North Korean Hackers Evolve Tactics: Launching Fake Crypto Projects to Steal Millions


Key takeaways:

  • Lazarus Group's shift to creating fraudulent projects signals a new, more insidious phase of crypto attacks requiring heightened user diligence.
  • The laundering of more than $1 billion from the Bybit hack within six months demonstrates sophisticated on-chain obfuscation, complicating recovery and tracking efforts.
  • Investors should prioritize established DeFi platforms as smaller, permissionless projects become primary targets for state-sponsored exploits.

North Korean state-sponsored hackers, primarily linked to the Lazarus Group, have significantly evolved their attack strategies, shifting from infiltrating existing platforms to creating and launching their own fraudulent cryptocurrency projects. This new approach marks a dangerous escalation in their ongoing campaign against the crypto ecosystem, which continues unabated despite market conditions.

Blockchain intelligence firm Elliptic detailed this tactical shift in a recent report, noting that the hackers are now exploiting the permissionless nature of Web3 tools to build malicious applications, meme tokens, and copycat sites designed to directly target end-users. "The main difference is that DPRK hackers now go beyond just getting into IT and crypto projects and make their own platforms," the report stated. The strategy heavily relies on social engineering and human error, using deceptive links and fake setups to trick victims into connecting wallets or granting access.
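The "granting access" step above is usually an ERC-20 `approve` or an ERC-721/1155 `setApprovalForAll` transaction that the fake site asks the wallet to sign. As an added illustration (this is not code from Elliptic's report or from the article), the snippet below decodes such a transaction's calldata and flags the patterns approval-phishing depends on: an unlimited allowance or a blanket NFT approval granted to a spender the user has not seen before. The four-byte selectors are the standard ones; the `knownSpenders` allow-list, the sample addresses and the risk labels are assumptions made for the example.

```javascript
// Added example: inspect the calldata a dapp asks a wallet to sign and flag
// access-granting calls. Standard 4-byte selectors (first 4 bytes of keccak256
// of the function signature); risk labels and the known-spender list are assumptions.

const MAX_UINT256 = (1n << 256n) - 1n;

const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",           // ERC-20 and ERC-721
  "39509351": "increaseAllowance(address,uint256)", // OpenZeppelin ERC-20
  "a22cb465": "setApprovalForAll(address,bool)",    // ERC-721 / ERC-1155
  "a9059cbb": "transfer(address,uint256)",          // plain transfer, for contrast
};

// i-th 32-byte ABI word after the selector, as a BigInt.
function word(hex, i) {
  const start = 8 + i * 64;
  const chunk = hex.slice(start, start + 64);
  if (chunk.length !== 64) throw new Error("calldata truncated");
  return BigInt("0x" + chunk);
}

// Right-most 20 bytes of an ABI word, rendered as a 0x-prefixed address.
function toAddress(w) {
  return "0x" + w.toString(16).padStart(64, "0").slice(24);
}

function inspectCalldata(calldata, opts = {}) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length < 8) throw new Error("no selector");
  const selector = hex.slice(0, 8);
  const fn = SELECTORS[selector];
  if (!fn) return { fn: null, selector, risk: "unknown", reason: "unrecognised selector" };

  const known = new Set((opts.knownSpenders || []).map((a) => a.toLowerCase()));

  if (fn.startsWith("approve") || fn.startsWith("increaseAllowance")) {
    const spender = toAddress(word(hex, 0));
    const amount = word(hex, 1);
    const unlimited = amount === MAX_UINT256;
    let risk = "low";
    let reason = "allowance to a spender on the allow-list";
    if (!known.has(spender)) {
      risk = unlimited ? "high" : "medium";
      reason = unlimited
        ? "unlimited allowance to an unknown spender"
        : "bounded allowance to an unknown spender";
    }
    return { fn, spender, amount: amount.toString(), unlimited, risk, reason };
  }

  if (fn.startsWith("setApprovalForAll")) {
    const operator = toAddress(word(hex, 0));
    const approved = word(hex, 1) === 1n;
    if (!approved) return { fn, spender: operator, approved, risk: "low", reason: "revocation" };
    const risk = known.has(operator) ? "low" : "high";
    return { fn, spender: operator, approved, risk,
             reason: risk === "high" ? "blanket NFT approval to an unknown operator" : "known operator" };
  }

  // transfer(): moves funds now rather than granting future access.
  return { fn, to: toAddress(word(hex, 0)), amount: word(hex, 1).toString(),
           risk: "info", reason: "direct transfer, not an approval" };
}

// Constructed sample calldata (addresses are placeholders, not real contracts).
const SPENDER = "0x" + "11".repeat(20);
const OPERATOR = "0x" + "22".repeat(20);
const pad = (s) => s.padStart(64, "0");
const approveUnlimited = "0x095ea7b3" + pad(SPENDER.slice(2)) + "f".repeat(64);
const setAllTrue = "0xa22cb465" + pad(OPERATOR.slice(2)) + pad("1");

console.log(inspectCalldata(approveUnlimited));
console.log(inspectCalldata(approveUnlimited, { knownSpenders: [SPENDER] }));
console.log(inspectCalldata(setAllTrue));
```

A wallet or browser extension can run this on every `eth_sendTransaction` request before showing the signing prompt; anything rated `high` deserves a second look at who the spender actually is, which is exactly the check the fake-project playbook counts on users skipping.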

The Tenexium incident on January 1, 2026, serves as a prime example of this new method. Tenexium was launched as a seemingly neutral trading protocol on the Bittensor (TAO) network. It attracted user liquidity before its website abruptly went offline, coinciding with roughly $2.5 million in suspicious outflows. Elliptic believes the project may have been founded by a North Korean IT worker posing as the project lead, and counts it as the first DPRK-linked hack of 2026.

This evolution follows the record-breaking Bybit hack in February 2025, which Elliptic describes as an inflection point for DPRK operations. Hackers laundered over $1 billion of the stolen funds within just six months using novel techniques, including strategic refund addresses, the creation of worthless tokens, and diversified use of mixing services. This laundering toolkit fundamentally changed their capabilities.

DPRK hacking activity has not slowed since. Elliptic tallied $2 billion in proven DPRK hacks for 2025, with total potential losses, including undisclosed incidents, possibly exceeding $6 billion. The pace has intensified in 2026, with the number of exploits in January doubling compared to January 2025. These stolen funds are widely believed to finance North Korea's nuclear weapons and missile programs, providing a powerful motive for the continued attacks.

Elliptic warns that smaller DeFi projects, vaults, and permissionless copycat applications remain particularly vulnerable. The firm advises users to mitigate risk by thoroughly vetting project teams, sticking to established DeFi platforms, and maintaining skepticism toward new or minor initiatives.

Disclaimer

The content on this website is provided for information purposes only and does not constitute investment advice, an offer, or professional consultation. Crypto assets are high-risk and volatile — you may lose all funds. Some materials may include summaries and links to third-party sources; we are not responsible for their content or accuracy. Any decisions you make are at your own risk. Coinalertnews recommends independently verifying information and consulting with a professional before making any financial decisions based on this content.