chief threat to the crypto industry. In 2025, hackers stole at least $2.02bn \u2014 $681m more than in 2024.<\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"758\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-63165162953b90fc-1351535385873862-1024x758.png\" alt=\"Losses from DPRK-linked hacks, 2016\u20132025\" class=\"wp-image-272059\" srcset=\"https:\/\/forklog.com\/wp-content\/uploads\/img-63165162953b90fc-1351535385873862-1024x758.png 1024w, https:\/\/forklog.com\/wp-content\/uploads\/img-63165162953b90fc-1351535385873862-300x222.png 300w, https:\/\/forklog.com\/wp-content\/uploads\/img-63165162953b90fc-1351535385873862-768x569.png 768w, https:\/\/forklog.com\/wp-content\/uploads\/img-63165162953b90fc-1351535385873862-1536x1138.png 1536w, https:\/\/forklog.com\/wp-content\/uploads\/img-63165162953b90fc-1351535385873862.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Source: Chainalysis.<\/figcaption><\/figure>\n<p>Cumulative losses attributed to DPRK hackers reached $6.75bn.<\/p>\n<p>Experts said a key tactic remains the placement of fake IT workers. After gaining access to projects\u2019 internal infrastructure, they steal funds. In May, one such spy was <a href=\"https:\/\/forklog.com\/en\/news\/kraken-uncovers-north-korean-spy-among-job-applicants\">identified<\/a> by the Kraken exchange team.<\/p>\n<p>In September, Binance founder Changpeng Zhao <a href=\"https:\/\/forklog.com\/en\/news\/cz-warns-of-imposter-employees-threat-from-north-korea\">warned<\/a> about this threat.<\/p>\n<p>Analysts also highlighted North Korean groups\u2019 laundering patterns. Unlike other cybercriminals, they split large sums into tranches of less than $500,000.<\/p>\n<p>DPRK actors also prefer Chinese-language services, <a href=\"https:\/\/forklog.com\/en\/news\/what-are-cross-chain-bridges\">bridges<\/a>, mixers and specialised platforms such as <a href=\"https:\/\/forklog.com\/en\/news\/darknet-platform-huione-pay-halts-operations\">Huione<\/a>. Most other hackers more often opt for lending protocols, exchanges without <span data-descr=\"Know Your Customer \u2014 'know your customer'\" class=\"old_tooltip\">KYC<\/span> and <a href=\"https:\/\/forklog.com\/en\/news\/the-rot-in-russias-p2p-market\">P2P<\/a> platforms.<\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"874\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-49f0ec70c36a4564-1351587603507960-1024x874.png\" alt=\"How North Korean hackers launder funds compared with other cybercriminals\" class=\"wp-image-272060\" srcset=\"https:\/\/forklog.com\/wp-content\/uploads\/img-49f0ec70c36a4564-1351587603507960-1024x874.png 1024w, https:\/\/forklog.com\/wp-content\/uploads\/img-49f0ec70c36a4564-1351587603507960-300x256.png 300w, https:\/\/forklog.com\/wp-content\/uploads\/img-49f0ec70c36a4564-1351587603507960-768x655.png 768w, https:\/\/forklog.com\/wp-content\/uploads\/img-49f0ec70c36a4564-1351587603507960-1536x1310.png 1536w, https:\/\/forklog.com\/wp-content\/uploads\/img-49f0ec70c36a4564-1351587603507960.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Source: Chainalysis.<\/figcaption><\/figure>\n<p>North Korean hackers follow a well-rehearsed playbook that typically spans about 45 days:<\/p>\n<ol class=\"wp-block-list\">\n<li>Within the first five days, they rush assets through mixers and DeFi protocols to break links to the theft site.<\/li>\n<li>From the second week, funds are redistributed via <a href=\"https:\/\/forklog.com\/en\/news\/what-is-a-decentralised-exchange-dex\">DEX<\/a> and bridges to prepare for cash-out.<\/li>\n<li>Days 20\u201345: they use unregulated Chinese-language services and other platforms to convert to fiat.<\/li>\n<\/ol>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cNorth Korea continues to use cryptocurrency theft to fund state priorities and evade international sanctions. The industry must recognize that this actor plays by different rules than typical cybercriminals. The task for 2026 is to detect and prevent these highly efficient operations before DPRK actors inflict damage comparable to the Bybit incident,\u201d Chainalysis said.<\/em><\/p>\n<\/blockquote>\n<p>Mysten Labs cryptographer Kostas Chalkias <a href=\"https:\/\/forklog.com\/en\/news\/mysten-labs-ai-in-north-korean-hackers-hands-is-more-dangerous-than-quantum-computing\">believes<\/a> artificial intelligence in the hands of North Korean hackers is a more serious threat than quantum computers.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>From January to early December 2025, hackers stole more than $3.4bn in crypto, Chainalysis said.<\/p>\n","protected":false},"author":1,"featured_media":92402,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"Over $2bn was attributed to North Korean hackers","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[274,1154,1202],"class_list":["post-92401","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-chainalysis","tag-crimes","tag-north-korea-dprk"],"aioseo_notices":[],"amp_enabled":true,"views":"239","promo_type":"1","layout_type":"1","short_excerpt":"Over $2bn was attributed to North Korean hackers","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/92401","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=92401"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/92401\/revisions"}],"predecessor-version":[{"id":92403,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/92401\/revisions\/92403"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/92402"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=92401"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=92401"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=92401"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}