North Korea’s Crypto Theft Becomes an Industrial-Scale Threat

North Korea-linked hackers have turned cryptocurrency theft into one of the most organized and dangerous threats facing the digital asset industry, according to new blockchain security research.

A May 2026 threat report from CertiK says North Korea-linked actors have stolen an estimated $6.75 billion across 263 crypto incidents between 2016 and early 2026. The firm said the true figure is likely higher because many smaller attacks against individuals and early-stage crypto projects go unreported. 

The report paints a picture of crypto theft that has moved far beyond opportunistic hacking. North Korean cyber units are now described as running high-value, low-frequency operations that combine social engineering, insider infiltration, supply-chain compromise and fast-moving laundering networks.

North Korea Accounts for a Disproportionate Share of Crypto Losses

The most striking part of the new data is not just the size of the losses, but the concentration. CertiK says North Korea-linked actors were responsible for $2.06 billion in losses in 2025, equal to around 60% of all stolen crypto value that year, despite accounting for only 12% of total incidents. 

That pattern suggests a mature cybercrime strategy. Instead of launching thousands of small attacks, DPRK-linked groups appear to focus on fewer targets with larger potential payouts. Major exchanges, bridges, DeFi protocols, wallet providers and infrastructure companies are especially attractive because one successful compromise can unlock hundreds of millions of dollars.

Chainalysis reached a similar conclusion in its 2025 crypto theft analysis, reporting that North Korean hackers stole $2.02 billion in cryptocurrency in 2025, a 51% increase from 2024. The firm also noted that DPRK actors were achieving larger thefts with fewer incidents, often through IT worker infiltration and executive impersonation tactics. 

The Bybit Hack Became a Turning Point

The most visible example remains the February 2025 Bybit hack. The FBI publicly attributed the theft of approximately $1.5 billion in virtual assets from the exchange to North Korea and identified the activity as “TraderTraitor.” The agency said the stolen assets were quickly converted into Bitcoin and other virtual assets, then dispersed across thousands of addresses on multiple blockchains. 

CertiK’s report says the Bybit incident showed how even institutional-grade multisig wallet systems can be compromised when attackers target trusted third-party infrastructure instead of exploiting smart contract code directly. The firm added that 86.29% of the stolen ETH from the Bybit hack was converted to Bitcoin within one month through mixers, bridges, decentralized exchanges and over-the-counter brokers. 

That speed matters. In major crypto thefts, the first hours and days are critical. Once stolen assets move across chains, pass through mixers, enter decentralized exchanges or reach loosely regulated brokers, recovery becomes far more difficult.

Social Engineering Is Now the Main Attack Vector

The stereotype of a crypto hack is often a coding flaw buried inside a smart contract. That still happens, but the North Korea threat looks different.

CertiK says most major DPRK-linked operations begin with human manipulation. Common tactics include fake job offers, venture capital impersonation, phishing, malicious code repositories and compromised developer environments. 

This is a major warning for crypto companies. A project can audit its smart contracts and still lose funds if an employee signs a malicious transaction, downloads infected software, accepts a fake business meeting or unknowingly hires a North Korean IT worker using a false identity.

CSIS has described North Korea’s crypto theft and laundering model as distinctive because it is carried out by state-directed criminal networks, often enabled by overseas IT workers. Those workers can help gain access to companies, implant malicious code or support laundering operations after a theft. 

2026 Shows the Threat Is Still Growing

The problem has not slowed in 2026. CertiK says DPRK-linked activity represented 55% of global crypto losses year-to-date, driven by large-scale exploits including the KelpDAO attack. 

TRM Labs reported an even sharper concentration through April 2026, estimating that North Korean hackers stole about $577 million in just two major crypto attacks, accounting for 76% of all crypto hack losses through that point in the year. TRM identified the Drift Protocol and KelpDAO incidents as the main drivers of those losses. 

The firm also said North Korea’s share of total crypto hack losses has risen dramatically over time, from under 10% in 2020 and 2021 to 64% in 2025 and 76% through April 2026. 

That acceleration makes the issue more than a crypto industry problem. It is now a sanctions, national security and financial crime issue.

Stolen Crypto Is Linked to Weapons Financing

U.S. authorities have repeatedly linked North Korean cyber theft to the regime’s weapons programs. The U.S. Treasury Department has said the Lazarus Group and related DPRK cyber actors use illicit tactics, including digital asset heists, to generate revenue for North Korea’s unlawful weapons of mass destruction and ballistic missile programs. 

The Treasury Department has also targeted mixers and financial facilitators used in DPRK laundering networks. In one action, it sanctioned Sinbad, calling it a preferred mixing service for the Lazarus Group and saying it was used to launder stolen virtual currency from major crypto thefts including Atomic Wallet, Axie Infinity and Horizon Bridge. 

The Associated Press reported in 2025 that U.S. sanctions targeted North Korean bankers, financial institutions and others accused of laundering money from cybercrime schemes, with Treasury saying North Korean malware and social engineering schemes had diverted more than $3 billion, mostly in digital assets, over three years. 

Crypto Laundering Has Become More Professional

The laundering process has become almost as important as the theft itself. After major hacks, stolen funds are often split across many wallets, bridged to other blockchains, swapped through decentralized exchanges and routed through mixers or over-the-counter brokers.

CertiK describes the laundering infrastructure as operating at industrial scale. TRM has also highlighted the role of cross-chain tools such as THORChain in moving stolen assets, especially when attackers want to convert stolen ETH into Bitcoin. 

This creates a difficult challenge for exchanges, DeFi protocols and law enforcement. Public blockchains are transparent, which allows investigators to follow funds. But when stolen assets move quickly across chains and through services that resist freezing or compliance requests, tracing does not always lead to recovery.

What Crypto Companies Need to Change

The latest findings suggest that crypto security can no longer focus only on smart contract audits. Audits still matter, but North Korea-linked attackers often go after people, workflows and trusted vendors.

Crypto companies need stronger employee screening, deeper vendor due diligence, strict transaction approval controls and better monitoring for fake candidates or remote workers using fabricated identities. Teams also need to train staff to recognize job-offer malware, fake investor outreach, malicious GitHub repositories and social engineering attempts aimed at developers or executives.

The FBI has urged exchanges, bridges, blockchain analytics firms, DeFi services and other virtual asset providers to block transactions connected to North Korean laundering addresses. 

A Defining Security Test for Web3

North Korea’s crypto theft campaign shows how valuable digital assets have become. Crypto is liquid, global, fast-moving and often easier to launder than traditional bank funds. Those same features that make blockchain useful for open finance also make it attractive to state-backed cyber actors.

The industry’s response will define the next phase of Web3 security. Better code is not enough. Crypto firms now need bank-grade compliance, intelligence sharing, operational security and rapid-response systems that can freeze or flag stolen funds before they disappear.

The message from the latest research is clear: North Korea’s crypto theft operation is no longer a series of isolated hacks. It is an industrial-scale financial machine, and the digital asset industry is one of its main targets.
