Even though the industry's leading platforms are still struggling to defend against advanced persistent threats, the surge in personal wallet thefts shows that cryptocurrency holders face unprecedented risks.
Original article: 2025 Crypto Crime Mid-year Update: Stolen Funds Surge as DPRK Sets New Records
By Chainalysis
Compiled by: AididiaoJP, Foresight News
Cover: Photo by Christoph Keil on Unsplash
Key findings
Stolen funds
Cryptocurrency services have suffered more than $2.17 billion in thefts so far in 2025, far more than in all of 2024. North Korea’s $1.5 billion hack of ByBit (the largest single theft in cryptocurrency history) accounted for the majority of the losses.
As of the end of June 2025, the total amount of stolen funds is 17% higher than the previous worst period in 2022. If the current trend continues, the amount of stolen funds on service platforms may exceed US$4 billion by the end of the year.
Personal wallet thefts make up a growing share of total theft across the ecosystem, as attackers increasingly target individual users. So far in 2025, such cases account for 23.35% of all stolen funds.
“Wrench attacks” — acts of violence or coercion against cryptocurrency holders — are correlated with bitcoin price volatility, suggesting attackers tend to strike during high-value periods.
Regional Trends
So far in 2025, the United States, Germany, Russia, Canada, Japan, Indonesia and South Korea have been the main victim countries.
Regionally, Eastern Europe, the Middle East and North Africa, and Central and South Asia saw the fastest growth in the number of victims between the first half of 2024 and the first half of 2025.
There are also significant differences in the types of assets stolen across regions, which may reflect underlying patterns of local cryptocurrency adoption.
Money laundering
Laundering of funds stolen from service platforms differs from laundering of funds stolen from individuals. In general, threat actors targeting service platforms show higher technical sophistication.
Money launderers often pay excessive fees to transfer funds, with the average premium fluctuating from 2.58 times in 2021 to 14.5 times so far in 2025.
Interestingly, while the average USD cost to transfer stolen funds has decreased over time, the multiple over the average on-chain cost has increased.
Attackers targeting individual wallets are more likely to keep large amounts of stolen funds on-chain rather than launder them immediately.
Currently, $8.5 billion in cryptocurrency stolen from personal wallets remains on-chain, compared with $1.28 billion from service platforms.
Changing landscape of illegal activities
Despite significant changes in the crypto landscape, illicit transaction volume in 2025 is expected to reach or exceed last year’s estimated $51 billion. The closure of sanctioned Russian exchange Garantex and the potential designation of Cambodian Chinese service Huione Group (which processed more than $70 billion in inflows) as a subject of special interest by the U.S. Financial Crimes Enforcement Network (FinCEN) have reshaped how criminals move money through the ecosystem.
In this changing landscape, fund theft has become the top issue in 2025. Other forms of illicit activity show mixed year-on-year trends, and the surge in cryptocurrency theft poses both a direct threat to ecosystem participants and a long-term challenge to the industry's security infrastructure.
Funds stolen from service platforms: Surge
Cumulative trends in funds stolen from services paint a grim picture of the threat landscape in 2025. The orange line, representing activity so far in 2025, rose faster through June than in any previous year, surpassing the $2 billion mark in the first half of the year.

What is striking about this trend is its speed and persistence. In 2022, the previous worst year, it took 214 days for thefts from service platforms to reach $2 billion, while a similar scale was reached in just 142 days in 2025. The trend lines for 2023 and 2024 show a more moderate accumulation pattern.
Currently, the data at the end of June 2025 is 17.27% higher than the same period in 2022. If the trend continues, the amount of funds stolen from service platforms alone in 2025 may exceed US$4.3 billion.
ByBit incident: a new benchmark for cybercrime
North Korea’s hack of ByBit completely changed the threat landscape for 2025. This single $1.5 billion incident was not only the largest cryptocurrency theft in history, but also accounted for approximately 69% of the funds stolen from service platforms this year. Its technical complexity and scale highlight the escalation of state-sponsored hacking in the cryptocurrency space and mark a strong return after a brief lull in the second half of 2024.
The megaattack fits into a general pattern of North Korean cryptocurrency operations, which have become a core part of the country’s sanctions circumvention strategy. Last year’s known North Korean-related losses reached $1.3 billion (the previous worst year), and 2025 has already far surpassed that record.
The attack method appears to have used advanced social engineering tactics (such as infiltrating IT staff at cryptocurrency-related services), similar to past North Korean operations. According to a new United Nations report, Western technology companies have unwittingly hired thousands of North Korean employees, which shows the destructive power of such tactics.
Personal wallets: an underappreciated frontier for cryptocurrency crime
Chainalysis has developed new methods to identify and track thefts originating from individual wallets, an underreported but increasingly important form of illicit activity. Enhanced visualization reveals how attackers are diversifying their targets and tactics over time.
As shown in the figure below, the proportion of personal wallet thefts in total losses continues to grow. This trend may reflect the following factors:
- Improved security measures on major services are forcing attackers to turn to individuals who are seen as easier targets
- Growth in the number of individual cryptocurrency holders
- As mainstream crypto assets appreciate, the value of funds in personal wallets increases
- Development of more sophisticated individual targeting techniques (possibly aided by easily deployable LLM AI tools)

