Even the leading platforms in the industry struggle to withstand advanced persistent threats, and the surge in stolen personal wallets indicates that cryptocurrency holders face unprecedented risks.
Written by: Chainalysis
Compiled by: AididiaoJP, Foresight News
Core findings
Stolen funds
From 2025 to date, cryptocurrency services have suffered over 2.17 billion USD in fund theft, a figure that far exceeds the total for all of 2024. Among these, North Korea's 1.5 billion USD hack of ByBit (the largest single theft in cryptocurrency history) accounts for the majority of the losses.
As of the end of June 2025, the total amount of stolen funds was 17% higher than at the same point in 2022, previously the worst year. If the current trend continues, stolen funds from service platforms could exceed 4 billion USD by year-end.
Personal wallet thefts account for a gradually increasing share of overall ecosystem theft, with attackers increasingly targeting individual users. From 2025 to date, such cases account for 23.35% of all stolen-funds activity.
'Wrench attacks' (violent or coercive actions against cryptocurrency holders) correlate with Bitcoin price fluctuations, indicating that attackers tend to strike during high-value periods.
Regional trends
From 2025 to date, victims have been most concentrated in the United States, Germany, Russia, Canada, Japan, Indonesia, and South Korea.
Regionally, Eastern Europe, the Middle East and North Africa, as well as Central Asia and South Asia, have seen the fastest growth in victim numbers from the first half of 2024 to the first half of 2025.
There are also significant differences in the types of stolen assets across different regions, which may reflect the underlying patterns of cryptocurrency adoption locally.
Money laundering behavior
Money laundering behavior differs between funds stolen from service platforms and funds stolen from personal wallets. Overall, threat actors targeting service platforms typically exhibit higher technical complexity.
Money launderers often pay excessive fees to transfer funds, with the average premium fluctuating from 2.58 times in 2021 to 14.5 times from 2025 to date.
Interestingly, although the average cost of transferring stolen funds in USD has decreased over time, that cost as a multiple of average on-chain costs has increased.
Attackers targeting personal wallets tend to keep large amounts of stolen funds on-chain rather than laundering them immediately.
Currently, 8.5 billion USD in cryptocurrency from thefts against personal wallets remains held on-chain, while the corresponding figure for funds stolen from service platforms is 1.28 billion USD.
Changes in the illegal activity environment
Despite significant changes in the cryptocurrency environment, the volume of illicit transactions from 2025 to date is still expected to reach or exceed last year's estimated 51 billion USD. The closure of the sanctioned exchange Garantex and the potential designation of Cambodia's Chinese service provider Huione Group (handling over 70 billion USD in inflows) as a special focus by the U.S. Financial Crimes Enforcement Network (FinCEN) are reshaping how criminals move funds within the ecosystem.
In this changing situation, fund theft has become the primary issue of 2025. Other forms of illegal activity show mixed performance year-on-year, while the surge in cryptocurrency theft poses a direct threat to ecosystem participants and presents long-term challenges to industry security infrastructure.
Stolen funds from service platforms: experiencing a surge
The cumulative trend of funds stolen from service platforms paints a grim picture of the threat landscape in 2025. The orange line representing activities from 2025 to date has risen faster before June than in any previous year, surpassing the 2 billion USD mark in the first half of the year.
The astonishing aspect of this trend is its speed and persistence. In 2022, previously the worst year, it took 214 days for thefts from service platforms to reach 2 billion USD, whereas 2025 reached a similar scale in only 142 days. The trend lines for 2023 and 2024 show a more moderate cumulative pattern.
Currently, data from the end of June 2025 shows a 17.27% increase compared to the same period in 2022. If the trend continues, stolen funds from service platforms alone could exceed 4.3 billion USD for the entire year of 2025.
ByBit Incident: A New Benchmark in Cybercrime
North Korea's hacking attack on ByBit has completely reshaped the threat landscape of 2025. This single 1.5 billion USD incident is not only the largest cryptocurrency theft in history but also accounts for about 69% of the stolen funds from service platforms this year. Its technical complexity and scale highlight the escalating capabilities of state-sponsored hackers in the cryptocurrency space, marking a strong return after a brief lull in the second half of 2024.
This super attack aligns with North Korea's overall pattern of cryptocurrency operations, which have become a core part of the country's sanctions evasion strategy. Known losses related to North Korea reached 1.3 billion USD last year (the worst year previously), while 2025 has already exceeded this record.
The attack methods appear to have utilized advanced social engineering techniques (such as infiltrating IT personnel related to cryptocurrency services), similar to past operations by North Korea. According to the latest United Nations report, Western tech companies have inadvertently employed thousands of North Korean workers, showcasing the destructive potential of such tactics.
Personal wallets: the frontline of cryptocurrency crime that has not been adequately addressed
Chainalysis has developed new methods for identifying and tracking theft activities originating from personal wallets. This type of illegal activity has a low reporting rate, but its importance is increasingly prominent. Enhanced visualization reveals how attackers diversify their targets and tactics over time.
