
2025 Mid-Year Report on Crypto Crime: Surge in Stolen Funds, Rising Proportion of Personal Wallet Thefts
Even leading industry platforms struggle to defend against advanced persistent threats, while the surge in individual wallet thefts indicates that cryptocurrency holders face unprecedented risks.
Author: Chainalysis
Translation: AididiaoJP, Foresight News
Key Findings
Stolen Funds
As of 2025, cryptocurrency services have suffered over $2.17 billion in thefts—exceeding the total for all of 2024. The $1.5 billion hack of ByBit by North Korea (the largest single theft in crypto history) accounts for the majority of these losses.
By the end of June 2025, the total stolen amount was 17% higher than the same period during the previously worst year, 2022. If current trends continue, stolen funds from service platforms could surpass $4 billion by year-end.
Theft from personal wallets accounts for a growing share of overall ecosystem thefts as attackers increasingly target individual users. So far in 2025, such incidents account for 23.35% of all stolen fund activity.
"Wrench attacks" (acts of violence or coercion against cryptocurrency holders) correlate with Bitcoin price fluctuations, suggesting attackers tend to strike during high-value periods.
Regional Trends
From January 2025 to mid-2025, the U.S., Germany, Russia, Canada, Japan, Indonesia, and South Korea have emerged as hotspots for victims.
Regionally, Eastern Europe, the Middle East and North Africa, and Central and South Asia saw the fastest growth in victim counts between the first half of 2024 and the first half of 2025.
There are also significant regional differences in the types of stolen assets, likely reflecting local patterns of cryptocurrency adoption.
Money Laundering Behavior
Money laundering behaviors differ between stolen funds from service platforms and those from individuals. Overall, threat actors targeting service platforms typically exhibit higher technical sophistication.
Money launderers often pay substantial premiums to move funds, with average markups fluctuating from 2.58x in 2021 to 14.5x so far in 2025.
Interestingly, while the average dollar cost of transferring stolen funds has declined over time, the on-chain markup multiple has increased.
Attackers targeting personal wallets are more inclined to keep large amounts of stolen funds on-chain rather than immediately laundering them.
Currently, $8.5 billion in cryptocurrency from personal wallet thefts remains on-chain, compared to $1.28 billion from service-side thefts.
Changing Landscape of Illegal Activities
Despite major shifts in the crypto environment, the volume of illegal transactions in 2025 is on track to reach or exceed last year’s estimated $51 billion. The closure of Russia-based sanctioned exchange Garantex and the potential designation of Cambodian Chinese-language service Huione Group (which processed over $70 billion in inflows) as a person of interest by the U.S. Financial Crimes Enforcement Network (FinCEN) have reshaped how criminals route funds within the ecosystem.
In this shifting landscape, fund theft has become the primary issue in 2025. Other forms of illegal activity show mixed year-on-year performance, while the surge in cryptocurrency theft poses not only direct threats to ecosystem participants but also long-term challenges to industry security infrastructure.
Service Platform Theft: Rapidly Escalating
The cumulative trend of stolen funds from service platforms paints a grim picture of the 2025 threat landscape. The orange line representing 2025 activity rose much faster than any previous year, surpassing $2 billion in the first half alone.

The alarming aspect of this trend is its speed and persistence. In 2022—the previous worst year—it took 214 days to reach $2 billion in stolen funds from service platforms, whereas in 2025 it took only 142 days to achieve a similar scale. Trends in 2023 and 2024 followed a more gradual accumulation pattern.
As of late June 2025, data shows a 17.27% increase compared to the same period in 2022. If the trend continues, annual stolen funds from service platforms in 2025 could exceed $4.3 billion.
The ByBit Incident: A New Benchmark in Cybercrime
The North Korean hack of ByBit has fundamentally altered the 2025 threat landscape. This single $1.5 billion incident is not only the largest cryptocurrency theft in history but also accounts for approximately 69% of all service platform thefts in 2025. Its technical complexity and scale underscore the growing capabilities of state-sponsored hackers in the crypto space and mark a strong resurgence after a brief lull in late 2024.
This mega-attack aligns with North Korea’s overall cryptocurrency operations, which have become a core component of its sanctions-evasion strategy. Last year's known losses linked to North Korea reached $1.3 billion (the previous record), already surpassed in 2025.
The attack method reportedly involved advanced social engineering tactics (such as infiltrating IT personnel at crypto-related services), consistent with past North Korean operations. According to the latest UN report, Western tech companies have unknowingly employed thousands of North Korean workers, highlighting the destructive potential of such methods.
Personal Wallets: An Underappreciated Frontier in Crypto Crime
Chainalysis has developed new methods to identify and track theft activities originating from personal wallets. Although these crimes are underreported, their significance is growing. Enhanced visualization reveals how attackers have diversified their targets and tactics over time.
As shown in the chart below, the proportion of total losses due to personal wallet thefts continues to rise. This trend may reflect the following factors:
- Improved security measures at mainstream services force attackers to shift toward targets perceived as easier to exploit
- Growing number of individual cryptocurrency holders
- Increasing value of funds in personal wallets as major crypto assets appreciate
- Development of more sophisticated individual targeting techniques (potentially enabled by accessible LLM AI tools)

