Written by: Chainalysis

Compiled by: AididiaoJP, Foresight News

Core Findings

Stolen funds

So far in 2025, more than $2.17 billion has been stolen from cryptocurrency services, a figure that far exceeds the total for the entire year of 2024. North Korea's $1.5 billion hack of ByBit (the largest single theft in cryptocurrency history) accounts for the majority of these losses.

As of the end of June 2025, the total amount of stolen funds is 17% higher than at the same point in 2022, the previous worst year. If the current trend continues, the stolen funds from service platforms could exceed $4 billion by the end of the year.

Personal wallet thefts make up a gradually increasing share of overall ecosystem thefts, as attackers increasingly target individual users. So far in 2025, such cases account for 23.35% of all stolen fund activity.

'Wrench attacks' (violent or coercive acts against cryptocurrency holders) correlate with Bitcoin price fluctuations, indicating that attackers tend to wait for high-value periods to strike.

Regional Trends

So far in 2025, victims have been concentrated in the United States, Germany, Russia, Canada, Japan, Indonesia, and South Korea.

Regionally, Eastern Europe, the Middle East and North Africa, as well as Central Asia and South Asia, have seen the fastest growth in the number of victims from the first half of 2024 to the first half of 2025.

There are also significant differences in the types of stolen assets across different regions, which may reflect the underlying patterns of cryptocurrency adoption locally.

Money laundering behavior

There are differences in laundering behaviors between funds stolen from service platforms and personal endpoints. Overall, threat actors targeting service platforms typically exhibit higher technical complexity.

Money launderers often pay excess fees to transfer funds, with the average premium fluctuating from 2.58 times in 2021 to 14.5 times in 2025 to date.

Interestingly, while the average cost in dollars to transfer stolen funds has decreased over time, the multiple relative to average on-chain costs has increased.

Attackers targeting personal wallets are more likely to keep large amounts of stolen funds on-chain rather than laundering them immediately.

Currently, $8.5 billion in cryptocurrency stolen from personal wallets remains on-chain, compared with $1.28 billion in funds stolen from service platforms.

Changes in the environment of illegal activities

Despite significant changes in the cryptocurrency environment, the volume of illegal transactions in 2025 is still expected to reach or exceed last year's estimate of $51 billion. The closure of the sanctioned exchange Garantex and the potential designation of the Cambodian Chinese service provider Huione Group (which processed over $70 billion in inflows) as a particularly vulnerable entity by the U.S. Financial Crimes Enforcement Network (FinCEN) are reshaping how criminals move funds within the ecosystem.

In this changing landscape, fund theft has become the primary issue for 2025. Other forms of illegal activities have shown mixed performance, and the surge in cryptocurrency theft poses not only a direct threat to ecosystem participants but also long-term challenges to industry security infrastructure.

Stolen funds from service platforms: on the rise

The cumulative trend of funds stolen from service platforms paints a grim picture of the threat environment in 2025. The orange line representing activity from 2025 to date rose far faster than any previous year before June, surpassing $2 billion in the first half of the year.

The astonishing aspect of this trend is its speed and persistence. In 2022, previously the worst year, it took 214 days for thefts from service platforms to reach $2 billion, whereas in 2025 it took only 142 days to reach a similar scale. The trend lines for 2023 and 2024 exhibited a more moderate accumulation pattern.

Currently, data as of the end of June 2025 shows a 17.27% increase compared to the same period in 2022. If trends continue, stolen funds from service platforms alone could exceed $4.3 billion for the entirety of 2025.

ByBit Incident: A New Benchmark for Cybercrime

North Korea's hack of ByBit has completely changed the threat landscape for 2025. This $1.5 billion single incident is not only the largest cryptocurrency theft in history but also accounts for about 69% of the total funds stolen from service platforms this year. Its technical complexity and scale highlight the escalating capabilities of state-sponsored hackers in the cryptocurrency field and mark a strong return after a brief lull in the second half of 2024.

This massive attack aligns with North Korea's overall cryptocurrency operations, which have become a core part of the country's strategy to evade sanctions. Known losses related to North Korea reached $1.3 billion last year (previously the worst year), while 2025 has far exceeded this record.

The attack methods reportedly utilized advanced social engineering techniques (such as infiltrating IT personnel related to cryptocurrency services), similar to past operations by North Korea. According to the latest report from the United Nations, Western tech companies have inadvertently hired thousands of North Korean employees, highlighting the destructive potential of such tactics.

Personal wallets: The frontier of cryptocurrency crime that has not been adequately addressed

Chainalysis has developed new methods to identify and track theft activities originating from personal wallets. Such illegal activities have low reporting rates, but their significance is increasingly highlighted. Enhanced visualization reveals how attackers have diversified their targets and tactics over time.

