
North Korea-Linked Crypto Thefts Top $2B In 2025, All-Time Haul Reaches $6.75B

North Korea-linked hackers just posted their biggest crypto theft year on record, turning 2025 into a warning that a handful of state-backed strikes can still overwhelm even well-funded defences.

Chainalysis said in a preview chapter of its 2026 Crypto Crime Report, published Thursday, that the industry lost more than $3.4B to theft from January through early December 2025, with the single February compromise of Bybit accounting for $1.5B of that.

Within that total, the Democratic People’s Republic of Korea (DPRK) remained the dominant threat actor by value. Chainalysis put DPRK-linked theft at least $2.02B in 2025, up 51% year-on-year, and said those attacks accounted for a record 76% of all losses from service compromises.

The lower-bound cumulative estimate for DPRK crypto theft now stands at $6.75B.

Image Source: Chainalysis

This jump came even as investigators assessed fewer confirmed incidents, a sign that a small number of hits now do more damage than a long list of smaller breaches.

Embedded IT Workers Enable High-Impact Breaches

Chainalysis said the top three hacks in 2025 made up 69% of all service losses, and the largest incident crossed 1,000 times the median theft for the first time.

One driver is access. Chainalysis said DPRK-linked actors increasingly embed IT workers inside crypto services to gain privileged access, then use that foothold to enable high-impact compromises across exchanges, custodians and Web3 firms.

The report also framed private key compromises as a recurring fault line for centralized platforms, where rare failures still dominate the loss tally when they happen.

1/ In the first preview chapter of our 2026 Crypto Crime Report, we look at how North Korean hackers stole $2.02B in crypto during 2025, a 51% increase from 2024, pushing their all-time total to $6.75B: https://t.co/B9l4x1g9VM

— Chainalysis (@chainalysis) December 18, 2025

Chainalysis said private key compromises drove 88% of losses in the first quarter of 2025, even at firms with institutional resources and professional security teams.

At the same time, the personal-wallet problem grew wider, even as the average hit got smaller.

South Korean Probe Links Solana Wallet Breach To DPRK Actors

South Korean officials and several cybersecurity firms believe the Nov. 2025 breach of Upbit’s Solana hot wallet was carried out by Lazarus, North Korea’s state-backed hacking group, in an attack that siphoned roughly 44.5 billion won, or about $30 to $36 million, in Solana-based tokens.

Chainalysis estimated theft incidents surged to 158,000 in 2025 with at least 80,000 victims, and said the total stolen from individuals fell to $713 million, suggesting attackers targeted more users for less per victim.

When DPRK-linked funds move, they often move with discipline. Chainalysis described a structured, multi-wave laundering pathway that typically unfolds over roughly 45 days after major hacks, starting with rapid layering, then integration through selected venues, and finishing with conversion-focused touchpoints.

It also flagged distinctive operational choices, including heavy use of Chinese-language money movement and guarantee services, plus strong reliance on bridges and mixing services, while showing less interest in lending protocols and P2P venues than other stolen-fund actors.

Even the on-chain “shape” looks different. Chainalysis said DPRK laundering concentrates slightly over 60% of volume in transfers below $500,000 each, while other actors more often move funds in $1M to $10M-plus tranches, a pattern it framed as a sign of sophisticated structuring.

The post North Korea-Linked Crypto Thefts Top $2B In 2025, All-Time Haul Reaches $6.75B appeared first on Cryptonews.


Whale Multisig Breached After Private Key Compromise Drains $27M

A crypto whale has watched a supposedly hardened multisig wallet turn into a single point of failure, after a private key compromise let an attacker siphon about $27.3M and start washing funds on-chain.

PeckShield flagged the incident in an X alert, observing on Thursday that “a whale’s Multisig was drained of ~$27.3M due to a private key compromise.”

On-chain traces shared by the security firm show the drainer routing a large chunk of the haul through Tornado Cash, a privacy mixer often used to break transaction links.

PeckShield said the attacker had already laundered about $12.6M, roughly 4,100 ETH, and still held around $2M in liquid assets.

#PeckShieldAlert A whale's Multisig was drained of ~$27.3M due to a private key compromise.

The drainer has laundered $12.6M (4,100 $ETH) via #TornadoCash and retains ~$2M in liquid assets.

The drainer also controls the victim's multisig, which maintains a leveraged long… pic.twitter.com/1Ulk4X7bkl

— PeckShieldAlert (@PeckShieldAlert) December 18, 2025

Multisig Control Turns Active Aave Position Into Live Risk

The breach also came with a live tail risk. PeckShield said the attacker now controls the victim’s multisig, which still holds a leveraged long on Aave, with about $25M in ETH supplied against roughly $12.3M in DAI borrowed.

That detail matters because multisig setups do not automatically protect funds if an attacker can meet the signing threshold, or if the wallet’s governance is effectively captured through compromised keys and approvals.

Once the attacker can sign, they can move fast, pull liquidity, and make recovery attempts far harder.
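The threshold point above is easy to state and easy to misjudge, so here is an added toy model (not code from PeckShield, the victim, or any wallet project) of an M-of-N wallet in which governance calls such as changing the threshold are ordinary transactions, as in Safe-style wallets. HMAC over a transaction digest stands in for ECDSA, the owner names and amounts are constructed, and the scenario (one stolen key plus one co-signer who approves a threshold change without reading it) is an illustration of how approvals can capture a multisig, not a reconstruction of how this particular wallet was compromised.

```python
import hashlib
import hmac


class MultisigWallet:
    """Minimal M-of-N model: a transaction executes once at least `threshold`
    distinct owners have produced a valid signature over its digest.
    Governance operations are normal transactions, so a blind-signed
    change_threshold captures the wallet just as surely as a stolen key does."""

    def __init__(self, owner_keys, threshold):
        self.owner_keys = dict(owner_keys)  # owner -> secret (toy stand-in for a private key)
        self.threshold = threshold
        self.balance = 0
        self.nonce = 0  # replay protection: every digest commits to the nonce

    def digest(self, tx):
        payload = "|".join(str(x) for x in (
            self.nonce, tx["op"], tx.get("to", ""), tx.get("amount", 0), tx.get("threshold", 0)))
        return hashlib.sha256(payload.encode()).hexdigest()

    def sign(self, owner, tx, key):
        # A compromised key signs exactly like the legitimate owner would.
        mac = hmac.new(key.encode(), self.digest(tx).encode(), hashlib.sha256).hexdigest()
        return owner, mac

    def execute(self, tx, sigs):
        d = self.digest(tx)
        valid = set()
        for owner, sig in sigs:
            key = self.owner_keys.get(owner)
            if key is None:
                continue  # not an owner: ignored rather than counted
            expected = hmac.new(key.encode(), d.encode(), hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, sig):
                valid.add(owner)
        if len(valid) < self.threshold:
            raise PermissionError(f"{len(valid)} valid signatures, need {self.threshold}")
        self.nonce += 1
        op = tx["op"]
        if op == "transfer":
            if tx["amount"] > self.balance:
                raise ValueError("insufficient balance")
            self.balance -= tx["amount"]
        elif op == "change_threshold":
            if not 1 <= tx["threshold"] <= len(self.owner_keys):
                raise ValueError("threshold out of range")
            self.threshold = tx["threshold"]
        else:
            raise ValueError(f"unknown op {op}")
        return True


def capture_scenario():
    """Constructed walk-through: 2-of-3 wallet, attacker holds alice's key only."""
    keys = {"alice": "k-alice", "bob": "k-bob", "carol": "k-carol"}
    w = MultisigWallet(keys, threshold=2)
    w.balance = 27_300_000  # constructed figure for the sample
    stolen = keys["alice"]

    # Step 1: one key alone cannot meet the 2-of-3 threshold.
    drain = {"op": "transfer", "to": "0xattacker", "amount": w.balance}
    try:
        w.execute(drain, [w.sign("alice", drain, stolen)])
        blocked = False
    except PermissionError:
        blocked = True

    # Step 2: a governance tx lowering the threshold to 1 is proposed; bob approves
    # the prompt without inspecting it, so the wallet's policy is now captured.
    lower = {"op": "change_threshold", "threshold": 1}
    w.execute(lower, [w.sign("alice", lower, stolen), w.sign("bob", lower, keys["bob"])])

    # Step 3: the stolen key is now sufficient on its own.
    drain = {"op": "transfer", "to": "0xattacker", "amount": w.balance}
    w.execute(drain, [w.sign("alice", drain, stolen)])
    return {"single_key_drain_blocked": blocked,
            "threshold_after": w.threshold,
            "balance_after": w.balance}


if __name__ == "__main__":
    print(capture_scenario())
```

The defensive takeaway the model makes concrete: the threshold only protects funds while the threshold itself is out of reach, so governance operations deserve a stricter review path (a separate, higher quorum or a timelock) than routine transfers.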

Live Positions Turn Key Theft Into Cascading Risk

On-chain data shows repeated outflows to Tornado Cash in round lots, the sort of pattern analysts associate with systematic laundering rather than a one-off panic exit.

The traces also show the attacker interacting with contracts tied to ownership and control, suggesting the compromise extended beyond a single transfer.
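Round-lot mixer deposits are one of the few laundering signals that can be checked mechanically. The following is an added example, not PeckShield's or Chainalysis's tooling, that runs two heuristics over a constructed set of transfers: it flags senders that make repeated exact-denomination deposits to a mixer (the Tornado Cash ETH pools accept 0.1, 1, 10 and 100 ETH), and it computes the share of volume carried by sub-$500,000 transfers, the structuring metric the DPRK section above describes. The mixer address, the ETH price and every transfer in the sample are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

MIXER = "0xmixer"                       # hypothetical label for the mixer contract
ROUND_LOTS_ETH = (0.1, 1.0, 10.0, 100.0)  # Tornado Cash ETH pool denominations
ETH_USD = 3000.0                        # assumed price for the sample, not a live quote


@dataclass(frozen=True)
class Transfer:
    tx: str
    sender: str
    recipient: str
    eth: float


# Constructed sample traces; not the actual on-chain data from the incident.
SAMPLE = [
    Transfer("t1", "0xdrainer", MIXER, 100.0),
    Transfer("t2", "0xdrainer", MIXER, 100.0),
    Transfer("t3", "0xdrainer", MIXER, 100.0),
    Transfer("t4", "0xdrainer", MIXER, 10.0),
    Transfer("t5", "0xdrainer", "0xdex", 37.42),  # odd size, not a mixer deposit
    Transfer("t6", "0xother", MIXER, 100.0),      # one lot only: below the repeat bar
    Transfer("t7", "0xother", "0xcex", 250.0),
]


def is_round_lot(eth, lots=ROUND_LOTS_ETH, tol=1e-9):
    """True when the amount matches a pool denomination exactly (within float noise)."""
    return any(abs(eth - lot) <= tol for lot in lots)


def mixer_round_lot_senders(transfers, mixer=MIXER, min_lots=3):
    """Return {sender: (lot_count, total_eth)} for senders with at least
    `min_lots` exact-denomination deposits into the mixer."""
    stats = defaultdict(lambda: [0, 0.0])
    for t in transfers:
        if t.recipient == mixer and is_round_lot(t.eth):
            stats[t.sender][0] += 1
            stats[t.sender][1] += t.eth
    return {s: (n, total) for s, (n, total) in stats.items() if n >= min_lots}


def share_below(transfers, usd_cap=500_000.0, eth_usd=ETH_USD):
    """Fraction of total USD volume carried by transfers below `usd_cap` each."""
    total = sum(t.eth * eth_usd for t in transfers)
    small = sum(t.eth * eth_usd for t in transfers if t.eth * eth_usd < usd_cap)
    return small / total if total else 0.0


if __name__ == "__main__":
    print(mixer_round_lot_senders(SAMPLE))   # {'0xdrainer': (4, 310.0)}
    print(round(share_below(SAMPLE), 3))     # 0.642
```

On real data the same functions run over transfer logs pulled from a node or an indexer; the `min_lots` bar and the denomination list are the only parameters to tune, and both are worth keeping conservative because a single round-lot deposit is common among ordinary privacy-seeking users.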

Teams can distribute signing keys across several people and still lose them to phishing, malware, SIM swaps, unsafe backups, or rushed approvals of malicious transaction prompts.

The incident also points to a second-order risk specific to DeFi power users: the wallet is not just a vault but a control plane for live positions. Once an attacker controls the collateral, borrow lines and health factor behind a position, the damage can cascade well beyond the initial drain.
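To make the cascade concrete, here is an added worked example (not from PeckShield or Aave) that applies the Aave-style health factor to the position described above, $25M of ETH supplied against $12.3M of DAI borrowed, and enumerates what an attacker holding the signing keys can extract without triggering liquidation. The liquidation threshold of 0.83 and the loan-to-value cap of 0.80 are assumed illustrative values for the ETH collateral, not parameters read from the protocol.

```python
def health_factor(collateral_usd, debt_usd, liq_threshold):
    """Aave-style health factor: collateral * liquidation threshold / debt.
    Below 1.0 the position can be liquidated."""
    if debt_usd == 0:
        return float("inf")
    return collateral_usd * liq_threshold / debt_usd


def max_withdrawable(collateral_usd, debt_usd, liq_threshold, target_hf=1.0):
    """Collateral that can be pulled while keeping the health factor >= target_hf."""
    needed = debt_usd * target_hf / liq_threshold
    return max(0.0, collateral_usd - needed)


def max_extra_borrow(collateral_usd, debt_usd, ltv):
    """Additional debt that can be opened against the current collateral at the LTV cap."""
    return max(0.0, collateral_usd * ltv - debt_usd)


def liquidation_price_drop(collateral_usd, debt_usd, liq_threshold):
    """Fractional fall in collateral price that pushes the health factor to 1.0."""
    if debt_usd == 0:
        return 1.0
    return max(0.0, 1.0 - debt_usd / (liq_threshold * collateral_usd))


def drain_paths(collateral_usd, debt_usd, liq_threshold, ltv):
    """Three ways key control turns into extractable value from a live position."""
    return {
        "health_factor": health_factor(collateral_usd, debt_usd, liq_threshold),
        # 1. withdraw collateral down to the liquidation line
        "withdraw_collateral": max_withdrawable(collateral_usd, debt_usd, liq_threshold),
        # 2. borrow more stablecoins against the collateral that is already there
        "borrow_more": max_extra_borrow(collateral_usd, debt_usd, ltv),
        # 3. repay the debt (if the attacker holds the stablecoins) and take all equity
        "repay_and_close": collateral_usd - debt_usd,
        # how far ETH could fall before the original position was liquidatable
        "drop_to_liquidation": liquidation_price_drop(collateral_usd, debt_usd, liq_threshold),
    }


if __name__ == "__main__":
    # Figures from the article; LT and LTV are assumed for illustration.
    paths = drain_paths(25_000_000, 12_300_000, liq_threshold=0.83, ltv=0.80)
    for name, value in paths.items():
        print(f"{name:>22}: {value:,.2f}")
```

The result is the cascade the text describes: withdrawing the maximum collateral leaves the position exactly at a health factor of 1.0, so any further dip in ETH liquidates the remainder and the liquidation penalty lands on the victim, while the attacker has already walked away with roughly $10M of collateral or an extra $7.7M of borrowed DAI on top of the initial drain.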

The post Whale Multisig Breached After Private Key Compromise Drains $27M appeared first on Cryptonews.
