Mid-term Report on Crypto Assets Crimes in 2025: Stolen Funds Rise Significantly, Personal Wallets Become New Targets

Since the beginning of 2025, the Crypto Assets industry has suffered over $2.17 billion in fund thefts, far exceeding the total losses for the entire year of 2024. Among them, North Korea's $1.5 billion hacking attack on a certain trading platform accounts for a major portion, becoming the largest single theft case in the history of Crypto Assets.

As of the end of June 2025, the total amount of stolen funds is 17% higher than in the same period of 2022. If this trend continues, the stolen funds on the platform may exceed $4 billion by the end of the year.

The proportion of personal Wallet thefts in the overall ecosystem thefts is gradually rising, with attackers increasingly targeting individual users. From 2025 to now, such cases account for 23.35% of all stolen fund activities.

"Wrench Attack" (violent or coercive actions against Crypto Assets holders) is correlated with Bitcoin price fluctuations, indicating that attackers tend to strike during high-value periods.

Since 2025, the United States, Germany, Russia, Canada, Japan, Indonesia, and South Korea have become concentrated areas of victims. Regionally, Eastern Europe, the Middle East and North Africa, as well as Central Asia and South Asia have seen the fastest rise in the number of victims from the first half of 2024 to the first half of 2025.

The types of stolen assets vary significantly across different regions, which may reflect the underlying patterns of local Crypto Assets adoption.

There are differences in money laundering activities that involve stealing funds from service platforms and individuals. Overall, threat actors targeting service platforms tend to exhibit higher technical complexity.

Money launderers often pay excessive fees to transfer funds, with the average premium fluctuating from 2.58 times in 2021 to 14.5 times as of 2025.

Attackers targeting personal Wallets tend to keep a large amount of stolen funds on-chain rather than immediately laundering them. Currently, there are still $8.5 billion in Crypto Assets trapped on-chain in theft cases targeting personal Wallets, while the stolen funds from servers amount to $1.28 billion.

Despite significant changes in the encryption environment, the illegal trading volume from 2025 to the present is still expected to reach or exceed last year's estimated $51 billion. The closure of a sanctioned exchange and a service provider potentially being designated as a person of special interest by the U.S. Financial Crimes Enforcement Network have reshaped the flow of funds for criminals in the ecosystem.

In this changing situation, fund theft has become the primary issue in 2025. Other forms of illegal activities show mixed performance year-on-year, while the surge in Crypto Assets theft not only poses a direct threat to ecosystem participants but also brings long-term challenges to the industry's security infrastructure.

The cumulative trend of stolen funds from service platforms depicts a severe scenario for the threat landscape in 2025. In the first half of this year, it has already surpassed the $2 billion mark, with a speed far exceeding previous years. If this trend continues, the total stolen funds from service platforms in 2025 alone could exceed $4.3 billion.

A hacker attack on a trading platform has completely transformed the threat landscape in 2025. This $1.5 billion single incident is not only the largest theft of Crypto Assets in history but also accounts for about 69% of the funds stolen from service platforms this year. Its technical complexity and scale highlight the ongoing escalation of state-sponsored hackers in the realm of Crypto Assets, marking a strong return after a brief lull in the second half of 2024.

The proportion of personal Wallet theft in total losses continues to rise. This trend may reflect the following factors:

• Mainstream service security measures have improved, forcing attackers to turn to personal targets that are seen as easier to exploit.
• The number of individual Crypto Assets holders is on the rise
• With the rise of mainstream crypto assets, the value of funds in personal wallets increases.
• More complex individual orientation technology development

By analyzing the value of personal Wallet thefts by asset type, three key trends can be identified:

1. Bitcoin theft accounts for a significant proportion.
2. The average loss amount of personal wallets storing Bitcoin increases over time, indicating that attackers deliberately target high-value targets.
3. The number of individual victims on non-Bitcoin and non-EVM chains (such as Solana) is rising.

These factors suggest that while Bitcoin holders have a lower probability of becoming victims of targeted theft compared to holders of other on-chain assets, the amount of loss they incur when they do become victims is exceptionally large. The forward-looking inference is that if the value of native assets rises, the amount stolen from individual Wallets is likely to increase in tandem.

"Wrench attack" refers to attackers obtaining the victim's Crypto Assets through violent or coercive means. The number of such physical attacks is expected to double in 2025 compared to the second highest year in history. These violent incidents show a significant correlation with the moving average of Bitcoin prices, indicating that a rise (or expected rise) in asset value may trigger physical attacks against known coin holders.

