2025 Mid-Year Report on Crypto Crimes: Stolen Funds Surge to $2.17 Billion, Proportion of Individual Wallets Stolen Increasing

Main Findings

Fund Theft Situation

Since the beginning of 2025, the funds stolen from cryptocurrency services have exceeded $2.17 billion, far surpassing the total for the whole of 2024. A single trading platform suffered a $1.5 billion hacker attack (the largest single theft in cryptocurrency history), which accounted for the majority of the losses.

As of the end of June 2025, the total amount of stolen funds is 17% higher than the same period in 2022, which was previously the most severe. If the current trend continues, the amount of stolen funds from service platforms may exceed $4 billion by the end of the year.

The proportion of personal Wallet thefts in overall ecological thefts is gradually increasing, with attackers increasingly targeting individual users. From 2025 to the present, such cases account for 23.35% of all stolen fund activities.

Violent or coercive acts against cryptocurrency holders are correlated with Bitcoin price fluctuations, indicating that attackers tend to strike during periods of high value.

Regional Trends

Since 2025, the United States, Germany, Russia, Canada, Japan, Indonesia, and South Korea have become hotspots for victims.

From a regional perspective, Eastern Europe, the Middle East and North Africa, as well as Central Asia and South Asia, will see the fastest growth in the number of victims from the first half of 2024 to the first half of 2025.

The types of stolen assets vary significantly across different regions, which may reflect the underlying patterns of local cryptocurrency adoption.

money laundering behavior

There are differences in money laundering activities that involve stealing funds from service platforms and individuals. Overall, threat actors targeting service platforms typically exhibit higher technical complexity.

Money launderers often pay excessive fees to transfer funds, with the average premium fluctuating from 2.58 times in 2021 to 14.5 times to date in 2025.

Interestingly, although the average cost of transferring stolen funds in dollars has decreased over time, the multiple of the on-chain average cost has increased.

Attackers targeting individual wallets are more inclined to keep a large amount of stolen funds on-chain rather than laundering them immediately.

Currently, there is still $8.5 billion in cryptocurrency trapped on the chain in theft cases targeting personal Wallets, while the amount stolen from the server is $1.28 billion.

Changes in the Environment of Illegal Activities

Despite significant changes in the encryption environment, the illegal trading volume from 2025 to date is still expected to reach or exceed last year's estimated $51 billion. The closure of a Russian exchange and the potential designation of a Chinese-speaking service provider in Cambodia (which handles over $70 billion in inflows) as a person of particular concern by the U.S. Financial Crimes Enforcement Network have reshaped the way criminals move money within the ecosystem.

In this changing situation, fund theft has become the primary issue of 2025. Other forms of illegal activities have shown mixed performance year-on-year, while the surge in cryptocurrency theft poses a direct threat to ecosystem participants and presents long-term challenges to the industry’s security infrastructure.

funds stolen from the service platform: are on the rise

The cumulative trend of funds stolen from service platforms paints a grim picture of the threat landscape for 2025. The activity so far this year has surpassed the pace of any previous year before June, with the first half of the year breaking the $2 billion mark.

The astonishing aspect of this trend is its speed and persistence. The previous most severe theft from a service platform in 2022 required 214 days to steal $2 billion, while in 2025, a similar scale was achieved in just 142 days. The trend lines for 2023 and 2024, however, show a more moderate accumulation pattern.

As of now, the data for the end of June 2025 has increased by 17.27% compared to the same period in 2022. If this trend continues, the total amount of stolen funds from service platforms in 2025 may exceed $4.3 billion.

A certain trading platform incident: A new benchmark for cybercrime

North Korea's hack of a certain trading platform has completely changed the threat landscape for 2025. This single incident of $1.5 billion is not only the largest cryptocurrency theft in history but also accounts for about 69% of the funds stolen from service platforms this year. Its technical complexity and scale highlight the ongoing escalation of state-sponsored hackers in the cryptocurrency field and signify a strong return after a brief lull in the second half of 2024.

This super attack aligns with the overall pattern of North Korea's cryptocurrency operations, which have become a core part of the country's strategy to evade sanctions. The known losses related to North Korea last year reached $1.3 billion (the worst year previously), and by 2025, this record has already been far exceeded.

The attack method is suspected to have utilized advanced social engineering techniques (such as infiltrating IT personnel related to cryptocurrency services), which is similar to past operations by North Korea. According to the latest report from the United Nations, Western tech companies have inadvertently employed thousands of North Korean workers, highlighting the destructive potential of such methods.

Personal Wallet: The Frontline of Cryptocurrency Crime Not Receiving Adequate Attention

The development of new methods has made it possible to identify and track theft activities originating from individual Wallets. Such illegal activities have a low reporting rate, but their significance is becoming increasingly prominent. Enhanced visualization reveals how attackers diversify their targets and tactics over time.

