Is crypto crime peaking or adapting?

In 2025, North Korea-linked hackers stole more than $2 billion in cryptocurrencies, more than any previous year on record, while global law enforcement recovered $439 million and arrested hundreds of money launderers in 40 countries in a single four-month operation.

The clash between record state-sponsored robberies and coordinated multilateral crackdowns raises a sharper question than whether crypto crime has gotten out of control: are attackers hitting a plateau, or are they learning how to route around all the new government checkpoints?

The answer will shape financial policy, bridge security budgets, and the viability of privacy-preserving infrastructure. If law enforcement is genuinely reducing illicit flows, the industry can rely on improved KYC, sanctions, and chain analysis to manage risk.

If instead attackers adapt by hopping chains, fragmenting cashouts, and exploiting jurisdictions with weak Travel Rule implementations, your defense stack will require architectural changes, not just more compliance.

New Heist Stack: AI and Bridge Exploits

The February 2025 Bybit breach defined the scale of the year. The FBI attributed the $1.5 billion theft to North Korea’s Lazarus group, also known as the TraderTraitor cluster, a multi-year spear-phishing and malware campaign targeting blockchain developers and operations teams.

The attackers delivered a Trojanized trading application through a supply chain compromise and used it to reach the hot wallet signing infrastructure.

TRM Labs documented the subsequent laundering: instant swaps to native assets, bridge hops to Bitcoin and Tron, and layered mixing across obscure protocols.

Chainalysis’s mid-year update shows service losses of more than $2.17 billion as of June 30, with the majority attributable to the Bybit theft.

Elliptic’s October briefing notes that North Korea-related actors alone have totaled more than $2 billion and that “the complexity of laundering is escalating in response to increased tracking.”

The Japanese National Police Agency and the U.S. Department of Defense Cyber Crime Center jointly linked the $308 million DMM Bitcoin loss at the end of 2024 to the same TraderTraitor infrastructure.

Japan’s Ministry of Foreign Affairs released a 2025 summary of 18 months of North Korean cybertheft techniques, laundering routes, and specific incidents, establishing attribution criteria that rely on malware families, infrastructure overlap, and on-chain heuristics confirmed by multiple intelligence agencies.

The attack surface is moving from exchange hot wallets to bridge and validator operations, where a single point of failure unlocks flows at scale.

Elliptic’s 2025 Cross-Chain Crime Report measured how often stolen assets now pass through three, five, and even 10 or more chains, making them difficult to trace.

Andrew Fierman, director of national security intelligence at Chainalysis, explained this evolution in a memo:

“North Korean launderers are constantly changing their laundering and evasion tactics mechanisms to avoid disruption.”

He added that mixers remain in the toolkit: Tornado Cash is once again seeing flows of North Korea-related funds after the Treasury Department removed its sanctions designation in March 2025 following a court setback. The mix of venues, however, continues to change.

After Blender and Sinbad were sanctioned, the tide shifted to cross-chain decentralized exchanges, USDT corridors, and over-the-counter brokers in Southeast Asia.

Interpol and its partners operate multilaterally

Enforcement expanded in 2025. Interpol’s Operation HAECHI VI, which ran from April to August, recovered $439 million across 40 countries, including $97 million in virtual assets.

The coordinated sting operation followed HAECHI V in 2024, which set records for arrests and seizures. Europol continued parallel actions against infrastructure laundering and cryptocurrency fraud networks throughout the year.

The Financial Action Task Force’s June 2025 update reports that implementation of the Travel Rule has reached 85 jurisdictions and that its guidance for supervisors enhances cross-border information sharing.

These are significant headwinds for cashout networks that relied on fragmented compliance regimes.

Sanctions and criminal cases now target not only hackers but also intermediaries. The Office of Foreign Assets Control’s July 2025 actions hit the income sources of North Korea’s IT workers, while the Justice Department indicted North Korean operatives on charges of cryptocurrency theft and money laundering and seized associated funds.

Prosecutors secured guilty pleas from the operators of Samourai Wallet, and Wasabi’s coordinator was shut down in 2024.

The result is fewer large, centralized laundering hubs and more fragmented cross-chain obfuscation.

Regarding the tactical response, Fierman said:

“Enhanced know-your-customer due diligence by exchanges could help disrupt mule accounts, mixer sanctions could ultimately drive actors to alternative platforms with potentially less liquidity to facilitate large-scale laundering, and stablecoin issuers’ ability to freeze assets at any point in the supply chain could all help disrupt North Korean laundering operations.”

North Korea as a virtual currency adversary

Attribution standards combine on-chain forensics with signals intelligence and malware analysis.

The FBI publicly confirmed Bybit’s attribution in February 2025, and multiple media outlets and Japan’s Ministry of Foreign Affairs consolidated evidence linking TraderTraitor to previous thefts.

Target selection is moving toward exchanges, bridges, and validator channels, where operational security failures yield the most value.

According to Chainalysis data, losses in 2025 were concentrated in service-level compromises rather than individual wallet compromises, reflecting attackers’ shift to high-leverage infrastructure targets.

Laundering patterns now routinely pass through USDT corridors and OTC exit ramps outside of highly regulated areas. A 2024 Reuters investigation tracked Lazarus-related flows into payment networks in Southeast Asia.

Chainalysis and Elliptic document a steady decline in direct exchange cashouts, from about 40% of fraudulent transfers in 2021-22 to about 15% by mid-2025, and a corresponding rise in complex multi-hop routing that blends decentralized exchange swaps, bridges, and cash-out networks.

Fierman explained jurisdictional arbitrage as follows:

“North Korea will seek to adjust its mechanisms, such as leveraging anything from large sources of liquidity for money laundering, such as the Huione Group, as seen recently, or leveraging over-the-counter traders in regions that are not willing to comply with regulatory requirements or have weaker regulations in their jurisdictions.”

Does enforcement dent or shift the flow?

The short-term answer is both. According to Chainalysis research, direct transfers from illicit entities to exchanges declined to around 15% in the second quarter of 2025, suggesting that screening, sanctions, and exchange cooperation are effective.

However, these actions push funds into tiered cross-chain hops and payment processors outside of the most stringent regimes.

FATF’s 2025 data shows that while the Travel Rule is in place in most major hubs, enforcement is uneven, and that unevenness is precisely where new laundering corridors form.

There is real friction on the adversary’s side. Interpol operations and state actions have frozen larger illicit balances, and private entities have publicized freezes and seizures, pointing to a broader risk-aversion trend that raises North Korea’s laundering costs.

Stablecoin issuers can freeze assets at any point in the supply chain, a power that concentrates risk with centralized issuers but increases the likelihood of recovery if exercised quickly. The question is whether friction builds up faster than an attacker can avoid it.

What should builders and financial managers do next?

Treat a North Korea-style intrusion as a business risk scenario, not a black swan.

The US TraderTraitor advisory provides practical mitigations, including hardening hiring pipelines and vendor access, requiring code-signature verification for tools, capping hot wallet balances, and automating withdrawal rate limits.

It also recommends rehearsing an incident playbook that includes immediate address screening, bridge-halt policies, and law enforcement escalation paths.

Casework shows that early freezes, rapid KYC-backed tracing, and exchange cooperation greatly increase the chances of recovery.

For treasury routes, apply an allowlist of pre-approved bridges and decentralized exchanges with documented business justification, and extend Travel Rule screening to treasury transfers so that tainted funds do not flow back in.

Chain analytics vendors are publishing new red-flag typologies for cross-chain laundering. Incorporating them into your monitoring lets alerts fire on bridge hops and native-asset pivots, not just traditional mixer tags.
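The guardrails the advisory and the playbook describe (a hot wallet cap, automated withdrawal rate limits, a bridge allowlist, destination screening, and a bridge-halt switch) can be expressed as one policy check in front of the signing path. The code below is an added example, not code from the article or from any vendor or advisory it cites; every address, bridge name, and threshold in it is constructed.

```python
"""Hot-wallet withdrawal guardrails (added example; all values constructed).
A single policy object decides whether a withdrawal may reach the signer and,
if not, names the failing control so the alert routes to the right runbook step.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class WithdrawalPolicy:
    max_per_tx: float        # largest single withdrawal (USD)
    window_cap: float        # total allowed inside the rolling window (USD)
    window_secs: int         # rolling window length in seconds
    hot_wallet_cap: float    # balance above this gets swept to cold storage
    approved_bridges: set    # constructed allowlist of bridge identifiers
    screened: set            # constructed set of sanctioned / flagged addresses
    halted: bool = False     # the playbook's bridge-halt kill switch
    _recent: deque = field(default_factory=deque)  # (timestamp, amount) pairs

    def check(self, now, amount, dest, via_bridge=None):
        """Return (allowed, reason). Checks run cheapest-and-hardest first."""
        if self.halted:
            return False, "halted"
        if dest in self.screened:
            return False, "screened_destination"
        if via_bridge is not None and via_bridge not in self.approved_bridges:
            return False, "unapproved_bridge"
        if amount > self.max_per_tx:
            return False, "per_tx_limit"
        # Expire entries that have aged out of the rolling window, then sum.
        while self._recent and now - self._recent[0][0] >= self.window_secs:
            self._recent.popleft()
        spent = sum(a for _, a in self._recent)
        if spent + amount > self.window_cap:
            return False, "velocity_limit"
        self._recent.append((now, amount))
        return True, "ok"

    def excess_to_cold(self, hot_balance):
        """Amount to sweep to cold storage so hot exposure stays under the cap."""
        return max(0.0, hot_balance - self.hot_wallet_cap)


if __name__ == "__main__":
    p = WithdrawalPolicy(100_000, 250_000, 3600, 1_000_000,
                         approved_bridges={"bridge:acme"}, screened={"0xbad"})
    print(p.check(0, 50_000, "0xcust1"))                         # (True, 'ok')
    print(p.check(10, 50_000, "0xbad"))                          # screened
    print(p.check(20, 100_000, "0xcust2", via_bridge="bridge:x"))  # unapproved
```

The `excess_to_cold` figure is what a sweep job moves out of the hot wallet, so a compromise of the signing path is bounded by the cap plus whatever the velocity limit allows inside one window.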

Philipp Zentner, founder of Li.Fi, argued that on-chain kill switches face a trade-off between centralization and responsiveness. He explained in his memo:

“A pure on-chain solution without a centralized actor is highly unlikely. Anything that is uncurated can be exploited, and anything that is too open can even be used by hackers themselves. By the time DEX aggregators and bridges are contacted about hackers, it is often already too late.”

He added that a centralized solution has a much better chance of success at this point. This candor reflects the reality that decentralized protocols lack the coordination layer needed to stop the propagation of stolen funds in real time without taking on the risks of human centralization.

Peaking or adapting?

The compounding picture is that the crackdown has raised the cost and complexity of laundering but has not deterred theft.

In 2025, North Korea-linked criminals stole more than in any previous year, but they are now forced to route funds through 10 chains, swap through obscure pairs, and rely on regional OTC brokers instead of cashing out directly at major exchanges.

While this is an advance for defenders, with detection heuristics, cluster analysis, and cross-border collaboration at work, it is also evidence that attackers are adapting faster than regulators can coordinate.

The test in 2026 will be whether the next round of enforcement, including tighter Travel Rule enforcement, more aggressive stablecoin freezes, and continued multilateral action, compresses the laundering envelope enough that sophisticated state actors face prohibitive friction, or whether North Korea pushes deeper into jurisdictions with weak oversight and keeps funding its operations through crypto theft.

The answer will determine whether the industry can rely on compliance as a core defense, or whether architectural changes are needed to strengthen bridges, limit exposure to hot wallets, and build better incident response coordination into the protocols themselves.