From 2025 to the present, the United States, Germany, Russia, Canada, Japan, Indonesia, and South Korea rank among the countries with the highest per capita number of victims; meanwhile, the total number of victims in Eastern Europe, the Middle East, North Africa, Central Asia, and South Asia grew the fastest between the first half of 2024 and the first half of 2025.

If ranked by the average amount stolen per person, the United States, Japan, and Germany still remain in the top ten, but the severity of the victims in the UAE, Chile, India, Lithuania, Iran, Israel, and Norway leads the world.

Data from 2025 shows that there is a regional concentration pattern in crypto assets theft. North America ranks first in both Bitcoin and altcoin theft, which may reflect the high adoption rate of crypto assets in the region and the activity of professional attackers targeting large personal assets. Europe is the global center for Ethereum and stablecoin theft, which may indicate a high adoption rate of these assets locally or attackers' preference for highly liquid assets.

The Asia-Pacific region ranks second in the total amount of stolen Bitcoin, with Ethereum in third place; Central Asia and South Asia rank second in the amount stolen in altcoins and stablecoins. Sub-Saharan Africa ranks last in the amount stolen (with Bitcoin theft ranking second to last), which is more likely to reflect the lower wealth levels in the region rather than a lower victimization rate for cryptocurrency users.

Analysis shows that there are significant differences in money laundering behaviors between personal Wallets and server-side attacks, reflecting different risk preferences and operational needs. From 2024 to 2025, attackers targeting servers are extensively using cross-chain bridges for "chain jumping" money laundering, with the use of mixers also becoming more frequent. In contrast, funds stolen from personal Wallets are more often directed towards token smart contracts (which may involve exchanges), sanctioned entities, and centralized exchanges, indicating relatively crude money laundering techniques.

During the money laundering process, operators of stolen funds pay excessive fees, and costs fluctuate dramatically over time. It is worth noting that although the popularity of certain blockchains and layer two networks has reduced the average transaction costs, the premium paid by operators of stolen funds has actually increased by 108% during the same period. Additionally, attackers targeting service platforms typically pay higher premiums, which may reflect their urgency to quickly transfer large amounts of funds before those funds are frozen.

These patterns generally indicate that, although the vast majority of hacker attacks are financially motivated, the operators of stolen funds do not care about on-chain transaction costs, but rather prioritize transaction speed.

Interestingly, not all stolen funds immediately enter the money laundering process. Stolen funds from personal Wallets tend to remain on-chain, with large balances staying in the attacker-controlled address rather than being quickly laundered or cashed out. This behavior of the criminals holding onto the funds may reflect their confidence in operational security, or mimic mainstream Crypto Assets investment strategies.

The surge in thefts of service platforms and personal Wallets necessitates a multi-layered security mechanism to respond. For service providers, the lessons from major events in 2025 reiterate the following key points:

• Comprehensive Security Culture
• Regular Security Audit
• Employee screening process to identify social engineering attacks

Code auditing is becoming increasingly important, as smart contract vulnerabilities are becoming the fastest-growing attack vector. Improvements in the technical Wallet infrastructure (especially the implementation of multi-signature hot Wallets) provide an additional layer of protection for institutional security, allowing for timely loss prevention even if a single key is compromised.

For individuals, the escalation of threats against wallets requires a fundamental reconstruction of security concepts. The correlation between violent attacks and Bitcoin prices suggests that protecting coinholder privacy (such as avoiding public holdings) may be as important as technical measures (using privacy coins or cold wallets). Users in countries with high victim rise need to be particularly vigilant about their digital footprints and personal safety.

As the kidnapping and violent crimes related to crypto assets escalate, personal safety in the real world has become an urgent issue. Cases targeting the families of wealthy crypto asset holders indicate that digital asset holders need to consider traditional security measures, including:

• Avoid flaunting wealth
• Do not disclose positions or trading dynamics on social media
• Implement basic security protocols (such as changing daily routes, being vigilant against surveillance)

For large holders, professional security consulting may be necessary, as the increase in digital wealth creates new risks that traditional security systems have not yet fully addressed.

Data from 2025 to the present shows the evolutionary trajectory of Crypto Assets crime. Although the crypto ecosystem has matured in regulatory frameworks and institutional security practices, the capabilities and target range of threat actors have also upgraded accordingly.

An incident proof from a trading platform shows that even leading entities in the industry find it difficult to resist advanced persistent threats; the surge in personal Wallet thefts indicates that Crypto Assets holders are facing unprecedented risks. The expansion of criminal territories and the correlation between asset prices and violent attacks add a new dimension to an already complex security environment.

The detailed analysis of the blockchain supporting this report lays the foundation for more effective countermeasures. Law enforcement equipped with comprehensive transaction analysis tools can track funds more efficiently than ever before, while service providers can base their actions on.