Even leading platforms in the industry struggle to withstand advanced persistent threats, and the surge in personal wallet thefts indicates that cryptocurrency holders face unprecedented risks.
Written by: Chainalysis
Translated by: AididiaoJP, Foresight News
Key Findings
Stolen Funds
Since 2025, cryptocurrency services have suffered over $2.17 billion in fund thefts, a figure that far exceeds the total for all of 2024. Among these, North Korea's $1.5 billion hack of ByBit (the largest single theft in cryptocurrency history) accounts for a significant portion of the losses.
As of the end of June 2025, the total amount of stolen funds is 17% higher than the worst previous year, 2022. If the current trend continues, stolen funds from service platforms could exceed $4 billion by the end of the year.
The proportion of personal wallet thefts within the overall ecosystem is gradually increasing, with attackers increasingly targeting individual users. Since 2025, such cases have accounted for 23.35% of all stolen fund activities.
"Ransom attacks" (violent or coercive actions against cryptocurrency holders) show a correlation with Bitcoin price fluctuations, indicating that attackers tend to strike during high-value periods.
Regional Trends
Since 2025, the United States, Germany, Russia, Canada, Japan, Indonesia, and South Korea have become hotspots for victims.
Regionally, Eastern Europe, the Middle East and North Africa, as well as Central and South Asia, have seen the fastest growth in the number of victims from the first half of 2024 to the first half of 2025.
There are also significant differences in the types of stolen assets across different regions, which may reflect the underlying patterns of cryptocurrency adoption locally.
Money Laundering Activities
There are differences in money laundering activities between funds stolen from service platforms and those from individuals. Overall, threat actors targeting service platforms typically exhibit higher technical complexity.
Money launderers often pay excessive fees to transfer funds, with the average premium fluctuating from 2.58 times in 2021 to 14.5 times so far in 2025.
Interestingly, while the average cost in dollars to transfer stolen funds has decreased over time, the multiple of on-chain average costs has increased.
Attackers targeting personal wallets are more likely to keep large amounts of stolen funds on-chain rather than laundering them immediately.
Currently, there is still $8.5 billion in cryptocurrency tied up on-chain from thefts targeting personal wallets, while the amount stolen from service platforms is $1.28 billion.
Changes in the Environment of Illegal Activities
Despite significant changes in the cryptocurrency environment, the volume of illegal transactions in 2025 is still expected to reach or exceed last year's estimated $51 billion. The closure of the sanctioned Russian exchange Garantex, along with the potential designation of the Cambodian Chinese service provider Huione Group (which handled over $70 billion in inflows) as a special focus by the U.S. Financial Crimes Enforcement Network (FinCEN), has reshaped the flow of funds for criminals in the ecosystem.
In this changing landscape, fund theft has become the primary issue of 2025. Other forms of illegal activities have shown mixed performance year-on-year, while the surge in cryptocurrency theft poses a direct threat to ecosystem participants and presents long-term challenges for industry security infrastructure.
Stolen Funds from Service Platforms: On the Rise
The cumulative trend of funds stolen from service platforms paints a grim picture of the threat environment in 2025. The orange line representing activities from 2025 has risen at a pace far exceeding any previous year before June, surpassing the $2 billion mark in the first half of the year.
The astonishing aspect of this trend is its speed and persistence. The previous worst year, 2022, saw $2 billion stolen from service platforms over 214 days, while 2025 achieved a similar scale in just 142 days. The trend lines for 2023 and 2024 showed a more moderate accumulation pattern.
Currently, data from the end of June 2025 shows a 17.27% increase compared to the same period in 2022. If the trend continues, the total stolen funds from service platforms in 2025 could exceed $4.3 billion.
The ByBit Incident: A New Benchmark for Cybercrime
North Korea's hack of ByBit has completely altered the threat landscape in 2025. This $1.5 billion single incident is not only the largest cryptocurrency theft in history but also accounts for about 69% of the stolen funds from service platforms this year. Its technical complexity and scale highlight the escalating capabilities of state-sponsored hackers in the cryptocurrency space, marking a strong resurgence after a brief lull in the second half of 2024.
This super attack aligns with North Korea's overall cryptocurrency operations, which have become a core part of the country's strategy to evade sanctions. Known losses related to North Korea reached $1.3 billion last year (the worst year previously), and 2025 has already far exceeded this record.
The attack method is suspected to have utilized advanced social engineering techniques (such as infiltrating IT personnel related to cryptocurrency services), similar to past operations by North Korea. According to the latest UN report, Western tech companies have inadvertently employed thousands of North Korean workers, showcasing the destructive potential of such tactics.
Personal Wallets: The Underappreciated Frontier of Cryptocurrency Crime
Chainalysis has developed new methods to identify and track theft activities originating from personal wallets. This type of illegal activity has a low reporting rate, but its significance is increasingly recognized. Enhanced visualization reveals how attackers have diversified their targets and tactics over time.
