N Korea ‘Behind’ Over Half of 2025’s $2.7bn Crypto Theft: Report

 

North Korea-linked hackers were responsible for more than half of the more than $2.7 billion stolen in cryptocurrency hacks in 2025, as the country’s cyber operators increasingly targeted the operational infrastructure of major exchanges and outsourced the “cash-out” stage to a network of Chinese underground brokers, blockchain intelligence firm TRM Labs said.

TRM said the biggest losses in 2023–2025 were increasingly tied to “infrastructure attacks” such as hot-wallet and key compromises, multi-signature signer compromises and front-end or third-party takeovers, rather than smart-contract bugs or novel protocol exploits.

The shift reflects a move “upstream” from decentralized finance bridges toward centralized exchanges and custodial service providers, where single points of failure can yield nine-figure thefts, TRM said.

It attributed several marquee 2023 hacks, including those on Atomic Wallet, CoinsPaid, Alphapo, Stake.com and CoinEx, as well as subsequent centralized-exchange “mega-heists”, to North Korea, arguing that these custodial targets are more exposed to social engineering and web2 supply-chain abuse than on-chain protocols are.

In 2021–2022, North Korea’s playbook focused on cross-chain bridges such as Ronin and Horizon by compromising centralized “trust points” like validators holding keys, TRM said.

By 2023, the focus widened to service providers, with initial access often gained via fake recruiters, LinkedIn credential theft or “coding tests” delivering malware that harvests developer credentials and cloud tokens.

TRM said it observed similar access pathways in the Bybit and DMM Bitcoin compromises, reinforcing what it calls a “code to custody” risk: compromised developer environments can become the shortest route to exchange-level keys and withdrawal authorization systems.

The most consequential evolution, TRM said, has been in laundering.

After sanctions designations against mixers such as Tornado Cash and later Sinbad, laundering “fragmented” into chain-hopping, bridges, gambling platforms, and rebranded services, before moving off-chain into what investigators describe as a “Chinese Laundromat” of OTC brokers, underground bankers and trade-based laundering intermediaries.

Stablecoins, especially USDT on Tron, have become a preferred intermediary for off-ramping, TRM said, with professional money-laundering organizations buying hacked crypto at a discount and settling off-chain in yuan, goods or payments to front companies.

For exchanges, TRM said, cyber defense and anti-money-laundering controls are converging: following stolen funds now requires monitoring across multiple chains and detection based on laundering typologies (recognizable patterns of behavior such as fan-out, chain-hopping and stablecoin off-ramping) rather than static address blocklists alone.
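To make the difference between a static blocklist and typology-based, multi-chain detection concrete, here is an added worked example; it is not code from the article or from TRM Labs. It runs over a small constructed ledger of transfers with placeholder addresses (no real transactions), links a bridge deposit on one chain to its withdrawal on another through an assumed `bridge_ref` field, and uses an assumed label set marking one address as an OTC broker. The thresholds (fan-out of three or more destinations, a one-hour bridge window) are illustrative assumptions, not figures from the report.

```python
"""Static blocklist screening versus taint-tracing with laundering typologies.
Constructed example: all addresses, amounts and timestamps are placeholders."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transfer:
    chain: str
    ts: int                      # constructed timestamp, seconds
    src: str
    dst: str
    asset: str
    amount: float
    bridge_ref: Optional[str] = None   # assumed field pairing a bridge deposit with its withdrawal


# Constructed sample ledger: theft, three-way split, one leg bridged to Tron as USDT, then to a broker.
SAMPLE = [
    Transfer("ethereum", 1000, "hot_wallet_A", "thief_1", "ETH", 1000.0),
    Transfer("ethereum", 1300, "thief_1", "thief_2", "ETH", 400.0),
    Transfer("ethereum", 1320, "thief_1", "thief_3", "ETH", 300.0),
    Transfer("ethereum", 1340, "thief_1", "thief_4", "ETH", 300.0),
    Transfer("ethereum", 1500, "thief_2", "bridge_eth", "ETH", 400.0, bridge_ref="b1"),
    Transfer("tron", 1800, "bridge_tron", "thief_5", "USDT", 900000.0, bridge_ref="b1"),
    Transfer("tron", 2000, "thief_5", "otc_desk_X", "USDT", 900000.0),
    Transfer("ethereum", 5000, "unrelated_1", "unrelated_2", "ETH", 5.0),
]
BLOCKLIST = {"thief_1"}                     # the only address an analyst has listed so far
LABELS = {"otc_desk_X": "otc_broker"}       # assumed attribution data, stands in for a label set


def blocklist_hits(transfers, blocklist):
    """Static screening: flags only transfers that directly touch a listed address."""
    return [t for t in transfers if t.src in blocklist or t.dst in blocklist]


def trace_taint(transfers, seeds):
    """Follow outflows from the seed addresses, crossing bridges via bridge_ref.
    Returns (tainted addresses, tainted transfers in discovery order)."""
    by_src = defaultdict(list)
    legs = defaultdict(list)
    for t in transfers:
        by_src[t.src].append(t)
        if t.bridge_ref:
            legs[t.bridge_ref].append(t)
    # Earlier leg of a pair is the deposit, later leg the withdrawal on the other chain.
    pairs = {ref: sorted(ls, key=lambda x: x.ts) for ref, ls in legs.items() if len(ls) == 2}

    addrs, tainted, seen_addr, queue = set(seeds), [], set(), list(seeds)
    while queue:
        a = queue.pop()
        if a in seen_addr:
            continue
        seen_addr.add(a)
        for t in by_src.get(a, []):
            if t not in tainted:
                tainted.append(t)
            addrs.add(t.dst)
            queue.append(t.dst)
            pair = pairs.get(t.bridge_ref)
            if pair and t == pair[0]:            # deposit leg: taint the withdrawal on the far chain
                wd = pair[1]
                if wd not in tainted:
                    tainted.append(wd)
                addrs.add(wd.dst)
                queue.append(wd.dst)
    return addrs, tainted


def detect_typologies(tainted, labels, fanout_min=3, hop_window=3600):
    """Pattern rules over the tainted flow: fan-out, chain-hop, stablecoin off-ramp."""
    findings = []
    outs = defaultdict(set)
    for t in tainted:
        outs[t.src].add(t.dst)
    for src, dsts in outs.items():
        if len(dsts) >= fanout_min:
            findings.append(("fan_out", src, len(dsts)))
    by_ref = defaultdict(list)
    for t in tainted:
        if t.bridge_ref:
            by_ref[t.bridge_ref].append(t)
    for ref, ls in by_ref.items():
        ls.sort(key=lambda x: x.ts)
        if len(ls) == 2 and ls[0].chain != ls[1].chain and ls[1].ts - ls[0].ts <= hop_window:
            findings.append(("chain_hop", f"{ls[0].chain}->{ls[1].chain}", ref))
    for t in tainted:
        if t.asset == "USDT" and labels.get(t.dst) == "otc_broker":
            findings.append(("stablecoin_offramp", t.dst, t.amount))
    return findings


if __name__ == "__main__":
    print("blocklist hits:", [(t.chain, t.src, t.dst) for t in blocklist_hits(SAMPLE, BLOCKLIST)])
    addrs, tainted = trace_taint(SAMPLE, BLOCKLIST)
    print("tainted addresses:", sorted(addrs))
    for f in detect_typologies(tainted, LABELS):
        print("finding:", f)
```

The blocklist check never leaves Ethereum: it sees the three-way split but nothing after the bridge, so the USDT leg on Tron and the broker payout are invisible to it. The taint trace follows the funds across the bridge, and the typology rules then surface the behaviours the report describes without any of the downstream addresses having been listed in advance.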


