North Korean Hackers Stole Over $2 Billion in Crypto During 2025


Key takeaways:

  • Exchange tokens face reputational risk as breaches by DPRK operatives undermine user trust.
  • Regulatory clampdowns on DeFi laundering routes could depress governance token prices short-term.
  • Security and insurance tokens may outperform as demand for protective measures intensifies.

Multiple blockchain intelligence firms have confirmed that North Korean state-linked hacking groups were responsible for approximately 60% of all cryptocurrency stolen in 2025, cementing the Democratic People's Republic of Korea (DPRK) as the single most dangerous actor in the digital asset space. According to reports from CertiK, Chainalysis, and Elliptic, DPRK-affiliated hackers stole at least $2.02 billion out of a total $3.4 billion in global crypto thefts last year. The findings, published in May 2026, reveal a sharp escalation in both the scale and sophistication of nation-state cyber operations, with proceeds widely believed to fund North Korea's nuclear weapons and ballistic missile programs.

Chainalysis’ 2026 Crypto Crime Report estimates that the $2.02 billion figure represents a 51% increase from 2024, pushing the regime’s all-time haul to approximately $6.75 billion across 263 documented incidents since 2016. CertiK’s own analysis, drawn from its Skynet platform, pegs the 2025 loss at $2.06 billion, while Elliptic had already tracked over $2 billion stolen by early October 2025. Despite a decline in the number of individual attacks, a handful of mega-heists drove the record total. The Bybit hack in February 2025, which saw $1.46 billion to $1.5 billion drained in just two transactions, remains the largest single crypto theft in history. U.S. authorities quickly attributed the breach to North Korean actors. Other major incidents linked to the DPRK in 2025 included compromises of LND.fi, WOO X, Seedify, and dozens of smaller services and wallet-draining campaigns.

The operational playbook has evolved significantly. Instead of relying on broad phishing or brute-force smart contract exploits, North Korean operatives increasingly embed IT workers inside exchanges, custodians, and Web3 companies to gain privileged access. Taylor Monahan, author of the CertiK report, identifies social engineering as the dominant attack vector. A striking example is the April 2026 Drift Protocol hack, where DPRK operatives spent six months posing as a quantitative trading firm before stealing approximately $285 million. Once funds are taken, laundering is swift: in one case analyzed by CertiK, 86% of stolen assets were laundered in under a month through decentralized exchanges and cross-chain bridges. CertiK and TRM Labs describe a laundering network dubbed the “Chinese Laundry,” a web of underground bankers, OTC brokers, and money transfer operators. Chainalysis notes that over 60% of stolen funds in 2025 were laundered in tranches below $500,000, a shift from previous million-dollar-plus transactions.

The geopolitical stakes are high. The United Nations and multiple intelligence agencies assess that the stolen crypto directly finances North Korea’s weapons of mass destruction programs, with the 2025 take alone potentially amounting to roughly 13% of the country’s GDP. In response, U.S. authorities have intensified legal action: the Department of Justice filed a civil forfeiture complaint in June 2025 for $7.7 million in crypto tied to laundering networks operated by North Korean IT workers, and court documents revealed that a wallet controlled by Sim Hyon Sop, a representative of North Korea’s Foreign Trade Bank, received over $24 million between August 2021 and March 2023. CertiK and other security firms now urge exchanges, protocols, and wallets to adopt video identity verification, zero-trust hiring policies, and technical reinforcement of bridges and hot wallets as non-negotiable defenses against a systemic, nation-state-level threat.
