North Korea ‘industrialized’ crypto theft, laundered billions: CertiK

CertiK says North Korea-linked hackers stole about 60% of the value lost to crypto hacks in 2025, with proceeds used to help fund the regime’s nuclear and ballistic missile programs, highlighting the country's growing reliance on digital assets to generate hard currency.

The findings, shared with Cointelegraph on Tuesday, come from a new Skynet report that attributes roughly $2.06 billion of an estimated $3.4 billion in 2025 crypto security losses to groups tied to the Democratic People’s Republic of Korea, or DPRK, across 79 of 656 incidents documented that year.

Between 2016 and early 2026, DPRK-linked actors stole an estimated $6.75 billion in cryptocurrency across 263 documented incidents, the report says, citing findings by independent onchain researcher Taylor Monahan.

CertiK’s analysis concludes that North Korea has “industrialized” crypto theft into a core state revenue mechanism, with open-source estimates showing how these operations represent a substantial share of the regime’s external income, as digital asset theft becomes a sustained revenue stream for the country.

Total DPRK crypto theft over the years. Source: CertiK/Skynet

The report also identifies a shift from opportunistic hot wallet compromises to fewer, higher-value operations that target the largest pools of capital.

In 2025, DPRK-linked groups were behind about 60% of the value stolen but only around 12% of total incidents, highlighting what CertiK describes as a focus on “precision and scale.”

Related: Phishing, deepfakes, supply chain attacks to fuel 2026's biggest crypto hacks: CertiK

The single largest incident, the Bybit exploit in February 2025, resulted in about $1.5 billion in losses and is attributed in the report to the TraderTraitor cluster via a supply chain compromise of a third-party signing provider.

In that case, CertiK’s onchain analysis found that about 86% of the stolen Ether was converted into Bitcoin within one month of the hack, using mixing services, cross-chain bridges, decentralized exchanges and over-the-counter brokers.

North Korea’s crypto hacks shift from phishing to physical

CertiK’s Skynet study also details a progression in tactics, showing that social engineering remains the dominant initial attack vector, including fake job offers, investor impersonation and malicious code repositories.

DPRK evolution playbook. Source: CertiK/Skynet

The report attributes the Ronin Bridge exploit in 2022 to a spearphishing campaign involving a fake LinkedIn recruiter and a malware-laden PDF, while Bybit is cited as an example of a supply chain compromise, where attackers manipulated a user interface to route funds to a malicious address without changing the apparent content of transactions.

Related: Web3 hacks cost $482M in Q1 as phishing drove majority of losses: Hacken

The most recent evolution, described by CertiK as “physical infiltration,” is illustrated with the April 2026 Drift Protocol incident, in which about $285 million was drained from a Solana-based platform after a six-month operation involving conference attendance, relationship-building and governance manipulation.

Jonathan Riss, blockchain intelligence analyst at CertiK, told Cointelegraph that DPRK-linked operations now blend intelligence tradecraft with technical exploits, warning that North Korean information technology workers and intermediaries can obtain trusted roles inside Western crypto and fintech firms under false identities.

CertiK’s report, citing United Nations monitors and United States intelligence assessments, notes that revenue from these crypto thefts is confirmed to support North Korea’s nuclear and ballistic missile programs, elevating the issue from a cybersecurity concern to one of international security, according to those cited assessments.

Asia Express: North Korea denies crypto hacks, Upbit’s bank tests Ripple