The first half of 2025 has witnessed unprecedented levels of cryptocurrency theft, with over $2.17 billion stolen from crypto services—already approaching 2024’s total losses, according to the latest Chainalysis Report. This surge is largely attributed to the DPRK $1.5 billion ByBit hack, the largest single cryptocurrency theft in history.
Key findings
Stolen funds
With over $2.17 billion stolen from cryptocurrency services so far in 2025, this year is more devastating than the entirety of 2024. The DPRK’s $1.5 billion hack of ByBit, the largest single hack in crypto history, accounts for the majority of service losses.
By the end of June 2025, 17% more value had been stolen year-to-date (YTD) than in 2022, previously the worst year on record. If current trends continue, stolen funds from services could eclipse $4 billion by year’s end.
Personal wallet compromises now represent a growing share of total ecosystem theft, with attackers increasingly targeting individual users, making up 23.35% of all stolen fund activity YTD in 2025.
“Wrench attacks” — physical violence or coercion against crypto holders — show correlation with bitcoin price movements, suggesting opportunistic targeting during high-value periods.
Geographic trends
So far in 2025, significant concentrations of stolen fund victims have emerged in the U.S., Germany, Russia, Canada, Japan, Indonesia, and South Korea.
Regionally, Eastern Europe, MENA, and CSAO saw the most rapid H1 2024 to H1 2025 growth in victim totals.
Notable differences in the type of asset stolen have also emerged between regions, possibly reflecting the underlying pattern of regional adoption of crypto assets.
Laundering behavior
Some differences emerge in comparing the laundering of funds stolen from services vs. individuals. Overall, threat actors who have compromised services tend to exhibit higher levels of sophistication than those targeting personal wallets.
Stolen fund launderers consistently overspend to move funds, with average premiums fluctuating from 2.58x in 2021 to 14.5x YTD in 2025.
Interestingly, while the average cost in dollars to move stolen funds has declined over time, the multiple over the average cost to move funds on chain has increased.
Threat actors compromising personal wallets increasingly leave larger balances of stolen funds on-chain rather than immediately laundering stolen assets.
Thefts targeting personal wallets currently hold $8.5 billion in crypto on-chain, while funds taken from services amount to $1.28B.
The shifting illicit landscape
Illicit volumes thus far in 2025 are on track to meet or even exceed last year’s estimated $51 billion, despite significant changes to the illicit actor landscape. The closure of Garantex, a sanctioned Russian exchange, and the likely FinCEN Special Measures designation of Huione Group — a Cambodia-based Chinese language service that has processed over $70 billion in inflows — have reshaped how criminals move money through the ecosystem.
Amid this shifting landscape, stolen fund activity stands out as the dominant concern in 2025. While other forms of illicit activity have shown mixed trends YoY, the surge in cryptocurrency thefts represents both an immediate threat to ecosystem participants and a long-term challenge for the industry’s security infrastructure.
Funds stolen from services: A record-breaking trajectory
The cumulative trend in value taken from services paints a stark picture of 2025’s escalating threat environment. The orange line, which represents 2025’s YTD activity, shows a dramatically steeper trajectory into June than any previous year in our dataset, climbing past the $2 billion mark within the first half of the year.
What makes this trend particularly alarming is its velocity and consistency. While 2022 — previously the worst year on record according to our data — required 214 days to crack $2 billion in value stolen from services, 2025 achieved comparable theft volumes in just 142 days. The 2023 and 2024 trend lines show more moderate, steady accumulation patterns.
Currently, 2025 is 17.27% worse than 2022 at the end of June. If this trend continues, we could see 2025 end with more than $4.3 billion stolen from services alone.
The ByBit breach: A new benchmark for cybercrime
The DPRK’s ByBit hack fundamentally altered the 2025 threat landscape. At $1.5 billion, this single incident not only represents the largest crypto theft in history, but also accounts for approximately 69% of all funds stolen from services this year. The sophistication and scale of this attack underscore the evolving capabilities of state-sponsored threat actors in the crypto space, and comes after a notable slowdown in the second half of 2024.
