Average stolen value per victim was highest in the UAE and the United States in the first half of 2025, suggesting high-value targets or fewer but larger thefts in those regions.
One single hack (Bybit, ~$1.5 billion) accounted for a huge share of 2025 theft totals — illustrating how individual incidents can dominate statistics.
Top three hacks account for 69% of losses as outliers reach 1,000 times the median
Top Countries With High Victim Counts
In terms of victim counts and geographic reach, mid-2025 data show stolen crypto victims concentrated in:
- United States
- Germany
- Russia
- Canada
- Japan
- Indonesia
- South Korea
Eastern Europe / MENA regions saw rapid growth in theft rates.
Stolen fund activity has always been outlier-driven, with most hacks relatively small and some immense. But 2025 reveals a striking escalation: the ratio between the largest hack and the median of all incidents has crossed the 1,000x threshold for the first time. Funds stolen in the largest attacks are now 1,000 times larger than those stolen in the typical incident, surpassing even the 2021 bull market peak. These calculations are based on the USD values of funds stolen at the time of their theft.
According to Chainalysis, personal wallet compromises now account for 20% of all value stolen in 2025, down from 44% of the total in 2024, representing an evolution in both scale and pattern. Total theft incidents surged to 158,000 in 2025, nearly triple the 54,000 recorded in 2022. Unique victims increased from 40,000 in 2022 to at least 80,000 in 2025. These dramatic increases are likely due to greater crypto adoption. For example, Solana, one of the blockchains with the greatest number of active personal wallets, had by far the largest number of incidents (~26,500 victims).
Today at the United Nations, the United States joined other members of the Multilateral Sanctions Monitoring Team (MSMT) to highlight their recent report. First released in October, the report focuses on the Democratic People’s Republic of Korea’s (DPRK) violations and evasions of UN sanctions through illicit cyber and information technology worker activities.
This MSMT report finds that the DPRK routinely violates UN Security Council resolutions through malicious cyber and IT worker activities. These activities generate revenue for the DPRK’s unlawful weapons of mass destruction (WMD) and ballistic missile programs.
The MSMT report is an unprecedented effort that exposes DPRK sanctions violations, with 140 pages of previously non-public information from 11 UN member states participating in MSMT and nine private sector companies. The report is available at the MSMT website.
The DPRK continues to engage in malicious cyber operations. In the three months since the report’s release, the DPRK has stolen an additional $400 million in cryptocurrency, bringing the total stolen in 2025 to more than $2 billion.
DPRK cyber units target defense companies in North America, Europe, and Asia, and critical infrastructure worldwide to steal sensitive information and intellectual property for WMD and ballistic missile development.
The DPRK cyber program has reached a level of sophistication approaching that of China and Russia and poses a serious, pervasive threat to the United States and the international community.
The report identifies over 40 countries and territories that have either been targeted by or involved in DPRK’s malicious cyber activity and IT worker activities.
DPRK cyber actors have victimized the cryptocurrency industry, stealing at least $2.8 billion from Jan. 2024 – Sept. 2025 from cryptocurrency companies and customers all over the world, including in the United States, through over 40 cryptocurrency heists named in the MSMT report.
DPRK national and foreign facilitator networks in China, Russia, Cambodia, Vietnam, and the UAE assist in laundering and procurement.
The DPRK has IT workers operating in at least eight countries, including China, Russia, Laos, Cambodia, Equatorial Guinea, Guinea, Nigeria, and Tanzania.
Most known DPRK IT workers are based in China (1,000 – 1,500); plans exist to send up to 40,000 laborers, including IT workers, to Russia.
DPRK IT workers are increasingly engaged in malicious cyber activities including cryptocurrency theft and data extortion.
The DPRK regularly relies on Chinese infrastructure and financial institutions; at least 19 Chinese banks have been used to launder funds.
Over-the-counter traders in China are key to converting stolen cryptocurrency into fiat currency.
Compared to other stolen fund actors, the DPRK shows clear preferences for certain laundering touchpoints:
DPRK hackers tend to strongly prefer:
- Chinese-language money movement and guarantee services (+355% to +1000%+): Their most distinctive characteristic, showing heavy reliance on Chinese-language guarantee services and money laundering networks comprised of many different laundering operators that may have weaker compliance controls
- Bridge services (+97% difference): Heavy reliance on cross-chain bridges to move assets between blockchains and attempt to complicate tracing
- Mixing services (+100% difference): Greater use of mixing services to attempt to obscure the flow of funds
- Specialized services like Huione (+356%): Strategic use of specific services that facilitate their laundering operations
Other stolen fund actors tend to strongly prefer:
- Lending protocols (-80% difference): DPRK avoids these DeFi services, showing limited integration with the broader DeFi ecosystem
- No KYC exchanges (-75% difference): Surprisingly, other threat actors use KYC-free exchanges more than DPRK
- P2P exchanges (-64% difference): DPRK shows limited interest in peer-to-peer platforms
- Centralized exchanges (-25% difference): Other criminals display more direct interactions with conventional exchange platforms
- Decentralized exchanges (DEXs) (-42% difference): Other threat actors strongly prefer DEXs for their liquidity and pseudonymity