Breaking down the value of personal wallet thefts by asset type (see chart below) reveals three key trends:
- Bitcoin theft constitutes a significant share
- The average loss per Bitcoin wallet increases over time, indicating attackers are deliberately targeting high-value individuals
- The number of individual victims on non-Bitcoin and non-EVM chains (such as Solana) is rising

These factors suggest that although Bitcoin holders are less likely to be targeted than holders of assets on other chains, their losses when attacked are exceptionally large. A forward-looking inference is that if native asset values rise, the amount stolen from personal wallets will likely grow correspondingly.

Physical Violence: When Digital Crime Turns into Bodily Harm
An unsettling example in personal wallet thefts is the "wrench attack," where attackers obtain cryptocurrency through physical violence or coercion. The chart below shows that in 2025, the number of such physical attacks could reach twice the level of the second-highest historical year. It should be noted that actual numbers may be even higher due to widespread underreporting.
These violent incidents show a clear correlation with the moving average of Bitcoin prices, suggesting that rising (or anticipated) asset values may trigger physical attacks against known cryptocurrency holders. While such violent cases remain relatively rare, their nature—including disability, kidnapping, and murder—elevates their societal impact to an extraordinary level. The case study below illustrates this.

(Source: Jameson Lopp GitHub)
Case Study: How Blockchain Analysis Helped Solve a High-Profile Kidnapping in the Philippines
Violent crimes involving cryptocurrency money laundering present complex investigative challenges, often requiring sophisticated analytical methods. A recent high-profile case in the Philippines demonstrates how blockchain analysis can provide crucial leads, even in the most severe criminal investigations.
In March 2024, the abduction and murder of Anson Que, CEO of Elison Steel, shocked the Philippine business community. On March 29, Que and his driver Armanie Pabillo were kidnapped in Bulacan province and later found dead in Rizal province, with clear signs of abuse. Initially believed to be a 20 million peso kidnapping, investigations revealed that the victims' families actually paid about 200 million pesos in ransom for Que’s release.
The Philippine National Police (PNP) accused casino intermediary companies 9 Dynasty Group and White Horse Club of orchestrating a complex money laundering operation: converting ransom payments originally made in pesos and dollars into cryptocurrency via electronic wallets designed for casinos, shell accounts, and digital assets to obscure the trail.
Using the Chainalysis Reactor tool, the global services team collaborated with PNP investigators to trace the ransom flow. Blockchain analysis revealed how partial ransom payments were aggregated through a series of intermediary addresses and then further laundered through additional intermediaries. With assistance from the PNP, Chainalysis notified Tether and successfully froze part of the USDT funds.

Notably, the money laundering technique in this case was relatively crude, consistent with many criminal groups that adopt cryptocurrency for its speed and perceived "anonymity" but lack technical expertise. Unlike traditional financial investigations where evidence is scattered across institutions, blockchain provides a single, authoritative, and immutable ledger, enabling investigators to track fund movements in real time, map networks, and generate cross-border leads.
The tragedies of Anson Que and Armanie Pabillo remind us of the real human cost behind these crimes. Yet this case also proves that the immutability of blockchain technology can serve as a powerful tool for justice, ensuring that perpetrators cannot easily hide in the shadows of the internet.
Geographic Patterns: Global Distribution of Victims
Combining Chainalysis geolocation data with reported stolen fund incidents allows estimation of the global distribution of personal wallet victim events. Note: This data includes only personal wallet thefts with reliable geolocation information and does not represent a complete view of all 2025 global theft activity.
So far in 2025, the U.S., Germany, Russia, Canada, Japan, Indonesia, and South Korea rank highest in per capita victim counts; meanwhile, Eastern Europe, the Middle East and North Africa, and Central and South Asia saw the fastest growth in total victim numbers between the first half of 2024 and the first half of 2025.

When ranked by average stolen amount per capita (see chart below), the U.S., Japan, and Germany remain in the top ten, but the UAE, Chile, India, Lithuania, Iran, Israel, and Norway rank among the most severely affected globally.