As shown in the following chart, the proportion of personal wallet thefts in total losses continues to grow. This trend may reflect the following factors:
Improvements in security measures for mainstream services, forcing attackers to shift towards perceived easier personal targets
Growth in the number of individual cryptocurrency holders
Increased value of funds in personal wallets as mainstream crypto assets appreciate
Development of more sophisticated individual-targeted techniques (possibly aided by easily deployable LLM AI tools)
Breaking down the value of stolen personal wallets by asset type (see the chart below) reveals three key trends:
Bitcoin thefts account for a significant proportion
The average loss amount for personal wallets holding Bitcoin has increased over time, indicating that attackers are intentionally targeting high-value targets
The number of individual victims on non-Bitcoin and non-EVM chains (such as Solana) is on the rise
These factors suggest that while Bitcoin holders are less likely to become victims of targeted theft compared to holders of other on-chain assets, when they do fall victim, the amount lost is exceptionally large. A forward-looking inference is that if the value of native assets rises, the amount stolen from personal wallets is likely to increase in tandem.
Violent Factors: When Digital Crime Turns to Physical Harm
One disturbing example of personal wallet theft is the "ransom attack," where attackers use violence or coercion to obtain the victim's cryptocurrency. The following chart shows that the number of such physical attacks in 2025 is expected to reach twice that of the second-highest historical year. It is important to note that due to many cases going unreported, the actual number may be higher.
These violent incidents show a clear correlation with the moving average of Bitcoin prices, indicating that rising (or expected to rise) asset values may trigger physical attacks against known cryptocurrency holders. Although such violent cases are relatively rare, their potential for personal harm (including disability, kidnapping, and murder) elevates the social impact of these cases to an unconventional level. The following case will illustrate this specifically.
(Source: Jameson Lopp GitHub)
Case Study: How Blockchain Analysis Aided in Solving a High-Profile Kidnapping Case in the Philippines
Violent crimes involving money laundering through cryptocurrency present complex challenges for investigations, often requiring sophisticated analytical methods. A recent high-profile case in the Philippines demonstrates how blockchain analysis can provide crucial leads, even in the most severe criminal investigations.
In March 2024, the kidnapping and murder of Anson Que, CEO of Elison Steel, shocked the Philippine business community. On March 29, Que and his driver, Armanie Pabillo, were abducted in Bulacan province and later found dead in Rizal province, showing signs of severe abuse. Initially thought to be a 20 million peso kidnapping case, investigations revealed that the victim's family actually paid around 200 million pesos in ransom for Que's release.
The Philippine National Police (PNP) accused the casino intermediary companies 9 Dynasty Group and White Horse Club of orchestrating a complex money laundering operation: converting ransom originally paid in pesos and dollars into cryptocurrency through electronic wallets designed for casinos, shell accounts, and digital assets to obscure the flow of funds.
Using the Chainalysis Reactor tool, the global service team collaborated with PNP investigators to trace the ransom flow. Blockchain analysis revealed how the ransom was aggregated through a series of intermediary addresses and then further laundered through more intermediary addresses. With the assistance of the PNP, Chainalysis notified Tether and successfully froze part of the USDT funds.
Notably, the money laundering methods in this case were relatively crude, consistent with many criminal groups that use cryptocurrency for its speed and "anonymity" but lack technical expertise. Unlike traditional financial investigations where evidence is scattered across different institutions, blockchain provides a single, authoritative, and immutable ledger, allowing investigators to track the flow of funds in real-time, map networks, and generate cross-border leads.
The tragedy of Anson Que and Armanie Pabillo serves as a reminder of the human cost behind these crimes. However, this case also demonstrates that the immutability of blockchain technology can be a powerful tool for justice, ensuring that exploiters cannot easily hide in the shadows of the internet.
Geographic Patterns: Global Distribution of Victims
By combining Chainalysis geolocation data with reports of stolen funds, we can estimate the global distribution of personal wallet victim incidents. Note: This data only includes personal wallet theft incidents with reliable geolocation information and does not provide a complete view of global stolen fund activities in 2025.
Since 2025, the United States, Germany, Russia, Canada, Japan, Indonesia, and South Korea have ranked highest in terms of per capita victim numbers; meanwhile, the total number of victims in Eastern Europe, the Middle East and North Africa, as well as Central and South Asia, has grown the fastest from the first half of 2024 to the first half of 2025.
When ranked by per capita stolen amounts (see the chart below), the United States, Japan, and Germany remain in the top ten, but the severity of victimization in the UAE, Chile, India, Lithuania, Iran, Israel, and Norway leads globally.
Regional Differences in Stolen Assets from Personal Wallets
Data from 2025 shows a regional concentration pattern in cryptocurrency theft. The following chart summarizes the total value of stolen assets by region.
