North Korea's cyber pirates reached a devastating milestone in 2025: US$2 billion stolen, marking a new era of cybercrime.
North Korea-backed hackers closed 2025 with their largest recorded cryptocurrency haul ever. The figure is not just a number: US$2 billion in thefts represents a 51% jump over 2024, bringing the Democratic People’s Republic of Korea’s total accumulated amount to US$6.750 billion. According to the latest Chainalysis report, this marks a critical evolution in the global cyber threat landscape.
What makes these figures especially alarming is not just the magnitude but the underlying pattern: fewer attacks, but exponentially more destructive.
The shift towards catastrophic-scale attacks
In previous years, cybercriminals diversified their targets. They aimed at multiple small and medium-sized targets in search of volume. North Korean actors played a completely different game in 2025.
They were responsible for 76% of all breaches targeting enterprise-level services, the highest percentage on record. This means that virtually every major breach of centralized crypto services bore the digital signature of Pyongyang. While other criminal groups opt for quantity, these actors have the resources, expertise, and patience to launch few but monumental operations.
The change is strategic. A massive attack on a large platform generates geopolitical impact, creates regulatory pressure, and paralyzes markets. North Korea’s cybercrime economy has become industrialized.
Sophisticated money-making machines: how laundering operations work
After the theft comes conversion, and this is where North Korea’s operational sophistication becomes visible.
Unlike other criminals who make large, easily traceable transfers on-chain, these actors fragment their movements into careful portions, typically below US$500,000. It’s a game of patience: multiple small transactions instead of one large, obvious one.
Wallets linked to North Korea show a notable dependence on three specific channels:
Chinese exchange services – Regional platforms that serve as local entry points
Decentralized bridges and mixing services – Technical tools that break fund traceability
Regional guarantors and brokers – Intermediaries that facilitate cash conversion
Note what they do not use: DeFi protocols, decentralized exchanges, peer-to-peer platforms. The reason is clear: structural limitations and a reliance on specific regional facilitators rather than access to the full global financial infrastructure.
Chainalysis’s temporal analysis reveals a surprising pattern: large thefts follow a laundering window of approximately 45 days. During this period, funds pass through different phases, from immediate obfuscation to final integration. Although not universal, the consistency of this timeline across multiple operations suggests highly standardized processes.
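The two observations above (transfers kept below US$500,000 and a laundering window of roughly 45 days) can be combined into a monitoring rule for compliance teams. The Python below is an added example, not code from Chainalysis or the original article; the minimum chunk count, the minimum aggregate value, and all wallet labels and amounts are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

CHUNK_CEILING_USD = 500_000   # from the article: transfers "typically below US$500,000"
WINDOW_DAYS = 45              # from the article: approximate laundering window
MIN_CHUNKS = 5                # assumption: sub-ceiling transfers needed to call it structuring
MIN_TOTAL_USD = 2_000_000     # assumption: aggregate value worth an analyst's time

def structuring_alerts(incident_time, transfers):
    """Flag wallets that move funds in many sub-ceiling chunks inside the window.

    transfers: iterable of (timestamp, source_wallet, amount_usd) for outflows
    from wallets already attributed to the incident.
    """
    deadline = incident_time + timedelta(days=WINDOW_DAYS)
    chunks_by_wallet = {}
    for ts, wallet, amount in transfers:
        if not incident_time <= ts <= deadline:
            continue  # outside the interception window
        if amount >= CHUNK_CEILING_USD:
            continue  # single large transfers are left to ordinary threshold rules
        chunks_by_wallet.setdefault(wallet, []).append((ts, amount))

    alerts = []
    for wallet, chunks in sorted(chunks_by_wallet.items()):
        total = sum(amount for _, amount in chunks)
        if len(chunks) >= MIN_CHUNKS and total >= MIN_TOTAL_USD:
            last_seen = max(ts for ts, _ in chunks)
            alerts.append({"wallet": wallet, "chunks": len(chunks), "total_usd": total,
                           "days_left": (deadline - last_seen).days})
    return alerts

# Constructed sample data; wallet labels and amounts are invented for illustration.
INCIDENT = datetime(2025, 1, 1)
def _day(n): return INCIDENT + timedelta(days=n)
SAMPLE_TRANSFERS = (
    [(_day(d), "wallet_A", 450_000) for d in (1, 3, 5, 8, 12, 20)]        # structured: flagged
    + [(_day(2), "wallet_B", 3_000_000)]                                  # one large transfer
    + [(_day(d), "wallet_C", 400_000) for d in (50, 51, 52, 53, 54, 55)]  # after the window
    + [(_day(d), "wallet_D", 480_000) for d in (4, 6, 9)]                 # too few chunks
)

if __name__ == "__main__":
    for alert in structuring_alerts(INCIDENT, SAMPLE_TRANSFERS):
        print(alert)
```

The `days_left` field reports how much of the 45-day window remains after the most recent flagged transfer, which is the time available for a freeze request.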
Artificial intelligence as a cybercrime superpower
How does North Korea execute this scale of operations with such precision? The answer, according to Andrew Fierman, head of national security intelligence at Chainalysis, points to a key factor: artificial intelligence.
“North Korea facilitates cryptocurrency laundering with a consistency and fluidity indicative of AI use,” he explained. The laundering mechanism structures funds through mixers, bridges, and protocols from the initial stages, creating a workflow that combines multiple conversion tools.
“To achieve this level of efficiency in stealing such large volumes, North Korea needs a massive laundering network along with optimized mechanisms, which likely manifest in the use of AI.”
This is not technological paranoia. It is an observation about operational infrastructure: the speed of conversion, the accuracy of amounts, temporal consistency, and operational security sophistication align with intelligent automation.
A polarized cyber threat landscape
Meanwhile, the rest of the crypto criminal landscape shows an interesting contrast. Individual wallet compromises accounted for only 20% of the total stolen value in 2025, down from 44% in 2024. Although the number of incidents against individual users increased to 158,000, the average value per victim fell 52% to a total of US$713 million.
Translation: attackers are targeting more people but stealing less from each.
North Korea is at the opposite end of the spectrum: rare but massive, catastrophic thefts. Most groups operate where there is a high volume of small targets. North Korean actors operate where the impact is maximized.
What this means for the future
As 2025 closes and we move into 2026, North Korea’s efforts in crypto hacking show no signs of slowing down. Data suggest an increasingly polarized threat environment: low-value thefts from individuals on one end, rare but devastating breaches at the service level on the other, with North Korea firmly at the center of the latter.
For compliance and law enforcement teams, these findings offer a practical lead: the 45-day laundering window provides a time-limited opportunity to intercept funds before their final conversion. But it requires rapid coordination among platforms, jurisdictions, and specialized analysts.
For cryptocurrency platforms, the message is clear: when the attacker is a nation-state with industrial cybersecurity resources and access to artificial intelligence, conventional defenses may not be enough.