Bitcoin's deadly bull run: The 2025 security crisis

Sergejs Ponomarjovs

Bitcoin's run above $120,000—reaching new all-time highs above $125,000 in early October 2025—has coincided with a dual security crisis: a sharp rise in violent "wrench attacks" against holders and record-pace digital thefts targeting the broader digital asset ecosystem, with North Korea linked to the year's largest incident. Chainalysis' mid-year findings show 2025 is on track to surpass prior records for value stolen from services, and that physical attacks rise with bitcoin's forward-looking price trend. Bitcoin's latest price highs were reached on October 5, 2025.

The picture that emerges from public data and primary sources:

  • Physical attacks are surging alongside price. Chainalysis documents a clear price-attack correlation and says 2025 is "well on track" to exceed prior peak years. An independent analysis reported a 169% increase in incidents over roughly six and a half months in 2025, drawing on Chainalysis data and Jameson Lopp's incident log. Lopp's long-running open database shows dozens of cases in 2025, already eclipsing many prior years.

  • North Korea and the Bybit theft dominate this year's service losses. On February 21, 2025, attackers stole about 401,000 ETH (~$1.5B) from exchange Bybit. On February 26, the FBI attributed the theft to DPRK actors tracked as TraderTraitor and published laundering addresses. Chainalysis notes that Bybit alone accounts for ~69% of all funds stolen from services year-to-date.

  • Digital theft totals and pace. Chainalysis recorded $2.17B stolen from services through June—17% more than 2022 at the same point—and 2025 reached $2B in 142 days versus 214 in 2022. September was particularly heavy: CertiK counted 16 incidents above $1M and about $156M in losses, while PeckShield tallied roughly $127M using a stricter set. Separate reporting on Q3 indicates centralized services bore the largest share that quarter.


Physical attacks: what the 2025 spike actually shows

  • Correlation with price. Chainalysis finds a "clear correlation" between wrench-type incidents and a forward-looking moving average of bitcoin's price: as expected future value rises, attacks follow.

  • Geography. Chainalysis highlights growth in Eastern Europe, MENA, and CSAO (Central, Southern & Eastern Asia and Oceania), while the United States and several G7 economies still account for many incidents. France has seen multiple high-profile cases in 2025 involving kidnappings and severe violence.

  • "One per week" warning. SatoshiLabs founder Alena Vránová told the Baltic Honeybadger 2025 audience that "every week, at least one Bitcoiner somewhere in the world is kidnapped, tortured or extorted." Coverage also noted incidents over amounts as low as ~$6,000 and murders near ~$50,000.


The Bybit catastrophe: attribution, method, and laundering

While Bybit is an altcoin exchange and the stolen assets were Ethereum-based, the incident illustrates the threats facing the entire digital asset space—including Bitcoin holders who use centralized services.

  • Attribution. The FBI's February 26 Public Service Announcement formally links the Bybit theft to DPRK's TraderTraitor actors, publishes addresses, and warns services to block associated flows. TRM Labs independently mapped overlaps with prior DPRK operations.

  • Probable attack path. Multiple post-mortems indicate a supply-chain/UI-level compromise connected to Safe{Wallet} infrastructure, in which malicious code or signer deception redirected a routine cold-to-hot transfer. Safe reported a developer machine compromise tied to one affected account.

  • Laundering speed. At least $160M moved within 48 hours, with hundreds of millions moved within days via swaps and bridges before off-ramps.

  • Shift into BTC. On March 20, 2025, Bybit CEO Ben Zhou said 86.29% of the stolen ETH had been converted to bitcoin as part of DPRK laundering.


2025's theft landscape and evolving methods

  • Totals and pace. $2.17B stolen from services by June (mid-year), 17% ahead of the 2022 pace; 2025 reached $2B in 142 days versus 214 in 2022.

  • Target shift. Exploitation of human and infrastructure weaknesses (keys, session tokens, third-party dev environments) continues to outpace pure protocol-level bugs. Personal-wallet compromises represent ~23.35% of stolen value year-to-date, a marked increase.

  • Unlaundered balances. Chainalysis estimates ~$8.5B from personal-wallet thefts and ~$1.28B from service thefts remain on-chain and not yet laundered.

  • North Korea's share. Separate Q3 tallies indicate about half of stolen funds were linked to DPRK-associated activity during the quarter.

  • What launderers pay for speed. To push funds through quickly, laundering entities paid ~14.5× the baseline on-chain fee in 2025 versus ~2.58× in 2021—even as average network fees fell roughly 89% since 2022.

  • Mixers and OTC. As sanctions removed prior mixers from play, YoMix grew >5× in 2023, with ~one-third of inflows tied to hack-associated wallets, and was adopted by DPRK-linked actors.


DPRK's broader campaign: social engineering and IT-worker infiltration

  • DMM Bitcoin (May 2024) shows the playbook. An employee at Ginco (DMM's wallet software vendor) was lured via a fake LinkedIn recruiter into running a malicious GitHub "coding test," enabling session-cookie theft and a manipulated wallet operation that moved 4,502.9 BTC.

  • IT-worker schemes at scale. On June 30, 2025, the U.S. Justice Department announced coordinated actions across 16 states, including searches of 29 laptop-farm locations and seizure of ~200 computers tied to DPRK remote-work revenue operations and related identity theft. U.S. Treasury guidance and sanctions throughout 2023–2025 emphasize that DPRK cyber and IT-worker activity funds WMD and missile programs. The FBI's January 23, 2025 advisory specifically warns of data-extortion by discovered DPRK IT workers.


The data-exposure problem

  • Massive leak surface. Vránová told Baltic Honeybadger attendees that >80 million digital-asset user identities are exposed online and ~2.2 million include home addresses—data criminals can cross-reference with on-chain heuristics to select targets.

  • Structure matters. Transparent, public-ledger activity is a feature, but when combined with centralized KYC data leaks, it creates a targeting map. Chainalysis emphasizes that operational security—keeping balances and personal details private—matters as much as device hygiene.


Practical security guidance for Bitcoiners (tiered by amount)

The goal is to remove single points of failure, reduce coercion risk, and preserve recoverability. This is not an endorsement of any custodial platform.

Under ~$10,000 (spending stack)

  • Use reputable mobile wallets with robust spending controls and 2FA on linked accounts. Consider Blockstream Green or BlueWallet.
  • Basic OPSEC: don't advertise holdings; separate identity from spending; keep device OS up to date.

~$10,000–$100,000 (savings stack)

  • Prefer hardware signing devices with air-gapped flows and metal backups stored separately. Trezor, Coldcard, Ledger are widely used.
  • Consider a simple 2-of-3 multisig using different vendors for key diversity; distribute backups geographically.

>$100,000 (vault stack)

  • Move to multisig setups to eliminate single-key failure and mitigate coercion risk; distribute keys across jurisdictions where possible.
  • Debifi offers non-custodial Bitcoin multisig solutions for high-value holdings.
  • Add time-locks and transaction policies where supported; implement inheritance protocols and out-of-band recovery instructions.
  • For public-facing individuals: professional physical-security consultation and home-address privacy hygiene.
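As an added illustration of the 2-of-3 multisig recommended for the savings and vault tiers above (example code written for this page, not from any wallet vendor named here): it builds the witness script with the three public keys sorted lexicographically (BIP67, so every co-signer derives the same script regardless of key order), hashes it into a native segwit P2WSH address with a self-contained bech32 encoder, and decodes the address back to confirm the checksum and the script hash. The three compressed public keys are constructed placeholders with the right shape only, not real curve points; in practice each key would come from a different hardware device, as the text recommends.

```python
import hashlib

# --- Bech32 (BIP173) helpers for native segwit v0 (P2WSH) addresses ---
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def _polymod(values):
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _convertbits(data, frombits, tobits, pad=True):
    """Regroup a byte/5-bit sequence; returns None on invalid padding when pad=False."""
    acc, bits, out = 0, 0, []
    maxv = (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad:
        if bits:
            out.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or ((acc << (tobits - bits)) & maxv):
        return None
    return out


def bech32_encode(hrp, data):
    polymod = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ 1
    checksum = [(polymod >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data + checksum)


def decode_segwit_address(hrp, addr):
    """Return (version, program) for a valid v0 address, or None if checksum/format fails."""
    if addr.lower() != addr and addr.upper() != addr:
        return None  # mixed case is forbidden by BIP173
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or addr[:pos] != hrp or any(c not in CHARSET for c in addr[pos + 1:]):
        return None
    data = [CHARSET.index(c) for c in addr[pos + 1:]]
    if len(data) < 7 or _polymod(_hrp_expand(hrp) + data) != 1:
        return None
    program = _convertbits(data[1:-6], 5, 8, pad=False)
    if program is None or data[0] != 0 or len(program) not in (20, 32):
        return None
    return data[0], bytes(program)


# --- 2-of-3 multisig witness script and its P2WSH address ---
OP_2, OP_3, OP_CHECKMULTISIG = 0x52, 0x53, 0xAE


def multisig_2of3_script(pubkeys):
    """OP_2 <pk> <pk> <pk> OP_3 OP_CHECKMULTISIG, keys sorted per BIP67."""
    if len(pubkeys) != 3:
        raise ValueError("a 2-of-3 policy needs exactly three keys")
    for pk in pubkeys:
        if len(pk) != 33 or pk[0] not in (2, 3):
            raise ValueError("compressed public keys only")
    script = bytes([OP_2])
    for pk in sorted(pubkeys):
        script += bytes([len(pk)]) + pk  # 0x21 push of 33 bytes
    return script + bytes([OP_3, OP_CHECKMULTISIG])


def witness_program(script):
    """P2WSH commits to the single SHA256 of the witness script."""
    return hashlib.sha256(script).digest()


def p2wsh_address(script, hrp="bc"):
    return bech32_encode(hrp, [0] + _convertbits(witness_program(script), 8, 5))


def example_keys():
    # Constructed placeholders: correct compressed-key shape only, NOT real curve points.
    return [bytes([0x03]) + bytes([0x33]) * 32,
            bytes([0x02]) + bytes([0xAA]) * 32,
            bytes([0x02]) + bytes([0x11]) * 32]


if __name__ == "__main__":
    script = multisig_2of3_script(example_keys())
    print("witness script:", script.hex())
    print("P2WSH address :", p2wsh_address(script))
```

The practical value of deriving the address independently is verification: before funding a vault, each co-signer (ideally on its own hardware device) should reproduce the same address from the same three keys; a coordinator that displays a different address for the same key set is exactly the kind of signer deception described in the Bybit post-mortems.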

Universal

  • Treat emails/DMs about "job tests," "urgent code reviews," or "wallet updates" as hostile by default. Validate out-of-band. (See DMM/Ginco case above.)
  • Separate devices and accounts by role (spend vs. sign vs. browse). Use passphrases and hardware-level PIN delays. Don't keep seed phrases where they can be found under duress.

Industry response

  • TRM Labs' Beacon Network. In August 2025, TRM Labs launched Beacon Network, a real-time crime-response system with major exchanges and payment firms to flag and halt tainted flows as they hit participating platforms.

Price context and the security corollary

  • Bitcoin set a then-record above $124,000 on August 14, 2025 and pushed to new highs above $125,000 on October 5, 2025.
  • Chainalysis' research indicates wrench-attack activity rises with price and expectations of future price—a forward-looking effect.

Bottom line

  • Physical risk: documented, global, and rising with price; vigilance and multisig-based designs are no longer optional.
  • Digital risk: adversaries increasingly exploit people and infrastructure, not just code; DPRK's TraderTraitor remains the most capable organized threat actor in this space.
  • Mitigation: mature OPSEC, collaborative custody, and faster cross-industry responses (e.g., Beacon) can materially cut risk—if adopted widely.

As Bitcoin developer Jameson Lopp has long cautioned, when value rises, determined adversaries follow. The task for 2025 and beyond is ensuring user security evolves just as quickly.
