North Korea-linked hackers stole more than $2 billion in cryptocurrency in 2025, surpassing every prior year on record, while global law enforcement recovered $439 million and arrested hundreds of money launderers across 40 countries in a single four-month operation.
The collision of record state-sponsored heists and coordinated multilateral enforcement raises a sharper question than whether crypto crime is out of control: are attackers hitting a ceiling, or are they learning to route around every new checkpoint governments deploy?
The answer shapes treasury policies, bridge security budgets, and the viability of privacy-preserving infrastructure. If enforcement dents illicit flows, the industry can rely on improved KYC, sanctions, and chain analytics to manage risk.
Suppose attackers adapt by hopping chains, fragmenting cash-outs, and exploiting jurisdictions with weak adoption of the travel rule. In that case, the defensive stack needs architectural changes, not just better compliance theater.
The new heist stack: AI plus bridge exploits
The February 2025 Bybit breach set the scale for the year. The FBI attributed the $1.5 billion theft to North Korea’s Lazarus Group, also known as the TraderTraitor cluster, a multi-year spear-phishing and malware campaign targeting blockchain developers and operations teams.
The attackers delivered trojanized trading applications through supply-chain compromises, gaining access to hot-wallet signing infrastructure.
TRM Labs documented the subsequent laundering: immediate swaps into native assets, bridge hops to Bitcoin and Tron, then layered mixing across obscure protocols.
Chainalysis’ mid-year update confirmed service losses of over $2.17 billion by June 30, with the Bybit theft accounting for the majority.
Elliptic’s October brief raised the total to over $2 billion attributed to DPRK-linked actors alone, noting “escalating laundering complexity in response to better tracing.”
The Japan National Police Agency and the US Department of Defense Cyber Crime Center jointly tied the $308 million DMM Bitcoin loss to the same TraderTraitor infrastructure in late 2024.
Japan’s Foreign Ministry published a 2025 compendium consolidating DPRK cyber-theft methods, laundering routes, and specific incidents over 18 months, establishing attribution standards that rely on malware families, infrastructure overlaps, and on-chain heuristics confirmed by multiple intelligence agencies.
The attack surface has shifted from exchange hot wallets to bridges and validator operations, where single-point failures unlock massive flows.
Elliptic’s 2025 cross-chain crime report measured how often stolen assets now traverse more than three, five, or even ten chains to frustrate tracing.
Andrew Fierman, head of national security intelligence at Chainalysis, described the evolution in a note:
“DPRK launderers are perpetually changing mechanisms for laundering and evasion tactics to avoid disruption.”
He added that mixers remain in the toolkit, as Tornado Cash saw renewed DPRK-linked flows after the Treasury withdrew its sanctions designation in March 2025, following court setbacks. However, the venue mix continues to shift.
After Blender and Sinbad were sanctioned, flows moved to cross-chain decentralized exchanges, USDT corridors, and over-the-counter brokers in Southeast Asia.
Interpol and friends go multilateral
Enforcement scaled in 2025. Interpol’s Operation HAECHI VI, which ran from April to August, recovered $439 million across 40 countries, including $97 million in virtual assets.
The coordinated sting followed 2024’s HAECHI V, which set records for arrests and seizures. Europol continued parallel actions against laundering infrastructure and crypto-fraud networks throughout the year.
The Financial Action Task Force’s June 2025 update revealed that the implementation of the travel rule had risen to 85 jurisdictions, with guidance for supervisors tightening cross-border information sharing.
These are material headwinds for cash-out networks that relied on fragmented compliance regimes.
Sanctions and criminal cases now target facilitators as much as hackers. The Office of Foreign Assets Control’s July 2025 actions hit DPRK IT-worker revenue chains, while Department of Justice indictments and forfeitures charged North Korean operatives with crypto theft and laundering.
Prosecutors forced guilty pleas from Samourai Wallet operators, and Wasabi’s coordinator shut down in 2024.
The result is fewer large, centralized laundering hubs and more fragmented, cross-chain obfuscation.
Fierman noted the tactical response:
“Increased Know Your Customer due diligence by exchanges can help disrupt mule accounts, sanctioning of mixers ultimately has driven actors to alternative platforms, which may have less liquidity to facilitate large-scale laundering, and stablecoin issuers’ ability to freeze assets at any point in the supply chain all help disrupt DPRK laundering efforts.”
DPRK as a crypto adversary
Attribution standards combine on-chain forensics with signals intelligence and malware analysis.