As shown in the following chart, the proportion of losses from personal wallet thefts has been steadily increasing. This trend may reflect the following factors:

  • Improvements in mainstream service security measures have forced attackers to shift towards personal targets perceived as easier to exploit

  • Growth in the number of individual cryptocurrency holders

  • As mainstream crypto assets appreciate, the value of funds in personal wallets increases

  • More complex individual targeting techniques are developing (possibly aided by easily deployable LLM AI tools)

Segmenting the value stolen from personal wallets by asset type (see chart below) reveals three key trends:

  1. Bitcoin theft constitutes a significant proportion

  2. The average loss amount from personal wallets storing Bitcoin has increased over time, indicating that attackers intentionally target high-value objectives.

  3. The number of individual victims on non-Bitcoin and non-EVM chains (such as Solana) is on the rise.

These factors suggest that while Bitcoin holders have a lower probability of becoming targets of directed theft than other on-chain asset holders, once victimized, their loss amounts are exceptionally large. A forward-looking inference is that if the value of native assets rises, the amount stolen from personal wallets is likely to increase in tandem.

Violent factors: When digital crime turns into physical harm

A disturbing example of personal wallet theft is the 'wrench attack,' where attackers use violence or coercion to obtain victims' cryptocurrencies. The chart below shows that the number of such physical attacks in 2025 is expected to reach twice that of the second-highest year in history. It should be noted that the actual numbers may be higher due to many cases going unreported.

These violent incidents show a clear correlation with the moving average of Bitcoin prices, indicating that increases (or expected increases) in asset value may trigger physical attacks against known cryptocurrency holders. Although such violent cases are relatively rare, the physical harm involved (including disability, kidnapping, and murder) gives them an outsized social impact. The following case illustrates this in detail.

(Source: Jameson Lopp GitHub)

Case Study: How Blockchain Analysis Aided in Solving a High-Profile Kidnapping Case in the Philippines

Violent crime involving cryptocurrency laundering presents complex challenges for investigations, often requiring sophisticated analytical methods. A recent high-profile case in the Philippines demonstrated how blockchain analysis can provide critical clues, even in the most severe criminal investigations.

In March 2024, the kidnapping and murder of Elison Steel CEO Anson Que shocked the Philippine business community. On March 29, Que and driver Armanie Pabillo were kidnapped in Bulacan province and later found dead in Rizal province, showing obvious signs of abuse. Initially thought to be a 20 million peso kidnapping case, investigations revealed that the victim's family actually paid about 200 million pesos in ransom for Que's release.

The Philippine National Police (PNP) accused casino intermediary companies 9 Dynasty Group and White Horse Club of orchestrating a complex money laundering operation: converting ransom originally paid in pesos and dollars into cryptocurrency through e-wallets designed for casinos, shell accounts, and digital assets to obscure the flow of funds.

Using the Chainalysis Reactor tool, global service teams collaborated with PNP investigators to trace the flow of ransom. Blockchain analysis revealed how ransom payments were aggregated through a series of intermediary addresses and then laundered further through more intermediary addresses. With the assistance of PNP, Chainalysis notified Tether and successfully froze a portion of the USDT funds.

It is noteworthy that the money laundering techniques used in this case are relatively crude, consistent with many criminal groups that favor cryptocurrencies for their speed and 'anonymity' but lack technical expertise. Unlike traditional financial investigations where evidence is dispersed across different institutions, blockchain provides a single, authoritative, and immutable ledger, allowing investigators to track fund flows in real-time, map networks, and generate cross-border leads.

The tragedy of Anson Que and Armanie Pabillo reminds us of the real human cost behind these crimes. However, this case also proves that the immutability of blockchain technology can be a powerful tool for justice, ensuring that exploiters cannot easily hide in the shadows of the internet.

Regional Patterns: Global Distribution of Victims

By combining Chainalysis geolocation data with reports of stolen funds, we can estimate the global distribution of personal wallet victim events. Note: This data only includes personal wallet theft events with reliable geolocation information and does not provide a complete view of global stolen funds activities in 2025.

So far in 2025, the United States, Germany, Russia, Canada, Japan, Indonesia, and South Korea rank highest in per capita victim counts, while Eastern Europe, the Middle East and North Africa, and Central Asia and South Asia have seen the fastest growth in total victims between the first half of 2024 and the first half of 2025.

If ranked by per capita stolen amounts (see chart below), the United States, Japan, and Germany remain in the top ten, but the severity of victimization in the UAE, Chile, India, Lithuania, Iran, Israel, and Norway leads globally.

Regional disparities in stolen assets from personal wallets

Data from 2025 indicates a geographical concentration pattern in cryptocurrency theft. The chart below summarizes the total value stolen by asset type across various regions.

North America ranks first in both Bitcoin and altcoin thefts, which may reflect the region's high cryptocurrency adoption rate and the activity of professional attackers targeting large personal assets. Europe is the global center for Ethereum and stablecoin thefts, possibly indicating a high adoption rate of these assets locally or a preference among attackers for highly liquid assets.