Regional Differences in Stolen Assets from Personal Wallets
Data from 2025 shows geographic concentration patterns in cryptocurrency thefts. The chart below breaks down total stolen value by region and asset type.
North America leads in both Bitcoin and altcoin thefts, possibly reflecting high cryptocurrency adoption rates and the presence of professional attackers targeting large individual holdings. Europe is the global center for Ethereum and stablecoin thefts, potentially indicating high local adoption or attacker preference for highly liquid assets.

The Asia-Pacific region ranks second in total Bitcoin thefts and third in Ethereum; Central and South Asia rank second in altcoin and stablecoin thefts. Sub-Saharan Africa ranks lowest in total stolen value (second to last in Bitcoin thefts), which more likely reflects lower wealth levels than a lower victimization rate among crypto users.
The Economics of Cryptocurrency Money Laundering
Understanding how stolen funds move within the crypto ecosystem is crucial for prevention and law enforcement. Analysis shows significant differences in money laundering behavior between personal wallets and service-side attacks, reflecting different risk preferences and operational needs.
For example, attackers targeting service-side systems heavily used cross-chain bridges for "chain-hopping" money laundering between 2024 and 2025, and mixers were also used more frequently. In contrast, stolen funds from personal wallets more often flowed into token smart contracts (possibly involving swaps), sanctioned entities (especially Garantex, suggesting links to Russian perpetrators), and centralized exchanges (CEXs), indicating relatively crude laundering techniques.

During money laundering, operators of stolen funds pay excessive fees, with costs fluctuating sharply over time. Notably, despite the proliferation of blockchains like Solana and Layer 2 networks reducing average transaction costs, the premium paid by stolen fund operators increased by 108% during the same period. Moreover, attackers targeting service platforms typically pay higher premiums, possibly reflecting the urgency of moving large sums before funds are frozen.
Overall, these patterns indicate that although the vast majority of hacks are financially motivated (with rare exceptions like the June 19 Nobitex attack), stolen fund operators prioritize transaction speed over on-chain cost.

Interestingly, not all stolen funds enter immediate laundering processes. Stolen funds from personal wallets are more likely to remain on-chain, with large balances staying in addresses controlled by attackers rather than being quickly laundered or cashed out. This hoarding behavior may reflect confidence in operational security or mimic mainstream crypto investment strategies.

Prevention and Mitigation Strategies
The surge in thefts from both service platforms and personal wallets requires multi-layered security mechanisms. For service providers, lessons from major 2025 incidents reinforce the following key points:
- Comprehensive security culture
- Regular security audits
- Employee screening processes capable of detecting social engineering attacks
Code audits are becoming increasingly important, as smart contract vulnerabilities are emerging as the fastest-growing attack vector. Improvements in custodial wallet infrastructure—particularly the implementation of multi-signature hot wallets—provide an additional layer of institutional security, enabling damage control even if a single key is compromised.
For individuals, the escalating threat to wallets demands a fundamental rethinking of security practices. The correlation between violent attacks and Bitcoin prices suggests that privacy about one's holdings (e.g., not disclosing them publicly) may be as important as technical measures (such as using privacy coins or cold wallets). Users in high-victim countries need to be especially vigilant about their digital footprint and personal safety.
As kidnappings and violent crimes related to cryptocurrency escalate, real-world personal safety has become an urgent issue. Cases involving families of crypto millionaires indicate that digital asset holders should consider traditional security measures, including:
- Avoiding conspicuous wealth
- Not disclosing holdings or trading activity on social media
- Implementing basic security protocols (e.g., varying daily routines, watching for surveillance)
For large holders, professional security consulting may be necessary, as growing digital wealth creates new personal-safety risks that traditional security systems have not yet fully addressed.
Outlook: A Critical Turning Point
Data from early 2025 reveals the evolving trajectory of cryptocurrency crime. While the crypto ecosystem matures in regulatory frameworks and institutional security practices, threat actors’ capabilities and target scopes are also advancing in parallel.
The ByBit incident proves that even leading industry players remain vulnerable to advanced persistent threats; the surge in personal wallet thefts highlights unprecedented risks facing cryptocurrency holders. The geographical expansion of crime and the link between asset prices and violent attacks add new dimensions to an already complex security environment.
The detailed blockchain analysis underpinning this report lays the foundation for more effective countermeasures. Law enforcement equipped with comprehensive transaction analysis tools can now trace funds more efficiently than ever before, while service providers can implement targeted defenses based on attack patterns.
The cryptocurrency industry stands at a critical turning point. The same transparency that enables crime analysis also provides more efficient tools for prevention and law enforcement. The challenge lies in rapidly deploying these capabilities to stay ahead of continuously evolving threats.
As we enter the second half of 2025, stolen cryptocurrency funds are at unprecedented highs. If thefts truly exceed $4 billion as predicted, the industry’s response in the coming months may determine whether criminal trends continue to worsen or stabilize as defense systems mature.