The proportion of personal wallet thefts in total losses continues to grow. This trend may reflect the following factors:

• Improvements in mainstream service security measures have forced attackers to turn to personal targets, which are seen as easier to exploit.
• The number of individual cryptocurrency holders is increasing.
• As mainstream cryptocurrency assets appreciate, the value of funds in personal wallets increases.
• More complex individual-oriented technology development (possibly benefiting from easily deployable LLM AI tools)

By categorizing the stolen value of personal wallets by asset type, three key trends can be identified:

1. Bitcoin theft accounts for a significant proportion
2. The average loss amount of personal Wallets storing Bitcoin increases over time, indicating that attackers are intentionally targeting high-value targets.
3. The number of individual victims on non-Bitcoin and non-EVM chains (such as Solana) is rising.

These factors indicate that although Bitcoin holders are less likely to become victims of targeted theft compared to holders of other on-chain assets, once victimized, the amount of their losses tends to be exceptionally large. The forward-looking inference is that if the value of native assets increases, the amount stolen from individual Wallets is likely to grow in tandem.

Violent Factors: When Digital Crimes Turn into Physical Harm

An unsettling example of personal Wallet theft is the "wrench attack", where attackers obtain the victim's encryption through violence or coercion. The number of such physical attacks in 2025 is expected to reach twice that of the second highest year in history. It is important to note that due to many cases not being reported, the actual numbers may be even higher.

These violent incidents have a clear correlation with the moving average of Bitcoin prices, indicating that an increase (or expected increase) in asset value may trigger physical attacks against known cryptocurrency holders. Although such violent cases are relatively rare, their personal injury attributes (including disability, kidnapping, and murder) elevate the social impact of these cases to an unconventional level.

Case Study: How Blockchain Analysis Aided in Solving a High-Profile Kidnapping Case in the Philippines

Violent crimes involving money laundering through cryptocurrency pose complex challenges for investigations, often requiring sophisticated analytical methods. A recent high-profile case in the Philippines demonstrated how blockchain analysis can provide crucial leads, even in the most serious criminal investigations.

In March 2024, the kidnapping and murder of Elison Steel CEO Anson Que shocked the business community in the Philippines. On March 29, Que and his driver Armanie Pabillo were kidnapped in Bulacan province, and later found dead in Rizal province, showing signs of clear abuse. Initially believed to be a 20 million peso kidnapping case, investigations revealed that the victim's family actually paid around 200 million pesos in ransom for Que's release.

The Philippine National Police accused the casino intermediary companies 9 Dynasty Group and White Horse Club of orchestrating a complex money laundering operation: converting ransom originally paid in pesos and dollars into cryptocurrency through electronic wallets specifically designed for casinos, shell accounts, and digital assets to conceal the flow of funds.

Using blockchain analysis tools, investigators traced the flow of ransom payments. The analysis revealed how the ransom was aggregated through a series of intermediary addresses, and then further laundered through more intermediary addresses. With the assistance of the police, part of the USDT funds was successfully frozen.

It is worth noting that the money laundering method in this case is relatively crude, which is consistent with the model of many criminal groups that focus on the speed and "anonymity" of cryptocurrency but lack professional skills. Unlike traditional financial investigations where evidence is scattered across different institutions, the blockchain provides a single, authoritative, and tamper-proof ledger, allowing investigators to track the flow of funds in real-time, map networks, and generate cross-border leads.

The tragedy of Anson Que and Armanie Pabillo reminds us of the true human cost behind these crimes. However, this case also proves that the immutability of blockchain technology can be a powerful tool for justice, ensuring that exploiters cannot easily hide in the shadows of the network.

Regional Mode: Global Victim Distribution

By combining geographical location data with reports of stolen funds, the global distribution of personal Wallet victim events can be estimated. Note: This data only includes personal Wallet theft events with reliable geographical location information and is not a complete view of global stolen funds activities in 2025.

From 2025 to the present, the United States, Germany, Russia, Canada, Japan, Indonesia, and South Korea rank as the countries with the highest per capita victim numbers; while the total number of victims in Eastern Europe, the Middle East, North Africa, Central Asia, and South Asia grew the fastest between the first half of 2024 and the first half of 2025.

If ranked by the average amount stolen per person, the United States, Japan, and Germany still remain in the top ten, but the severity of victims in the UAE, Chile, India, Lithuania, Iran, Israel, and Norway is globally leading.

Regional differences in personal Wallet asset theft

Data from 2025 shows that cryptocurrency theft exhibits a regional concentration pattern.

North America ranks first in both Bitcoin and altcoin thefts, which may reflect the region's high adoption rate of encryption and the activity of professional attackers targeting large personal assets. Europe is the global center for Ethereum and stablecoin thefts, which may indicate a high local adoption rate of these assets or attackers' preference for high liquidity assets.

The Asia-Pacific region ranks second in the total amount of stolen Bitcoin, with Ethereum in third place; Central Asia and South Asia rank second in the amount of stolen altcoins and stablecoins. Sub-Saharan Africa ranks last in terms of stolen amounts (with the second lowest amount of stolen Bitcoin), which is more likely to reflect the lower wealth levels in the region rather than a lower victimization rate among cryptocurrency users.