Breaking down the value of stolen wallets by asset type (see chart below) reveals three key trends:
- Bitcoin theft accounts for a significant proportion
- The average amount lost from personal wallets holding Bitcoin has increased over time, indicating that attackers are going after high-value targets
- The number of individual victims on non-Bitcoin and non-EVM chains (such as Solana) is increasing

These factors indicate that while Bitcoin holders are less likely to become victims of targeted theft than other on-chain asset holders, once they are victimized, the amount of money they lose is extremely large. A forward-looking inference is that if the value of the native asset rises, the amount of money stolen from personal wallets is likely to increase simultaneously.

Violence Factor: When Digital Crime Turns into Physical Harm
One disturbing example of personal wallet theft is the “wrench attack,” where an attacker uses physical force or coercion to obtain a victim’s cryptocurrency. The chart below shows that 2025 is expected to see twice as many such physical attacks as the next highest year on record. Note that the actual number is likely higher, as many cases go unreported.
These violent incidents have a clear correlation with the moving average of Bitcoin prices, indicating that rising asset values (or expected increases) may trigger physical attacks against known cryptocurrency holders. Although such violent cases are relatively rare, the physical harm involved (including maiming, kidnapping, and murder) gives them an outsized social impact. The following case study illustrates this in detail.

Case Study: How Blockchain Analysis Helped Solve a High-Profile Kidnapping Case in the Philippines
Violent crimes whose proceeds are laundered through cryptocurrency present complex investigative challenges that often require sophisticated analytical methods. A recent high-profile case in the Philippines illustrates how blockchain analysis can provide critical clues in even the most serious criminal investigations.
In March 2024, the kidnapping and murder of Elison Steel CEO Anson Que shocked the Philippine business community. On March 29, Que and his driver, Armanie Pabillo, were kidnapped in Bulacan and later found dead in Rizal with obvious signs of abuse. Although it was initially believed to be a 20 million peso kidnapping case, investigations revealed that the victim's family actually paid a ransom of about 200 million pesos for Que's release.
The Philippine National Police (PNP) accused casino junket companies 9 Dynasty Group and White Horse Club of orchestrating a sophisticated money laundering operation: ransom payments originally paid in pesos and dollars were converted into cryptocurrencies through electronic wallets designed specifically for casinos, shell accounts and digital assets to conceal the flow of funds.
Using the Chainalysis Reactor tool, the Global Services team worked with PNP investigators to track the ransom payments. Blockchain analysis revealed how the ransom payments were aggregated through a series of intermediary addresses and then further laundered through more intermediary addresses. With the assistance of PNP, Chainalysis notified Tether and successfully froze some of the USDT funds.

It is worth noting that the money laundering method in this case is relatively crude, which is consistent with the pattern of many criminal groups that use cryptocurrencies for their speed and "anonymity" but lack technical expertise. Unlike traditional financial investigations, where evidence is scattered among different institutions, blockchain provides a single, authoritative and tamper-proof ledger, allowing investigators to track the flow of funds in real time, draw network maps and generate cross-border leads.
The tragedy of Anson Que and Armanie Pabillo reminds us of the true human cost of these crimes. But it also demonstrates that the immutable nature of blockchain technology can be a powerful tool for justice, ensuring that exploiters cannot easily hide in the shadows of the internet.
Geographical patterns: Distribution of victims around the world
Combining Chainalysis geolocation data with stolen funds reporting records, the global distribution of personal wallet compromise incidents can be estimated. Note: This data only includes personal wallet theft incidents with reliable geolocation information, and is not a complete view of global stolen funds activity in 2025.
So far in 2025, the United States, Germany, Russia, Canada, Japan, Indonesia and South Korea have ranked among the countries with the highest number of victims per capita, while the total number of victims in Eastern Europe, the Middle East and North Africa, and Central and South Asia increased fastest between the first half of 2024 and the first half of 2025.

When ranked by amount stolen per capita (see figure below), the United States, Japan and Germany are still in the top ten, but the United Arab Emirates, Chile, India, Lithuania, Iran, Israel and Norway are the most severely affected countries in the world.

Regional differences in stolen assets from personal wallets
Data from 2025 shows a pattern of geographic concentration in cryptocurrency theft. The chart below shows the total value of theft by asset type in each region.
North America leads in both Bitcoin and Altcoin thefts, which may reflect the region’s high cryptocurrency adoption and the activity of professional attackers targeting large personal assets. Europe is the global epicenter for Ethereum and stablecoin thefts, which may indicate high local adoption of these assets or attackers’ preference for highly liquid assets.