North America leads in both Bitcoin and altcoin thefts, which may reflect the high cryptocurrency adoption rate in the region and the activity of specialized attackers targeting large personal assets. Europe is the global center for Ethereum and stablecoin thefts, possibly indicating a high adoption rate of these assets locally or attackers' preference for highly liquid assets.
The Asia-Pacific region ranks second in total Bitcoin thefts and third in Ethereum thefts; Central and South Asia rank second in stolen amounts of altcoins and stablecoins. Sub-Saharan Africa ranks lowest in stolen amounts (with Bitcoin thefts being the second lowest), which likely reflects lower wealth levels in the region rather than a lower victimization rate among cryptocurrency users.
Cryptocurrency Money Laundering Economics
Understanding how stolen funds flow within the cryptocurrency ecosystem is crucial for prevention and law enforcement. Analysis shows significant differences in money laundering behaviors between personal wallets and service-side attacks, reflecting different risk preferences and operational needs.
For example, from 2024 to 2025, attackers targeting service platforms frequently used cross-chain bridges for "chain hopping" money laundering, with mixers being used more often. In contrast, stolen funds from personal wallets are more likely to flow towards token smart contracts (possibly involving exchanges), sanctioned entities (especially Garantex, suggesting ties to Russian perpetrators), and centralized exchanges (CEXs), indicating relatively crude laundering techniques.
During the money laundering process, operators of stolen funds pay excessive fees, and costs fluctuate dramatically over time. Notably, although the popularity of blockchains like Solana and layer-two networks has reduced average transaction costs, the premiums paid by operators of stolen funds during the same period have increased by 108%. Additionally, attackers targeting service platforms typically pay higher premiums, possibly reflecting the urgency to quickly transfer large amounts of funds before they are frozen.
These patterns overall indicate that while the vast majority of hacking attacks are financially motivated (with some exceptions like the June 19 Nobitex attack), operators of stolen funds do not care about on-chain transaction costs but prioritize transaction speed.
Interestingly, not all stolen funds immediately enter the laundering process. More stolen funds from personal wallets tend to remain on-chain, with large balances staying in addresses controlled by attackers rather than being quickly laundered or cashed out. This behavior of criminals holding onto funds may reflect their confidence in operational security or mimic mainstream cryptocurrency investment strategies.
Prevention and Mitigation Strategies
The surge in thefts from service platforms and personal wallets requires multi-layered security mechanisms. For service providers, the lessons from significant events in 2025 reiterate the following key points:
A comprehensive security culture
Regular security audits
Employee screening processes that can identify social engineering attacks
Code auditing has become increasingly important, as vulnerabilities in smart contracts are becoming the fastest-growing attack vector. Improvements in technical wallet infrastructure (especially the implementation of multi-signature hot wallets) provide an additional layer of protection for institutional security, allowing for timely damage control even if a single key is compromised.
For individuals, the escalating threats to wallets necessitate a fundamental restructuring of security concepts. The correlation between violent attacks and Bitcoin prices indicates that protecting the privacy of holdings (such as avoiding public disclosures of positions) may be as important as technical measures (using privacy coins or cold wallets). Users in countries with high victim growth need to be particularly vigilant about their digital footprints and personal safety.
As kidnappings and violent crimes related to cryptocurrency escalate, real-world personal safety has become an urgent issue. Cases targeting wealthy families in cryptocurrency indicate that digital asset holders need to consider traditional security measures, including:
Avoiding ostentation
Not disclosing holdings or trading activities on social media
Implementing basic security protocols (such as changing daily routes and being alert to surveillance)
For large holders, professional security consulting may be necessary, as the increase in digital wealth creates new risks that traditional security systems have not fully addressed.
Outlook: A Critical Turning Point
Data from 2025 to date presents an evolutionary trajectory of cryptocurrency crime. Although the cryptocurrency ecosystem is maturing in terms of regulatory frameworks and institutional security practices, the capabilities and target ranges of threat actors are also evolving.
The ByBit incident demonstrates that even leading entities in the industry struggle to withstand advanced persistent threats; the surge in personal wallet thefts indicates that cryptocurrency holders face unprecedented risks. The geographic expansion of crime and the correlation between asset prices and violent attacks add new dimensions to an already complex security environment.
The detailed blockchain analysis supporting this report lays the groundwork for more effective countermeasures. Law enforcement equipped with comprehensive transaction analysis tools can track funds more efficiently than ever, while service providers can implement targeted defenses based on attack patterns.
The cryptocurrency industry is at a critical turning point. The same transparency that fuels crime analysis also provides more efficient prevention and law enforcement tools. The challenge lies in how quickly these capabilities can be deployed to stay ahead of continuously evolving threats.
As we enter the second half of 2025, the amount of stolen cryptocurrency is at an unprecedented high. If stolen funds indeed surpass the predicted $4 billion, the industry's response in the coming months may determine whether crime trends continue to worsen or stabilize as defense systems mature.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
