A neutral explainer on crypto theft: how hacks, phishing, insider abuse, and North Korean state operators steal digital assets, how stolen funds are traced, the FBI's role, and how to reduce your risk.
- Anthropic Uncovers Massive Illicit Distillation Campaigns by Chinese AI Labs Using Millions of Fraudulent Claude Queries, Calls for Coordinated Global Action to Stop Capability Theft and Safety Erosion. (2026-02)
- A 22-year-old California man has pleaded guilty to laundering millions for a massive $263M crypto theft ring that began as a group of online gaming friends before evolving into a full-scale RICO syndicate targeting hardware-wallet holders and high-value crypto users. (2025-12)
- North Korea is now using banned NVIDIA GPUs to supercharge AI-driven crypto theft. Deepfakes, tracking, and automated attacks mean hacks are scaling fast — November alone saw $172M lost. (2025-12)
- FBI identifies Lazarus Group as responsible for theft of $41 million from Stake.com (2023-09)
- Crypto hackers adapting their strategies as crypto theft decreases by two-thirds in 2023, with over $1 billion stolen compared to the record-breaking $3 billion in 2022. (2023-10)
- Bitcoin DeFi Solutions. Differences Between DLC.Link vs Babylon. While DLC.Link prioritizes decentralized, theft-proof asset management, Babylon's pooled collateral model offers BTC staking on PoS networks but with less control and security. (2024-05)
In the cryptocurrency context, theft refers to the unauthorized taking of digital assets or the data and credentials that control them—through hacking, social engineering, insider abuse, or physical coercion. Because blockchain transactions are typically irreversible and pseudonymous, stolen crypto is often unrecoverable, making theft one of the defining risks of the asset class.
This page explains how crypto theft happens, who the major actors are, how stolen funds move and are sometimes recovered, and what individuals and institutions can do to reduce their exposure.
How crypto theft differs from traditional theft
Two structural features of public blockchains shape every theft scenario. First, settlement is final: once a valid transaction is confirmed, there is no chargeback mechanism and no central administrator who can reverse it. Second, control of an asset is defined entirely by control of a private key. Whoever holds the key can move the funds, which means the practical target of most "crypto theft" is not the coins themselves but the keys, seed phrases, or account credentials that authorize a transaction.
This has a counterintuitive consequence. Although on-chain activity is transparent—every transfer is publicly visible—the openness does little to stop the initial theft. It only helps afterward, when investigators trace where funds went. The transparency is why blockchain analytics firms and the FBI can sometimes follow stolen assets across hundreds of wallets, even when they cannot freeze them.

Readers click crypto theft stories not for the exploit mechanics but for the attribution trail — state-sponsored actors, arrested ring members, and named perpetrators consistently outperform anonymous hack coverage, revealing that accountability and geopolitical stakes are the real draw.
The main categories of crypto theft
Protocol and exchange hacks. These are the large-dollar events that dominate headlines: attackers exploit a smart-contract bug, a bridge vulnerability, or compromised infrastructure to drain a platform. According to Chainalysis, more than $3.4 billion in crypto was stolen globally in 2025, with the February breach of the exchange Bybit alone accounting for roughly $1.5 billion (Chainalysis). Such events frequently involve compromised signing devices or developer environments rather than a flaw in the underlying token.
Social engineering and phishing. Many losses begin with a convincing lie rather than a code exploit. Fake apps are a recurring vector: Apple removed a fraudulent Ledger application linked to roughly $9.5 million in losses, and community alerts have flagged counterfeit Hyperliquid and other wallet apps in official app stores. Attackers also weaponize cultural hype—security firm NordVPN warned that anticipation around major game releases such as GTA 6 is being used as bait to distribute malware and steal credentials.
Infostealers and device compromise. Malware that silently harvests passwords, browser sessions, and wallet files is a growing source of loss. Russian-language cybercriminal groups have used fake Web3 games to spread infostealers that scrape wallet data, and researchers warn that aging hardware—such as unsupported iPhones that no longer receive security patches—heightens exposure to exploits and spyware. The common thread is that the user's own device becomes the breach point.
Insider and supply-chain abuse. Not all theft requires breaking in from outside. Coinbase disclosed that cybercriminals bribed overseas customer-support contractors to access user data; the company estimated remediation costs of $180 million to $400 million and said the breach touched roughly 1% of its customer base (SEC 8-K). The Coinbase case shows that exchanges' human and vendor layers can be as vulnerable as their code.
Physical and identity-based theft. As crypto wealth has grown, so has old-fashioned coercion—so-called "wrench attacks" in which holders are physically threatened into transferring funds. Identity theft is a related upstream risk: data-broker breaches that expose personal information feed targeted scams. One analysis tied roughly $21 billion in identity-theft losses to just four data-broker breaches, fueling renewed interest in on-chain privacy tools.
State-sponsored theft and North Korea
The single most important actor in crypto theft is the North Korean state. Chainalysis estimated that DPRK-linked groups stole about $2.02 billion in 2025—roughly 59% of all crypto stolen that year—pushing their all-time total above $6.75 billion (Fortune). The Bybit heist was attributed to a North Korean cluster sometimes labeled TraderTraitor, operating under the broader "Lazarus Group" umbrella tied to the country's Reconnaissance General Bureau.
For Pyongyang, crypto theft functions as a revenue engine for a heavily sanctioned regime, with proceeds widely assessed to support weapons programs. The tactics are sophisticated and increasingly automated. Reports indicate North Korean operators have used advanced AI tooling—including deepfakes and automated attack pipelines—to scale operations. A particularly insidious technique is workforce infiltration: analysts estimate that a meaningful share of crypto firms may unknowingly employ DPRK nationals using stolen or fabricated identities, and that a substantial fraction of applications to some crypto roles trace back to such operatives. These embedded "IT workers" can siphon funds, plant backdoors, or gather intelligence from inside the target.
State involvement is not limited to North Korea. The United States has sanctioned firms tied to other governments for crypto-fueled cyber operations, including the Russian company "Operation Zero" over trade-secret theft. The pattern reflects a broader reality: crypto's borderless, hard-to-freeze nature makes it attractive to sanctioned and state-aligned actors.

TL;DR: "22-year-old California resident Evan Tangeman pleaded guilty to laundering $3.5 million for a social engineering scheme that stole $263 million worth of crypto. Tangeman assisted the scheme by using a bulk-cash converter to exchange the stolen crypto into cash, which was used to obtain rental homes. Tangeman is the ninth defendant to plead guilty in the investigation."
- 01 North Korea state-sponsored hacking: The Lazarus Group's $41M Stake.com heist, DPRK GPU-powered AI attacks, and embedded operative infiltration stories show readers are gripped by the scale and geopolitical dimension of North Korean crypto theft.
- 02 Bybit $1.5B breach aftermath: Multiple headlines on the Bybit theft — the interview with Ben Zhou, NFT platform shutdown, and eXch laundering link — signal readers tracked this story across its full lifecycle.
- 03 Identity theft enabling exchange access: OKX forged judicial documents, LastPass breach draining wallets, and Robinhood SEC penalty stories share a thread of credential and identity compromise unlocking platform-level theft.
- 04 Genesis creditor $243M theft ring: Both the charges against 12 people and the eXch laundering story referencing the same incident show readers following the criminal prosecution arc of a high-profile social-engineering heist.
- 05 Malware and supply-chain wallet attacks: The Solana GitHub malicious repo and North Korean fake job site Python malware stories show readers concerned about developer-targeted attacks that bypass wallet security entirely.
- 06 Macro theft trend and year-over-year data: The 2023 two-thirds decline headline drew 335 clicks, showing readers want context on whether the overall threat environment is improving or worsening.
How stolen funds move—and how they are traced
After a theft, attackers try to break the on-chain link between the stolen funds and an identity they can be arrested for. Typical laundering steps include splitting funds across many wallets ("peel chains"), routing through cross-chain bridges and swap services, using mixers to obscure provenance, and eventually cashing out through exchanges with weak controls. In the $3 million theft from an Ellipal wallet, blockchain sleuths traced the attacker converting XRP through more than 120 cross-chain swaps—an illustration of both how funds scatter and how transparently the trail can be reconstructed.
That same transparency underpins recovery efforts. Because the ledger is public, investigators, exchanges, and analytics firms can flag tainted addresses, pressure off-ramps to freeze deposits, and build cases. Victims sometimes crowdsource the hunt with bounties: Fenbushi Capital founder Bo Shen offered up to 20% of recovered funds for information on a $42 million theft. Recovery is far from guaranteed—mixed or bridged funds can be effectively lost—but it is more feasible than in cash-based crime.
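The two paragraphs above describe peel chains and the tracing that follows them. The script below is an added illustration, not code from the page or from any analytics vendor: it runs proportional ("haircut") taint propagation over a constructed ledger of placeholder addresses, reports how much of the stolen value reached labelled exchanges and bridges, and follows the peel chain hop by hop. The ledger, the service labels and the address names are all constructed for the example; a real investigation would read these from a node or an analytics API.

```python
from collections import defaultdict

# Constructed sample ledger, not real on-chain data: (tx_id, sender, receiver,
# amount) in chronological order. Addresses are placeholder labels.
LEDGER = [
    ("t1", "victim",     "A",        100.0),  # the theft transaction
    ("t2", "A",          "B",         95.0),  # peel chain: the bulk moves on...
    ("t3", "A",          "exch_1",     5.0),  # ...and a small slice is cashed out
    ("t4", "B",          "C",         90.0),
    ("t5", "B",          "exch_1",     5.0),
    ("t6", "C",          "bridge_x",  90.0),  # the bulk leaves via a bridge
    ("t7", "clean_user", "C",         10.0),  # unrelated clean funds arrive at C
    ("t8", "C",          "exch_2",    10.0),  # C forwards only the clean funds
]

# Labels an analytics team would maintain for known services (constructed).
SERVICES = {"exch_1": "exchange", "exch_2": "exchange", "bridge_x": "bridge"}


def trace_taint(ledger, theft_tx, services=SERVICES):
    """Proportional ("haircut") taint propagation.

    Each address carries a balance and the tainted share of it. An outgoing
    transfer carries taint in the same proportion as the sender's balance, so
    clean funds that later mix into an address are not flagged. Tracing stops
    at labelled services, whose internal accounting is not on-chain.
    Returns (exposure, holding): tainted value that reached each service, and
    tainted value still sitting at unlabelled addresses.
    """
    balance = defaultdict(float)
    tainted = defaultdict(float)
    exposure = defaultdict(float)
    for tx_id, src, dst, amount in ledger:
        if tx_id == theft_tx:
            taint = amount                  # the stolen amount is fully tainted
        elif balance[src] > 0:
            taint = amount * min(1.0, tainted[src] / balance[src])
        else:
            taint = 0.0                     # funded outside the ledger: treat as clean
        if tx_id != theft_tx:
            balance[src] -= amount
            tainted[src] -= taint
        if dst in services:
            if taint > 0:
                exposure[dst] += taint
        else:
            balance[dst] += amount
            tainted[dst] += taint
    holding = {a: v for a, v in tainted.items() if v > 1e-9 and a not in services}
    return dict(exposure), holding


def follow_peel_chain(ledger, start, services=SERVICES):
    """Follow the largest outgoing transfer hop by hop until the funds reach a
    labelled service, a dead end or a cycle. Returns the path of addresses."""
    outgoing = defaultdict(list)
    for _, src, dst, amount in ledger:
        outgoing[src].append((amount, dst))
    path, current = [start], start
    while current not in services and outgoing[current]:
        _, nxt = max(outgoing[current])     # the peel keeps most of the value
        if nxt in path:
            break
        path.append(nxt)
        current = nxt
    return path


if __name__ == "__main__":
    exposure, holding = trace_taint(LEDGER, "t1")
    print("tainted value that reached services:", exposure)
    print("tainted value still unspent:", holding)
    print("peel chain from first hop:", " -> ".join(follow_peel_chain(LEDGER, "A")))
```

The haircut rule is one of several taint policies in use; "poison" (any tainted input taints the whole output) and FIFO accounting give different numbers for the same ledger, which is why exchanges receiving a freeze request usually ask which policy the tracer applied.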
Law enforcement and the role of the FBI
U.S. and international law enforcement have become active participants in crypto-theft cases. The FBI has pursued both external hackers and insider schemes: in one case it arrested a U.S. contractor's son in connection with a $46 million theft from wallets controlled by the U.S. Marshals Service, raising pointed questions about how seized government crypto is custodied. Prosecutors have also dismantled organized rings—a 22-year-old California man pleaded guilty to laundering proceeds of a $263 million theft operation that prosecutors described as a RICO syndicate, which reportedly grew out of a group of online gaming acquaintances and targeted hardware-wallet holders.
These cases highlight a maturing enforcement posture: blockchain tracing, traditional financial investigation, and conventional policing now combine in crypto cases. They also underscore that custody failures—how keys are stored and who can access them—often matter more than exotic exploits.

- 2022-12 (exploit): LastPass data breach exposing vault data
- 2023-09 (regulatory): FBI attributes $41M Stake.com theft to Lazarus Group
- 2024-08 (exploit): $243M Genesis creditor theft via social engineering
- 2025-02 (exploit): Bybit $1.5B theft — largest exchange hack on record
- 2025-03 (regulatory): eXch seized by Frankfurt prosecutors for Bybit laundering
- 2025-05 (exploit): Coinbase breach: staff bribed, $307M Q2 earnings hit
- 2025-06 (governance): Japan pushes G7 for coordinated DPRK crypto theft crackdown
- 2025-06 (regulatory): 12 charged in $243M Genesis creditor theft ring
Vulnerabilities, security tooling, and the defensive response
The attack surface keeps expanding as crypto integrates with more software. Security researchers continue to find critical flaws in widely used products—for example, vulnerabilities enabling remote code execution and API-key theft (such as CVE-2025-59536)—that can cascade into asset loss. API access itself is a risk vector: broad platform API permissions, including on social networks, can expose credentials that attackers reuse. New categories of software, such as autonomous AI "agents" that hold credentials or transact on a user's behalf, introduce fresh credential-theft and infrastructure risks that the industry is still learning to secure.
In response, a defensive ecosystem has grown. Anti-detect and isolation frameworks aim to shield Web3 assets from tracking and theft; hardware wallets and multi-signature or multi-party-computation custody reduce single points of failure; and exchanges have hardened vendor and insider controls after incidents like Coinbase's. Even AI developers are treating large-scale misuse as a theft problem—Anthropic, for instance, publicly described efforts to curb illicit "distillation" campaigns that it characterized as capability theft. Regulators are engaging too: a federal official's tour of Wyoming's digital-assets framework, undertaken amid concerns about theft, phishing, and volatility, signals that consumer-protection rules are increasingly part of the conversation.
Practical risk reduction
No single measure eliminates theft risk, but a layered approach meaningfully lowers it:
- Protect keys offline. Use a reputable hardware wallet and never enter a seed phrase into a website, app, or "support" chat. Legitimate services never ask for it.
- Verify before you download. Fake apps appear even in official stores. Confirm the developer, check reviews skeptically, and use links from the project's verified channels.
- Keep devices current. Unpatched phones and computers are prime targets; replace or update hardware that no longer receives security updates.
- Minimize approvals and API exposure. Revoke unused token approvals and limit the scope and lifespan of API keys across exchanges and connected apps.
- Assume data is already leaked. Because breaches expose personal data, treat unsolicited "urgent" contact about your accounts as hostile and verify independently.
For institutions, the lessons of recent incidents point to vendor and insider risk, signing-infrastructure hygiene, and rehearsed incident response—including pre-established lines to exchanges and law enforcement for rapid tracing.
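The "minimize approvals" item above is the one step in this list that can be turned into a repeatable check. The audit below is an added example, not code from the page or from any wallet vendor: it takes a constructed set of ERC-20 style token approvals and sorts them into a revoke / reduce / keep plan, then reports the per-token value a compromised spender could drain right now. The 90-day staleness threshold and the `UNLIMITED` constant (the 2^256-1 allowance many dApps request) are assumptions of the example; in practice the records would come from `Approval` events or `allowance()` calls via a node, which this offline version skips.

```python
from dataclasses import dataclass
from typing import Optional

UNLIMITED = 2**256 - 1   # the "infinite" allowance many dApps ask for
STALE_DAYS = 90          # assumed policy threshold, not a value from the page


@dataclass
class Approval:
    token: str
    spender: str
    allowance: int                 # in the token's smallest unit
    balance: int                   # holder's current balance of that token
    days_since_use: Optional[int]  # None if the spender has never pulled funds
    spender_trusted: bool          # spender contract recognised by the holder


def classify(a: Approval):
    """Return (action, reason) for one approval. The cheapest unambiguous
    rule fires first, so an unknown spender is revoked regardless of size."""
    if a.allowance == 0:
        return "none", "already revoked"
    if not a.spender_trusted:
        return "revoke", "unrecognised spender"
    if a.days_since_use is None or a.days_since_use > STALE_DAYS:
        return "revoke", f"not used in the last {STALE_DAYS} days"
    if a.allowance == UNLIMITED or a.allowance > a.balance:
        return "reduce", "allowance exceeds balance; cap it to the expected transfer size"
    return "keep", "bounded and recently used"


def audit(approvals):
    """Group approvals into a revoke / reduce / keep plan."""
    plan = {"revoke": [], "reduce": [], "keep": []}
    for a in approvals:
        action, reason = classify(a)
        if action != "none":
            plan[action].append((a.token, a.spender, reason))
    return plan


def exposure_by_token(approvals):
    """Per-token value drainable today through approvals the audit would not
    keep: the smaller of allowance and balance, summed per token."""
    out = {}
    for a in approvals:
        action, _ = classify(a)
        if action in ("revoke", "reduce"):
            out[a.token] = out.get(a.token, 0) + min(a.allowance, a.balance)
    return out


# Constructed sample, not data from any real wallet. Spender names are placeholders.
SAMPLE = [
    Approval("USDC", "dex_router",     UNLIMITED,     5_000_000_000, 3,    True),
    Approval("WETH", "old_bridge",     UNLIMITED,     2 * 10**18,    400,  True),
    Approval("DAI",  "0xdead_unknown", 10**21,        10**20,        1,    False),
    Approval("USDC", "lending_pool",   1_000_000_000, 5_000_000_000, 10,   True),
    Approval("LINK", "dex_router",     0,             10**18,        None, True),
]

if __name__ == "__main__":
    for action, items in audit(SAMPLE).items():
        for token, spender, reason in items:
            print(f"{action:6} {token:5} -> {spender}: {reason}")
    print("drainable now, per token:", exposure_by_token(SAMPLE))
```

Note that "reduce" rather than "revoke" is deliberate for an unlimited allowance to a spender you still use: re-approving a bounded amount costs one transaction and removes the unlimited-drain path without breaking the integration.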
- Smart-contract / Protocol (risk: High): DeFi protocols remain prime targets; the Bybit $1.5B theft and ongoing exploit activity demonstrate that even major exchanges with sophisticated infrastructure are vulnerable.
- Centralization (risk: High): Centralized exchanges and custodians (Bybit, OKX, Coinbase, Stake.com) were the primary theft vectors in the highest-clicked stories, with insider access and forged documents bypassing technical controls.
- Regulatory (risk: Medium): DOJ investigations, SEC penalties, and G7 coordination efforts show growing regulatory response to theft, but enforcement remains reactive and cross-border gaps persist for state-sponsored actors.
- Supply-chain / Developer (risk: High): Malicious NPM packages in fake GitHub repos and Python malware on fake job sites show attackers systematically targeting developers to exfiltrate private keys at the infrastructure level.
- Identity / Credential (risk: High): The LastPass breach enabling wallet drains years later, OKX forged judicial documents, and Coinbase bribed support staff illustrate that stolen credentials are a durable, long-tail theft vector.
- Market (risk: Medium): Aggregate stolen amounts declined two-thirds from 2022 to 2023, suggesting improved industry defenses, but individual incidents remain large enough to materially impact affected platforms.
Outlook
Crypto theft is unlikely to recede soon: the irreversibility that makes blockchains useful also makes them attractive to thieves, and well-resourced state actors—North Korea foremost—have industrialized the practice with AI-assisted tooling and human infiltration. The encouraging countertrend is that defenses, tracing capabilities, and law-enforcement coordination are improving in parallel, and an unverified but striking case—suspicions that a dormant ~$8 billion Bitcoin whale wallet may have been compromised—shows how closely the community now scrutinizes anomalous on-chain activity. For the foreseeable future, the practical battleground will be credentials, custody, and the human layer, not the cryptography itself.
Latest Theft news
Up to 20% of crypto firms may unknowingly employ North Korean operatives, with nearly 40% of job applications linked to DPRK infiltration. Experts warn these embedded workers fuel billions in crypto theft for nuclear programs.
Community Alert: Be careful of a fake Hyperliquid app on the Google Play Store
$3M XRP Theft From Ellipal Wallet Traced After Viral Video, as blockchain sleuths uncover attacker’s trail converting funds through 120+ Ripple-to-Tron swaps via Bridgers (formerly SWFT). The U.S.-based victim’s loss highlights how user error and poor wallet security remain leading causes of large-scale crypto thefts.