
Skynet DPRK Crypto Threats Report



North Korea has transformed cryptocurrency theft into a core state revenue mechanism, operating at a scale and level of coordination unmatched in the digital asset ecosystem. Our report analyzes nearly a decade of activity, finding that DPRK-linked actors have stolen an estimated $6.75 billion across 263 incidents between 2016 and early 2026. This figure likely understates the true scope, as hundreds of smaller attacks targeting individuals and early-stage projects remain underreported.

The data shows a clear pattern: fewer attacks, but disproportionately high impact. In 2025, DPRK-linked actors were responsible for $2.06 billion in losses, approximately 60% of all stolen value, despite accounting for only 12% of total incidents.

This trend has continued into 2026, where DPRK activity represents 55% of global losses year-to-date, driven by large-scale exploits such as the $291 million KelpDAO attack. The trajectory points to increasingly sophisticated operations, a highly efficient laundering pipeline, and a consistent reliance on human and supply chain vulnerabilities rather than smart contract flaws.

Key Insights

  • DPRK operations dominate global losses: Between 2016 and early 2026, DPRK-linked actors stole an estimated $6.75 billion across 263 incidents, with many smaller attacks likely uncounted.
  • High impact, low frequency strategy: In 2025, DPRK actors carried out 79 of 656 total incidents (12%) but accounted for $2.06 billion (60%) of the $3.4 billion in total losses.
  • Mega-hacks are increasing in scale: The $1.5 billion Bybit exploit (February 2025) is the largest crypto theft in history, while major incidents like Ronin ($625M) and Drift ($285M) demonstrate a clear escalation in operational sophistication.
  • 2026 losses remain heavily concentrated: From January 2026 onward, 185 incidents resulted in around $1.1 billion in losses, with ~$620.9 million (55%) attributed to DPRK, led by the $291 million KelpDAO exploit.
  • Social engineering is the primary attack vector: Most major DPRK operations begin with human manipulation, including fake job offers, VC impersonation, and malicious repositories.
  • Supply chain attacks are a defining tactic: The Bybit incident showed that even institutional-grade multisig wallets can be compromised by targeting trusted third-party infrastructure rather than smart contracts.
  • Laundering infrastructure operates at industrial scale: Within one month of the Bybit hack, 86.29% of stolen ETH was converted to Bitcoin, using mixers, bridges, DEXs, and OTC brokers.
  • Insider threats are expanding through IT worker infiltration: DPRK operatives have infiltrated DeFi teams under false identities, in some cases directly enabling the theft of funds from within.

Read our full report for more information about DPRK hacking trends and what you can do to protect your crypto.

FAQ

How much cryptocurrency has North Korea stolen to date?

DPRK-linked actors have stolen an estimated $6.75 billion across 263 incidents between 2016 and early 2026, with additional smaller attacks likely unreported.

Why do DPRK attacks account for such a large share of losses?

Their strategy focuses on high-value targets. While they represent a smaller share of total incidents, they consistently execute the largest and most impactful attacks.

What is the most common attack method used by DPRK actors?

Social engineering. Most major exploits begin with human manipulation, such as fake job offers, phishing, or compromised developer environments.

How do DPRK actors launder stolen funds?

They use a multi-step pipeline involving mixers, cross-chain bridges, decentralized exchanges, and OTC brokers. For example, 86.29% of stolen ETH from the Bybit hack was converted to Bitcoin within one month.

What are the broader implications of these thefts?

Cryptocurrency theft is not isolated financial crime. Intelligence assessments indicate that these funds are used to support North Korea’s nuclear and ballistic missile programs.
