North Korean hacker groups have transformed cryptocurrency theft into a large-scale state operation, complete with their own money laundering infrastructure and a network of IT agents, according to analysts at CertiK.
DPRK-linked actors have stolen an estimated $6.75B across 263 crypto incidents since 2016.
In 2025 alone, they accounted for 60% of all stolen value despite just 12% of incidents.
Read our full Skynet DPRK Crypto Threats Report below: https://t.co/06QCTVvi0E
CertiK (@CertiK), May 12, 2026
Researchers estimate that from 2017 to early 2026, North Korean entities stole over $6.7 billion in digital assets across 263 incidents. The actual losses are likely underestimated, as they do not account for "hundreds of minor attacks" on individuals and projects during the early years of the crypto industry.
In 2025 alone, North Korean-backed entities caused $2.06 billion in damage to the industry, approximately 60% of all value stolen that year, despite accounting for only 12% of incidents.
Damage to the crypto industry from hacks and the share of North Korean hackers over the years. Source: CertiK.
Tactical Changes
CertiK noted that North Korean groups have shifted from "chaotic attacks" to more professional operations with clear role divisions. Some units focus on social engineering, while others compromise infrastructure. Money laundering is also handled by specialized personnel.
Analysts identified periods during which hackers concentrated on specific attack vectors:
- Hot wallets of exchanges (2017-2019): insufficient security measures made these easy targets (cases include Bithumb, Coincheck, and others).
- DeFi protocols and cross-chain bridges (2020-2023): these became relatively accessible targets as centralized platforms enhanced their cybersecurity. Examples include Ronin Bridge and Harmony Horizon.
- Supply chains (2024-2026): instead of directly attacking exchanges, criminals shifted to compromising third-party infrastructure providers. A notable case involved the theft of $1.5 billion from Bybit through the compromise of a product from Safe.
- Physical infiltration (from 2025): attacks began to combine social engineering methods, embedding IT agents in crypto companies, and posing as fake venture investors to contact projects. An example is the Drift Protocol hack, which resulted in a $280 million loss.
Evolution of cyberattack focus by North Korean hackers. Source: CertiK.
Asset Laundering
Following the major $1.5 billion hack of Bybit, attributed to the Lazarus group, approximately 86% of the stolen funds in Ethereum were converted to Bitcoin in less than a month.
To cover their tracks, they employed:
- rapid asset transfers between different blockchains (chain hopping);
- cross-chain bridges;
- crypto mixers;
- over-the-counter brokers;
- underground banking networks in Asia.
Analysts emphasized that the money laundering infrastructure for hackers has become "as important as the attacks themselves."
The "Army of IT Workers"
Researchers have linked a separate threat to North Korean IT specialists who pose as remote employees to gain employment in Western companies.
These agents can:
- gain access to internal systems;
- participate in code development;
- embed malicious components;
- collect data for future attacks.
In some cases, AI tools and deepfake technologies were used to pass interviews.
It is worth noting that the North Korean Foreign Ministry denied allegations of the country's involvement in cryptocurrency thefts, calling such claims "absurd slander" and a "political tool" of the U.S.