As shown in the chart below, the proportion of stolen personal wallets in total losses continues to grow. This trend may reflect the following factors:
Improved security measures at mainstream services are forcing attackers to turn to personal targets perceived as easier to exploit
Growth in the number of individual cryptocurrency holders
As mainstream crypto assets appreciate, the value of funds in personal wallets increases
Development of more complex individual-targeted techniques (possibly benefiting from easily deployable LLM AI tools)
Breaking down the value of stolen personal wallets by asset type (see chart below) reveals three key trends:
Bitcoin theft constitutes a significant proportion
The average loss amount for personal wallets storing Bitcoin has increased over time, indicating that attackers are intentionally targeting high-value targets.
The number of individual victims on non-Bitcoin and non-EVM chains (such as Solana) is on the rise.
These factors indicate that while Bitcoin holders are less likely to become victims of targeted theft compared to holders of other on-chain assets, once victimized, their losses can be extraordinarily large. A forward-looking inference is that as the value of native assets increases, the amount stolen from personal wallets is likely to grow in tandem.
Violent factors: when digital crime turns into physical harm
One disturbing example in personal wallet thefts is the 'wrench attack', where attackers use violence or coercion to obtain victims' cryptocurrency. The chart below shows that the number of such physical attacks in 2025 is expected to reach twice that of the second highest historical year. It is important to note that many cases go unreported, so the actual numbers may be higher.
These violent incidents show a clear correlation with the moving average of Bitcoin prices, suggesting that rising asset values (or anticipated rises) may trigger physical attacks against known cryptocurrency holders. While such violent cases are relatively rare, the physical harm involved (including maiming, kidnapping, and murder) gives them an outsized social impact. The following case illustrates this.
(Source: Jameson Lopp GitHub)
Case study: How blockchain analysis assisted in solving a high-profile kidnapping case in the Philippines
Violent crimes whose proceeds are laundered through cryptocurrency present complex challenges for investigations, often requiring sophisticated analytical methods. A recent high-profile case in the Philippines showcased how blockchain analysis can provide crucial leads, even in the most severe criminal investigations.
In March 2024, the kidnapping and murder of Elison Steel's CEO Anson Que shocked the business community in the Philippines. On March 29, Que and driver Armanie Pabillo were abducted in Bulacan and were later found dead in Rizal Province, showing signs of severe abuse. Initially thought to be a 20 million peso kidnapping case, it was later revealed by investigations that the victim's family had actually paid around 200 million pesos for Que's release.
The Philippine National Police (PNP) accused casino intermediaries 9 Dynasty Group and White Horse Club of orchestrating a complex money laundering operation: converting ransom originally paid in pesos and dollars into cryptocurrency using e-wallets designed specifically for casinos, shell accounts, and digital assets to obscure the flow of funds.
Through the Chainalysis Reactor tool, global service teams collaborated with PNP investigators to trace the ransom flow. Blockchain analysis revealed how the ransom was collected through a series of intermediary addresses before being further laundered through more intermediary addresses. With the PNP's assistance, Chainalysis notified Tether and successfully froze some USDT funds.
It is noteworthy that the money laundering techniques used in this case are relatively crude, consistent with many criminal groups that adopt cryptocurrency for its speed and 'anonymity' but lack professional skills. Unlike in traditional financial investigations where evidence is scattered across different institutions, blockchain provides a single, authoritative, and immutable ledger, enabling investigators to track fund flows in real-time, map networks, and generate cross-border leads.
The tragedy of Anson Que and Armanie Pabillo serves as a reminder of the real human cost behind these crimes. However, this case also proves that the immutability of blockchain technology can serve as a powerful tool for justice, ensuring that exploiters cannot easily hide in the shadows of the web.
Geographic patterns: Global victim distribution
By combining Chainalysis geolocation data with reports of stolen funds, the global distribution of personal wallet victim events can be estimated. Note: This data only includes personal wallet theft events with reliable geolocation information, not a complete view of global stolen funds activity in 2025.
From 2025 to date, the United States, Germany, Russia, Canada, Japan, Indonesia, and South Korea rank highest in per capita victim numbers; while Eastern Europe, the Middle East and North Africa, as well as Central Asia and South Asia, have seen the fastest growth in total victims between the first half of 2024 and the first half of 2025.
If ranked by per capita stolen amounts (see chart below), the United States, Japan, and Germany remain in the top ten, but the severity of victimization in the UAE, Chile, India, Lithuania, Iran, Israel, and Norway leads the world.
Regional differences in stolen assets from personal wallets
Data from 2025 indicates a regional concentration pattern in cryptocurrency theft. The chart below summarizes the total value of stolen assets by region.