The FBI publicly confirmed Bybit’s attribution in February 2025, while multiple outlets and Japan’s foreign ministry consolidated evidence linking TraderTraitor to prior thefts.
Target selection has shifted toward exchanges, bridges, and validator pathways, where operational security failures unlock the maximum value.
Chainalysis data shows that 2025 losses were concentrated in service-level breaches rather than individual wallet compromises, reflecting an attackers’ shift toward high-leverage infrastructure targets.
Laundering patterns now regularly route through USDT corridors and OTC off-ramps outside strict regulatory zones. A 2024 Reuters investigation traced Lazarus-linked flows into a Southeast Asian payments network.
Chainalysis and Elliptic document a steady decline in direct exchange cash-outs, from roughly 40% of illicit transfers in 2021-22 to about 15% by mid-2025, and a corresponding rise in complex, multi-hop routing that blends decentralized-exchange swaps, bridges, and cashier networks.
Fierman described the jurisdictional arbitrage:
“DPRK will seek to adjust mechanisms, as recently seen, using everything from large sources of liquidity for laundering, like Huione Group, or leveraging regional over-the-counter traders that either may not be seeking to comply with regulatory requirements, or have lax regulation in their operating jurisdictions.”
Does enforcement dent flows or relocate them?
The near-term answer is both. Chainalysis finds that direct transfers from illicit entities to exchanges fell to roughly 15% in the second quarter of 2025, implying that screening, sanctions, and exchange cooperation are effective.
Yet, these actions push cash out toward layered cross-chain hops and payment processors outside the strictest regimes.
The FATF’s 2025 data shows that travel rule laws are on the books in most major hubs, but uneven enforcement, and that unevenness is precisely where new laundering corridors form.
There are real frictions on the adversary side. Interpol’s operations and national actions freeze larger slices of illicit balances, and private actors publicize freezes and seizures, underscoring a broader de-risking trend that raises DPRK’s laundering costs.
Stablecoin issuers can freeze assets at any point in the supply chain, a power that concentrates risk in centralized issuers but improves recovery odds when exercised quickly. The question is whether that friction accumulates faster than attackers can route around it.
What builders and treasurers should do next
Treat DPRK-style intrusions as a business-risk scenario, not a black swan.
US TraderTraitor advisories provide practical mitigations, including hardening hiring pipelines and vendor access, requiring code-signing verification for tools, constraining hot-wallet budgets, and automating withdrawal velocity limits.
Additionally, rehearsing incident playbooks that include immediate address screening, bridge-halt policies, and law enforcement escalation paths is also recommended.
The casework indicates that early freezes, rapid KYC-enabled tracing, and exchange cooperation significantly increase the odds of recovery.
For capital routes, apply pre-approved bridge and decentralized-exchange allowlists with business justification, and extend travel-rule-ready screening to treasury movements to avoid taint backflow.
Chain analytics vendors publish fresh red-flag typologies for cross-chain laundering: bake those into monitoring so alerts tune in for bridge hops and native-asset pivots, not just legacy mixer tags.
Philipp Zentner, founder of Li.Fi, argued that on-chain kill switches face a centralization-versus-responsiveness tradeoff. In a note, he explained:
“A pure on-chain solution without a centralized actor is very unlikely to be achievable. Anything that is not curated can be misused, and anything that is too open could also be used by the hacker themselves. When DEX aggregators and bridges are getting contacted about a hacker, it’s often already too late.”
He added that a centralized solution is much more likely to succeed as of today. That candor reflects the reality that decentralized protocols lack the coordination layer necessary to halt the propagation of theft in real-time without introducing the risk of human-driven centralization.
Peaking or adapting
The composite picture is that enforcement raised the cost and complexity of laundering, but didn’t stop the thefts.
DPRK-linked actors stole more in 2025 than in any prior year, yet they’re now forced to route through ten chains, convert through obscure pairs, and rely on regional OTC brokers instead of cashing out directly at major exchanges.
That’s progress for defenders, detection heuristics, cluster analysis, and cross-border cooperation are working, but it’s also proof that attackers adapt faster than regulators harmonize.
The 2026 test will be whether the next round of enforcement with tighter travel rule implementation, more aggressive stablecoin freezes, and continued multilateral actions compresses the laundering window enough that sophisticated state actors face prohibitive friction.
Or, alternatively, whether they route deeper into jurisdictions with weak supervision and continue to fund operations through crypto theft.
The answer will determine whether the industry can rely on compliance as a core defense or needs architectural changes that harden bridges, limit hot wallet exposure, and build better incident-response coordination into protocols themselves.