This mega-breach fits within a broader pattern of North Korean cryptocurrency operations, which have become increasingly central to the regime’s sanctions evasion strategies. Last year, known DPRK-related losses totaled $1.3B (heretofore the worst year on record), making 2025 already by far their most successful year to date.
The attack methodology appeared to leverage advanced social engineering tactics similar to those documented in previous DPRK operations, including the infiltration of crypto-related services through compromised IT personnel. This approach has proven devastatingly effective, with Western tech firms having unknowingly hired thousands of North Korean workers, according to recent UN reporting.
Personal wallets: The underdocumented frontier for crypto crime
Chainalysis has developed new methodologies to identify and trace theft activity originating from personal wallets, a category of illicit activity that is by nature underreported but increasingly significant. This enhanced visibility reveals troubling trends in how attackers are diversifying their targets and tactics over time.
Personal wallet compromises make up a growing share of total ecosystem value stolen over time, as reflected in the chart below. The emergence of this trend likely reflects several factors:
Breaking down the value stolen from personal wallets by asset is also revealing, shown in the chart below. Three key trends emerge from this expanded view. First, bitcoin theft accounts for a substantial share of stolen value. Second, the average loss resulting from compromised personal wallets storing bitcoin has increased over time, suggesting attackers are deliberately targeting higher-value individual holdings. Third, the number of individual victims is increasing on non-Bitcoin and non-EVM chains like Solana.
In total, these factors suggest that, while bitcoin holders are less likely to fall victim to targeted theft than individuals holding assets on chains, bitcoin holders experience more catastrophic losses in terms of value taken. The forward-looking implication is that, if the value of native assets increases, the value compromised from personal wallets will also likely rise.
The violence factor: When digital crime turns physical
One particularly disturbing subset of personal wallet theft incidents involves so-called “wrench attacks,” whereby attackers use physical violence or coercion against individuals to access their crypto holdings. Per the chart below, it is clear that 2025 is well on track to have potentially twice as many physical attacks as the next highest year on record. It is also worth noting that, since many attacks go unreported, the true number of such incidents is likely far higher.
Our analysis reveals a clear correlation between these violent incidents and a forward-looking moving average of bitcoin’s price, suggesting that the future increase in asset values (and the perception of its future upward movement) may trigger additional opportunistic physical attacks against known crypto holders. Overall, while these violent attacks remain comparatively rare, the physical dimension — including maiming, kidnapping, and homicide — elevates the human impact of these cases to an extraordinary degree, as we will explore in the following case study.
Geographic patterns: Victimization around the world
Leveraging Chainalysis’ geolocation data intersected with reported cases of stolen funds, we can estimate the global distribution of personal wallet victimizations. Note: these data include only known stolen fund events affecting personal wallets that have reliable geolocation data. They are therefore not a comprehensive view of all global stolen fund activity in 2025.
So far in 2025, the U.S., Germany, Russia, Canada, Japan, Indonesia, and South Korea top the list of highest victim counts per country, whereas Eastern Europe, MENA and CSAO saw the most rapid H1 2024 to H1 2025 growth in victim totals.
A somewhat divergent list of countries emerges when plotting the value stolen per victim in 2025. As shown in the chart below, the U.S., Japan and Germany remain in the top 10, but the UAE, Chile, India, Lithuanian, Iran, Israel, and Norway have some of the highest victimization severity rates globally.
Looking ahead: A critical inflection point
The crypto industry stands at a critical inflection point. The same transparency that enables unprecedented criminal behavior analysis also provides the tools for more effective prevention and enforcement. The challenge lies in implementing these capabilities quickly enough to stay ahead of rapidly evolving threats.
As we move into the second half of 2025, the stakes for cryptosecurity have never been higher. With stolen funds projected to potentially reach $4 billion by year’s end, the industry’s response in the coming months will likely determine whether crypto crime continues its concerning trajectory or begins to plateau as defensive measures mature.
More details here: 2025 Crypto Crime Mid-year Update
Banking 4.0 – „how was the experience for you”
„To be honest I think that Sinaia, your conference, is much better then Davos.”
Many more interesting quotes in the video below:
