
Crypto Theft in 2025 Concentrated in Fewer, Larger Breaches

Chainalysis Data Shows Access-Driven Attacks Reshaping Risk

Hackers stole more than $3.4 billion in cryptocurrency during the year, with the losses concentrated in a small number of high-impact breaches.

Analysis by Chainalysis shows the compromise of Bybit by North Korean hackers resulted in roughly $1.5 billion in stolen funds, accounting for a significant share of total losses (see: Bybit Restores $1.4 Billion in Stolen Ether).

Andrew Fierman, head of national security intelligence at Chainalysis, said the number of major breaches represents a behavioral shift. "We are often aware of smaller or unreported attacks," he told Information Security Media Group. "But North Korea continues to target more complex, larger hacks, which, this year, the top three hacks accounted for 69% of confirmed breaches." North Korean nation-state hackers steal cryptocurrency to prop up their government and its program of developing weapons of destruction, and even to support the hacking operations themselves.

Hacks targeting centralized services occupy a narrow but consequential part of the attack landscape. Private key compromises are relatively infrequent, but Chainalysis says their impact is disproportionate. A single breach can dominate quarterly loss figures, reinforcing how access and privilege determine financial damage more than attack frequency.

The Bybit incident bumped up the annual hacking loss total, but Fierman said that removing it from calculations wouldn't fundamentally alter the threat assessment. "Removing Bybit lowers the total significantly, but the underlying threat is unchanged," he said. "We still observe sophisticated attacks against centralized services, and the risk remains high because one or two major compromises can shape an entire year."

Chainalysis reports that Pyongyang threat actors were responsible for the majority of high-value service compromises in 2025, achieving record theft volumes of at least $2.02 billion despite fewer confirmed incidents. The data suggests a focus on operations that provide deep, sustained access rather than repeated attempts to breach defenses.

North Korea "continues to develop a streamlined laundering workflow that includes mixers, DeFi protocols, bridges, no-KYC exchanges and Chinese-language money laundering networks," he said. The consistency demonstrates discipline and experience, but also creates points where coordinated disruption by exchanges, law enforcement and blockchain intelligence can be effective, he said.

Money laundering behaviors differ from those observed among other crypto criminals. North Korean hackers show a strong preference for Chinese-language money movement services, cross-chain infrastructure and select specialized platforms. Chainalysis interprets this as evidence of operational constraints and dependence on established regional networks, rather than experimentation with a broad range of services.

State-linked actors targeting platforms were responsible for the largest heists, but individual users are at risk of digital looting. Chainalysis estimates that personal wallet compromises accounted for a meaningful share of total theft in 2025, with the number of incidents and victims rising alongside broader crypto adoption. At the same time, the total value stolen from individual wallets declined from the previous year, indicating smaller losses per victim.

Victimization varies by network. Some blockchains experience higher theft rates relative to their active wallet base, while others see lower rates despite comparable user populations. Chainalysis attributes these differences to a combination of user behavior, popular applications and the maturity of criminal infrastructure tied to specific ecosystems, rather than underlying protocol design.

Security can be a competitive differentiator. "As exchange thefts become bigger and more high-profile, a robust security practice that includes tools to prevent breaches will become a competitive advantage, as customers will look to keep their funds on the most secure platforms," Fierman said.

Decentralized finance followed a different trajectory over the past 12 months. Despite a recovery in capital flowing back into DeFi protocols, hack-related losses did not correspondingly increase. That amounts to a notable departure from other years, when increases in total value locked were closely mirrored by increases in theft.

Fierman attributed the lower DeFi losses to multiple factors. "DeFi losses remained relatively low even as capital returned, which may reflect improved security among long-standing protocols," he said. "But recent incidents against Balancer and Yearn show that vulnerabilities persist. Attackers may also be prioritizing centralized services given the higher potential returns."

A security incident involving Venus Protocol in September illustrates how response capabilities in DeFi have evolved. After attackers gained initial access through a compromised endpoint, monitoring systems flagged suspicious activity before funds could be moved. The protocol was paused, transactions were reversed and the attacker ultimately failed to profit.

Chainalysis frames the incident as evidence of faster detection and coordinated response rather than the absence of attacks. The ability to interrupt and contain breaches, even after initial compromise, has altered the financial outcome of some DeFi incidents compared to earlier years, when successful attacks often resulted in permanent losses.


About the Author

Rashmi Ramesh

Senior Associate Editor, Global News Desk, ISMG

Ramesh has more than 10 years of experience writing and editing stories on finance, enterprise and consumer technology, and diversity and inclusion. She has previously worked at formerly News Corp-owned TechCircle, business daily The Economic Times and The New Indian Express.