The Asia-Pacific region ranks second in total Bitcoin theft and third in Ethereum theft; Central Asia and South Asia rank second in stolen amounts of altcoins and stablecoins. Sub-Saharan Africa is at the bottom in terms of stolen amounts (second to last in Bitcoin theft), which is more likely to reflect lower wealth levels in the region than a lower victimization rate among cryptocurrency users.

Cryptocurrency money laundering economics

Understanding how stolen funds flow within the cryptocurrency ecosystem is crucial for prevention and enforcement. Analysis shows significant differences in laundering behaviors between personal wallet thefts and attacks on service platforms, reflecting different risk preferences and operational demands.

For instance, from 2024 to 2025, attackers targeting service platforms heavily utilized cross-chain bridges for 'chain hopping' money laundering, with the use of mixers also becoming more frequent. In contrast, stolen funds from personal wallets have flowed more towards token smart contracts (possibly involving exchanges), sanctioned entities (particularly Garantex, suggesting a connection to Russian perpetrators), and centralized exchanges (CEXs), indicating that laundering techniques are relatively crude.

In the money laundering process, operators of stolen funds pay excess fees, and costs fluctuate dramatically over time. It is noteworthy that while the popularity of blockchains like Solana and layer-2 networks has lowered average transaction costs, the premiums paid by operators of stolen funds have increased by 108% during the same period. Additionally, attackers targeting service platforms typically pay higher premiums, possibly reflecting their urgency to quickly transfer large amounts of funds before freezing occurs.

These patterns generally indicate that although the vast majority of hacking attacks are financially motivated (with exceptions for specific incidents like the Nobitex attack on June 19), operators of stolen funds are not concerned about on-chain transaction costs but prioritize transaction speed.

Interestingly, not all stolen funds immediately enter the laundering process. Stolen funds from personal wallets tend to remain on-chain, with large balances staying in addresses controlled by attackers rather than being quickly laundered or cashed out. This behavior may reflect the criminals' confidence in their operational security, or it may mimic mainstream cryptocurrency investment strategies.

Prevention and Mitigation Strategies

The surge in thefts from service platforms and personal wallets requires multi-layered security mechanisms to respond. For service providers, the lessons learned from major events in 2025 underscore the following key points:

  • Comprehensive security culture

  • Regular security audits

  • Employee screening process that can recognize social engineering attacks

Code auditing is becoming increasingly important, as vulnerabilities in smart contracts are becoming the fastest-growing attack vector. Improvements in technical wallet infrastructure (especially the implementation of multi-signature hot wallets) provide an additional layer of protection for institutional security, allowing timely damage control even if a single key is compromised.

For individuals, the escalating threats against wallets require a fundamental rethinking of security. The correlation between violent attacks and Bitcoin prices indicates that keeping holdings private (such as avoiding public exposure of holdings) may be as important as technical measures (using privacy coins or cold wallets). Users in countries with high victim growth should be particularly vigilant about their digital footprints and personal safety.

As cryptocurrency-related kidnappings and violent crimes escalate, real-world personal safety has become an urgent issue. Cases targeting families with cryptocurrency wealth indicate that digital asset holders need to consider traditional security measures, including:

  • Avoid flaunting wealth

  • Do not disclose holdings or trading activities on social media

  • Implement basic security protocols (such as changing daily routes and being vigilant for surveillance)

For large holders, professional security consulting may be necessary; the increase in digital wealth creates new risks that traditional security systems have not fully addressed.

Outlook: A Critical Turning Point

Data from 2025 to date presents the evolutionary trajectory of cryptocurrency crime. Although the crypto ecosystem is maturing in terms of regulatory frameworks and institutional security practices, the capabilities and target ranges of threat actors are also escalating.

The ByBit incident demonstrates that even leading entities in the industry still struggle to withstand advanced persistent threats; the surge in personal wallet thefts indicates that cryptocurrency holders face unprecedented risks. The geographic expansion of crime and the correlation between asset prices and violent attacks add a new dimension to an already complex security environment.

The detailed blockchain analysis that supports this report lays the foundation for more effective countermeasures. Law enforcement equipped with comprehensive transaction analysis tools can track funds more efficiently than ever, while service providers can implement targeted defenses based on attack patterns.

The cryptocurrency industry is at a critical turning point. The same transparency that enables analysis of criminal activity also provides more efficient prevention and enforcement tools. The challenge lies in how to rapidly deploy these capabilities to stay ahead of evolving threats.

As we enter the second half of 2025, stolen cryptocurrency funds are at an unprecedented high. If stolen funds truly exceed $4 billion as predicted, the industry's response over the coming months may determine whether the trend of crime continues to worsen or stabilizes as defense systems mature.