North Korea-linked actors were responsible for roughly $2.06 billion in cryptocurrency theft in 2025, equal to about 60% of all reported losses that year, according to a CertiK analysis. The concentration of losses shows state-linked crypto theft becoming a dominant custody and counterparty-risk factor for exchanges, trading desks and institutional treasuries.
CertiK estimated total crypto theft in 2025 at about $3.4 billion, meaning North Korea-linked activity accounted for the majority of losses. Chainalysis produced a similar estimate of about $2.02 billion, placing North Korea’s cumulative crypto theft above $6.7 billion since 2016.
A Few Large Attacks Drove the 2025 Losses
The biggest driver was the February 2025 Bybit exploit, which caused roughly $1.46 billion in losses. That single incident accounted for most of the year’s North Korea-linked theft tally, underscoring how a small number of high-impact breaches can reshape annual loss figures.
CertiK described the actors’ methods as an “industrialized approach,” combining cyber operations with illicit finance techniques. The phrase captures a shift toward repeatable, high-value attack playbooks designed to extract large amounts from centralized services and move funds through complex laundering channels.
The 2025 pattern was defined by fewer but larger attacks, especially against centralized platforms. That raises the risk of concentrated counterparty exposure, where one custodian, exchange or service provider failure can affect liquidity and solvency assumptions across multiple firms.
Trading desks and corporate treasuries should therefore reassess custodial relationships, exchange exposure and concentration limits. The core operational lesson is not to treat large centralized venues as low-friction, low-risk infrastructure.
Custody and Sanctions Controls Move Up the Priority List
The trend continued into early 2026, with some datasets reporting about $577 million in additional related thefts year-to-date. Several 2026 protocol breaches also showed attackers remain active across both centralized and smart-contract surfaces.
When a single exploit concentrates hundreds of millions of dollars in stolen assets, the effect can extend beyond the victim. Liquidity can tighten, derivatives positioning can shift and funding rates or token-specific depth can deteriorate as markets digest the loss.
The response should include tighter counterparty due diligence, improved reconciliation processes and clearer withdrawal controls. Firms also need rapid freeze and coordination protocols with custodians, exchanges, stablecoin issuers and law-enforcement partners.
On-chain tracing and sanctions screening are now core controls for incoming flows. Institutions managing large token inventories should treat industrialized state-linked theft as a recurring operational risk, not as an exceptional event.
The pace of recovery will depend on security-firm monitoring, chain analytics and coordinated enforcement. Until stolen funds can be traced or neutralized more quickly, custody architecture and counterparty selection will remain front-line defenses against state-linked crypto theft.








