Crypto Hackers Stole $3.4B in 2025 as North Korea Dominates Attacks

Cryptocurrency hackers made off with $3.4 billion in 2025, pushing total stolen digital assets past $17 billion since 2020, according to a new security white paper from institutional custody provider Fireblocks.

The numbers paint a stark picture: North Korea‘s Lazarus Group now accounts for roughly three-quarters of all attacks on crypto platforms. Their operations average nearly five times the haul of other threat actors, with DPRK-linked hackers responsible for over $2 billion of last year’s losses alone.

Crime Goes Corporate

What‘s changed isn’t just the scale—it‘s the sophistication. These aren’t basement hackers anymore. Theyre running what amounts to criminal enterprises with business development teams, revenue targets, and customer service.

The emergence of “Drainer-as-a-Service” platforms has democratized crypto theft. Developers build turnkey wallet-draining kits and license them to non-technical affiliates on revenue-share deals. Think SaaS, but for stealing your tokens. These groups compete for market share like legitimate software companies.

Fireblocks identified three primary threat categories in their analysis: state-sponsored operations (primarily DPRK), commoditized crime-as-a-service offerings, and the perennial insider threat from employees and contractors with legitimate access.

Why Crypto Security Differs From Traditional IT

Here‘s the uncomfortable truth that makes digital asset security fundamentally different: attackers only need to win once. When a malicious transaction hits blockchain finality, those funds are gone. There’s no IT team restoring from backup, no insurance claim that makes you whole.

“Nearly all digital asset theft incidents stem from actions that were ‘technically authorized’ by weak policies,” the Fireblocks report states. A stolen credential combined with lax governance equals permanent loss.

The company, which claims to have secured over $10 trillion in digital asset transfers across 550 million wallets, advocates for what they call an “Assume Breach” architecture. Multiple independent security layers must protect funds even when individual components get compromised.

Practical Defense Layers

The white paper outlines several critical controls. A cryptographically enforced policy engine sits at the core—ensuring stolen credentials alone cant authorize transfers. Transaction clarity features decode complex smart contract interactions into readable actions, killing “blind signing” scenarios where approvers unknowingly authorize malicious unlimited token approvals.

This layered approach mirrors broader cybersecurity trends. Recent industry data shows identity misuse—stolen credentials and privilege abuse—factors into over 80% of ransomware operations. Backups, often considered the last line of defense, get compromised in 39% of incidents.

The timing of Fireblocks report coincides with heightened cyber pressure across sectors. Google flagged sustained attacks on defense industrial bases from Russia and China-linked actors this week, while the FCC urged communications providers to strengthen ransomware defenses.

What This Means for Institutions

For institutional players managing client funds, the message is clear: point solutions wont cut it against adversaries running professional operations. The Fireblocks framework suggests every identified threat vector should face at least three independent protection layers.

With the total crypto market cap sitting at $2.34 trillion, the $17 billion stolen since 2020 represents a meaningful percentage of industry value. As threats continue evolving, security architecture that assumes eventual compromise—rather than hoping to prevent it entirely—may be the only realistic approach.