North Korean Hackers Stole $2.06 Billion in Crypto in 2025, 2026 Losses Already Hit $1.1 Billion


Key takeaways:

  • DPRK's shift to high-value exchange hacks heightens risks for CEX deposits, boosting demand for self-custody solutions.
  • Infiltration via remote hiring exposes Web3 protocols to insider threats, favoring projects with strong identity verification.
  • Laundering through cross-chain bridges may invite regulatory scrutiny, pressuring DeFi bridge protocols.

State-sponsored cyber actors from North Korea were responsible for over $2 billion in crypto-related losses in 2025, a 51% increase year-over-year, even as the number of attacks dropped. New reports from CertiK and CrowdStrike reveal a structural shift toward fewer but more efficient breaches targeting high-value centralized exchanges and Web3 protocols.

According to CertiK’s Skynet DPRK Crypto Threats Report, North Korean hackers have stolen an estimated $6.75 billion across 263 incidents since 2016. In 2025 alone, roughly $2.06 billion was taken, about 60% of all crypto stolen that year. In the first months of 2026, 185 incidents have already resulted in $1.1 billion in losses, underscoring the persistent and escalating nature of the threat.

CrowdStrike’s 2026 Financial Services Threat Landscape Report highlights that the financial services sector, including crypto, is now the fourth most targeted sector globally. Its data shows that DPRK-linked groups increasingly rely on social engineering, fake job offers, and insider recruitment to infiltrate developer environments and internal systems. Once inside, they deploy malware and rapidly move stolen funds across blockchains, exploiting cross-chain bridges and mixing services to evade tracking.

The Ethereum Foundation has separately identified networks of North Korea-affiliated individuals embedded in Web3 hiring pipelines, raising alarms about credential misuse and long-term access risks. One case involved a compromise at Drift Protocol tied to remote onboarding, tracked by onchain investigator ZachXBT. These infiltration techniques continue to evolve as attackers adapt to hiring and outsourcing workflows across the digital asset sector.

CertiK warns that these operations now represent one of the largest and most persistent security threats the global crypto industry faces, with state-backed groups refining their tactics and improving resilience through distributed contractor networks.
