Crypto Hackers Stole $3.4B in 2025 as North Korea Dominates Attacks
Jessie A Ellis Feb 12, 2026 04:10
Fireblocks report reveals $17B stolen since 2020, with DPRK's Lazarus Group behind 75% of crypto platform attacks. Defense-in-depth approach now critical.
Cryptocurrency hackers made off with $3.4 billion in 2025, pushing total stolen digital assets past $17 billion since 2020, according to a new security white paper from institutional custody provider Fireblocks.
The numbers paint a stark picture: North Korea's Lazarus Group now accounts for roughly three-quarters of all attacks on crypto platforms. Their operations average nearly five times the haul of other threat actors, with DPRK-linked hackers responsible for over $2 billion of last year's losses alone.
Crime Goes Corporate
What's changed isn't just the scale—it's the sophistication. These aren't basement hackers anymore. They're running what amounts to criminal enterprises with business development teams, revenue targets, and customer service.
The emergence of "Drainer-as-a-Service" platforms has democratized crypto theft. Developers build turnkey wallet-draining kits and license them to non-technical affiliates on revenue-share deals. Think SaaS, but for stealing your tokens. These groups compete for market share like legitimate software companies.
Fireblocks identified three primary threat categories in their analysis: state-sponsored operations (primarily DPRK), commoditized crime-as-a-service offerings, and the perennial insider threat from employees and contractors with legitimate access.
Why Crypto Security Differs From Traditional IT
Here's the uncomfortable truth that makes digital asset security fundamentally different: attackers only need to win once. When a malicious transaction hits blockchain finality, those funds are gone. There's no IT team restoring from backup, no insurance claim that makes you whole.
"Nearly all digital asset theft incidents stem from actions that were 'technically authorized' by weak policies," the Fireblocks report states. A stolen credential combined with lax governance equals permanent loss.
The company, which claims to have secured over $10 trillion in digital asset transfers across 550 million wallets, advocates for what they call an "Assume Breach" architecture. Multiple independent security layers must protect funds even when individual components get compromised.
Practical Defense Layers
The white paper outlines several critical controls. A cryptographically enforced policy engine sits at the core—ensuring stolen credentials alone can't authorize transfers. Transaction clarity features decode complex smart contract interactions into readable actions, killing "blind signing" scenarios where approvers unknowingly authorize malicious unlimited token approvals.
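The transaction-clarity control described above, sketched as an added example (not Fireblocks' code and not taken from the white paper): a decoder that turns raw approval calldata into a readable line for the approver and flags unlimited allowances. The 2**255 threshold, the risk labels and the sample spender address are assumptions made for illustration.

```python
UNLIMITED_THRESHOLD = 2**255  # assumption: allowances this large are effectively unlimited

# 4-byte selectors of the standard approval functions and their second-argument type.
APPROVAL_SELECTORS = {
    "095ea7b3": ("approve", "uint256"),            # ERC-20 approve(address,uint256)
    "39509351": ("increaseAllowance", "uint256"),  # common OpenZeppelin extension
    "a22cb465": ("setApprovalForAll", "bool"),     # ERC-721 / ERC-1155 operator grant
}

def describe_approval(calldata_hex, decimals=18, symbol="TOKEN"):
    """Return (risk, text) for approval calldata; risk is 'high', 'review' or 'reject'."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    try:
        raw = bytes.fromhex(data)
    except ValueError:
        return "reject", "calldata is not valid hex"
    known = APPROVAL_SELECTORS.get(raw[:4].hex())
    if known is None:
        return "review", "not an approval call; needs a different decoder"
    name, kind = known
    # Strict ABI check: selector plus exactly two 32-byte words, nothing appended.
    if len(raw) != 4 + 64:
        return "reject", f"{name}: malformed argument length"
    spender_word, value_word = raw[4:36], raw[36:68]
    if any(spender_word[:12]):  # an address occupies only the low 20 bytes
        return "reject", f"{name}: dirty upper bytes in address argument"
    spender = "0x" + spender_word[12:].hex()
    value = int.from_bytes(value_word, "big")
    if kind == "bool":
        if value == 1:
            return "high", f"grant {spender} control of ALL tokens in this collection"
        if value == 0:
            return "review", f"revoke operator rights from {spender}"
        return "reject", f"{name}: invalid bool argument"
    if value >= UNLIMITED_THRESHOLD:
        return "high", f"{name}: UNLIMITED {symbol} allowance to {spender}"
    if value == 0 and name == "approve":
        return "review", f"approve: revoke {symbol} allowance of {spender}"
    return "review", f"{name}: allow {spender} to spend {value / 10**decimals:g} {symbol}"

# Constructed sample calldata; the spender is a placeholder, not a real contract.
SPENDER = "00" * 12 + "11" * 20
UNLIMITED = "0x095ea7b3" + SPENDER + "ff" * 32
BOUNDED = "0x095ea7b3" + SPENDER + format(250 * 10**18, "064x")

if __name__ == "__main__":
    print(describe_approval(UNLIMITED), describe_approval(BOUNDED), sep="\n")
```

A policy engine could treat "high" as requiring additional approvers and "reject" as a hard stop, so that a single approver is never shown an opaque hex blob to sign.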
This layered approach mirrors broader cybersecurity trends. Recent industry data shows identity misuse—stolen credentials and privilege abuse—factors into over 80% of ransomware operations. Backups, often considered the last line of defense, get compromised in 39% of incidents.
The timing of Fireblocks' report coincides with heightened cyber pressure across sectors. Google flagged sustained attacks on defense industrial bases from Russia and China-linked actors this week, while the FCC urged communications providers to strengthen ransomware defenses.
What This Means for Institutions
For institutional players managing client funds, the message is clear: point solutions won't cut it against adversaries running professional operations. The Fireblocks framework suggests every identified threat vector should face at least three independent protection layers.
With the total crypto market cap sitting at $2.34 trillion, the $17 billion stolen since 2020 represents a meaningful percentage of industry value. As threats continue evolving, security architecture that assumes eventual compromise—rather than hoping to prevent it entirely—may be the only realistic approach.