Asia Pacific ranks second in total Bitcoin thefts and third in Ethereum thefts, while Central and South Asia rank second in Altcoin and stablecoin thefts. Sub-Saharan Africa ranks last in thefts (second-to-last in Bitcoin thefts), which is more likely to reflect lower wealth levels in the region than lower victimization rates among cryptocurrency users.
The Economics of Money Laundering with Cryptocurrencies
Understanding how stolen funds flow in the crypto ecosystem is critical to prevention and law enforcement. Analysis shows that there are significant differences in money laundering behavior between thefts from personal wallets and attacks on service platforms, reflecting different risk preferences and operational needs.
For example, in 2024-2025, attackers targeting service platforms used cross-chain bridges to launder money by “chain hopping”, and they also used mixers more frequently. In contrast, stolen funds from personal wallets flowed more to token smart contracts (which may involve exchanging tokens), sanctioned entities (especially Garantex, which may imply a connection with Russian perpetrators) and centralized exchanges (CEXs), indicating that the money laundering techniques are relatively crude.

In the money laundering process, operators of stolen funds pay excessive fees, and the costs fluctuate dramatically over time. It is worth noting that although the popularity of blockchains such as Solana and of layer-2 networks has reduced the average transaction cost, the premium paid by operators of stolen funds has increased by 108% during the same period. In addition, attackers targeting service platforms usually pay higher premiums, which may reflect the urgency of their need to quickly transfer large amounts of funds before the funds are frozen.
Overall, these patterns suggest that while the vast majority of hacking attacks are financially motivated (with the exception of individual incidents such as the Nobitex attack on June 19), the operators of the stolen funds do not care about on-chain transaction costs, but instead prioritize transaction speed.

Interestingly, not all stolen funds immediately enter the money laundering process. Funds stolen from personal wallets are more likely to remain on-chain, with large balances remaining in attacker-controlled addresses rather than being quickly laundered or cashed out. This holding behavior may reflect the attackers' confidence in their operational security, or may mirror mainstream cryptocurrency investment strategies.

Prevention and Mitigation Strategies
The surge in thefts from service platforms and personal wallets calls for a multi-layered security approach. For service providers, the lessons learned from major incidents in 2025 reiterate the following key points:
- Comprehensive security culture
- Regular security audits
- Employee screening processes to identify social engineering attacks
Code auditing is becoming increasingly important, and smart contract vulnerabilities are becoming the fastest growing attack vector. Improvements in technical wallet infrastructure (especially the implementation of multi-signature hot wallets) provide an additional layer of protection for institutional security, and can limit losses in time even if a single key is compromised.
For individuals, the escalation of threats to wallets requires a fundamental rethink of security practices. The correlation between violent attacks and Bitcoin prices suggests that keeping holdings private (for example, not disclosing them publicly) may be as important as technical measures (using privacy coins or cold wallets). Users in countries with high victim growth need to be particularly vigilant about digital footprints and personal safety.
As cryptocurrency-related kidnappings and violent crimes escalate, real-world personal safety becomes a pressing issue. Cases targeting wealthy cryptocurrency families show that digital asset holders need to consider traditional security measures, including:
- Avoid showing off your wealth
- Do not disclose your holdings or trading dynamics on social media
- Implement basic security protocols (e.g., varying daily routes, staying alert to surveillance)
For large holders, professional security consulting may be necessary. The increase in digital wealth and the vulnerability of human beings have created new risks that traditional security systems have not yet fully addressed.
Outlook: Key turning points
Data from 2025 to date shows the evolution of cryptocurrency crime. While the crypto ecosystem has matured in terms of regulatory frameworks and institutional security practices, the capabilities and target range of threat actors have also escalated.
The ByBit incident proves that even industry leaders are still unable to defend against advanced persistent threats; the surge in personal wallet thefts shows that cryptocurrency holders face unprecedented risks. The geographical expansion of crime and the correlation between asset prices and violent attacks have added new dimensions to the already complex security environment.
The detailed blockchain analysis that underpins this report lays the foundation for more effective countermeasures. Law enforcement agencies equipped with comprehensive transaction analysis tools can track funds more efficiently than ever before, and service providers can implement targeted defenses based on attack patterns.
The cryptocurrency industry is at a critical inflection point. The same transparency that facilitates criminal analysis also provides more effective prevention and law enforcement tools. The challenge is how to deploy these capabilities quickly to stay ahead of evolving threats.
As we head into the second half of 2025, the amount of cryptocurrency stolen has never been higher. If the amount stolen really exceeds $4 billion as predicted, the industry’s response in the coming months may determine whether the crime trend continues to worsen or stabilizes as defenses mature.