North America ranks first in both Bitcoin and altcoin thefts, likely reflecting the region's high cryptocurrency adoption rate and the activity of professional attackers targeting large personal assets. Europe serves as the global center for Ethereum and stablecoin thefts, possibly indicating high local adoption of these assets or attackers' preference for high-liquidity assets.
The Asia-Pacific region ranks second in total Bitcoin theft and third in Ethereum theft; Central Asia and South Asia rank second in stolen amounts of altcoins and stablecoins. Sub-Saharan Africa ranks lowest in stolen amounts (with Bitcoin theft second to last), likely reflecting lower wealth levels in the region rather than a lower victimization rate among cryptocurrency users.
The economics of cryptocurrency money laundering
Understanding how stolen funds flow within the crypto ecosystem is crucial for prevention and law enforcement. Analysis shows significant differences in money laundering activity between thefts from personal wallets and attacks on service platforms, reflecting different risk preferences and operational needs.
For example, in 2024-2025, attackers targeting service platforms extensively used cross-chain bridges for 'chain hopping' money laundering, and their use of mixers became more frequent. In contrast, stolen funds from personal wallets were more often directed towards token smart contracts (possibly involving exchanges), sanctioned entities (especially Garantex, possibly suggesting Russian perpetrators), and centralized exchanges (CEXs), indicating relatively crude money laundering techniques.
In the money laundering process, operators of stolen funds pay excessive fees, and costs fluctuate dramatically over time. Notably, while the popularity of blockchains like Solana and layer two networks has reduced average transaction costs, the premium paid by operators of stolen funds has increased by 108%. Additionally, attackers targeting service platforms typically pay higher premiums, possibly reflecting their urgency to quickly transfer large amounts of money before funds are frozen.
These patterns overall indicate that while the vast majority of hacking attacks are financially motivated (except for isolated incidents such as the June 19 Nobitex attack), operators of stolen funds do not care about on-chain transaction costs, but prioritize transaction speed.
Interestingly, not all stolen funds immediately enter the money laundering process. Stolen funds from personal wallets tend to remain on-chain, with substantial balances held at attacker-controlled addresses rather than being quickly laundered or cashed out. This behavior may reflect the criminals' confidence in operational security or mimic mainstream cryptocurrency investment strategies.
Prevention and mitigation strategies
The surge in thefts from service platforms and personal wallets necessitates multi-layered security mechanisms. For service providers, the lessons from significant events in 2025 reiterate the following key points:
A comprehensive security culture
Regular security audits
Employee screening processes capable of identifying social engineering attacks
Code auditing is becoming increasingly important, as vulnerabilities in smart contracts are becoming the fastest-growing attack vector. Improvements in technical wallet infrastructure (especially the implementation of multi-signature hot wallets) provide an additional layer of protection for institutional security, allowing for timely loss prevention even if a single key is compromised.
For individuals, the escalation of threats against wallets requires a fundamental rethinking of security. The correlation between violent attacks and Bitcoin prices suggests that protecting the privacy of one's holdings (such as avoiding publicizing holdings) may be as important as technical measures (using privacy coins or cold wallets). Users in countries with high victim growth need to be particularly vigilant about their digital footprints and personal safety.
As cryptocurrency-related kidnappings and violent crimes escalate, personal safety in the real world becomes an urgent issue. Cases targeting wealthy families in the cryptocurrency space indicate that digital asset holders need to consider traditional security measures, including:
Avoid flaunting wealth
Do not disclose holdings or trading activities on social media
Implement basic security protocols (such as changing daily routes, being vigilant about surveillance)
For large holders, professional security consulting may be necessary, as the increase in digital wealth coupled with personal vulnerability creates new risks that traditional security systems have yet to fully address.
Outlook: critical turning point
Data from 2025 to date presents an evolutionary trajectory of cryptocurrency crime. Despite the maturation of the crypto ecosystem in regulatory frameworks and institutional security practices, the capabilities and target ranges of threat actors have also upgraded simultaneously.
The ByBit incident demonstrates that even leading entities in the industry struggle to withstand advanced persistent threats; the surge in stolen personal wallets indicates that cryptocurrency holders face unprecedented risks. The geographical expansion of crime and the correlation between asset prices and violent attacks add new dimensions to an already complex security environment.
The detailed blockchain analysis supporting this report lays the foundation for more effective countermeasures. Law enforcement equipped with comprehensive transaction analysis tools can track funds more efficiently than ever, while service providers can implement targeted defenses based on attack patterns.
The cryptocurrency industry is at a critical turning point. The same transparency that fosters criminal analysis also provides more efficient prevention and law enforcement tools. The challenge lies in how to rapidly deploy these capabilities to stay ahead of continuously evolving threats.
As we enter the second half of 2025, the amount of stolen cryptocurrency is unprecedentedly high. If the stolen funds truly exceed 4 billion USD as predicted, the industry's response in the coming months may determine whether crime trends continue to worsen or stabilize as defense systems mature.