North Korean state-linked actors have allegedly siphoned nearly $7 billion from the cryptocurrency sector over the last decade. Recent reports indicate these groups are moving beyond simple digital exploits toward sophisticated social engineering and physical infiltration.

A decade of theft totaling $6.75 billion

Security research firm CertiK reports that the Democratic People’s Republic of Korea (DPRK) has successfully stolen an estimated $6.75 billion through 263 separate incidents between 2016 and early 2026. This massive accumulation of wealth has transformed cryptocurrency hacking from a series of isolated crimes into a fundamental pillar of the North Korean state revenue stream.

The scale of these operations reached a fever pitch in 2025, when North Korean actors were responsible for $2.06 billion in losses, representing 60% of the industry's total $3.4 billion in annual thefts. This trajectory suggests that the DPRK is no longer merely testing the waters but is actively pursuing large-scale, systemic heists to fund its national interests.

The unprecedented shift to in-person infiltrations

North Korean hacking groups have moved beyond purely digital exploits to engage in sophisticated social engineering and physical infiltration. According to TRM Labs, the $285 million breach of the Drift protocol was facilitated by in-person meetings between North Korean proxies and protocol employees. This "unprecedented" tactic involves actors posing as legitimate IT employees to gain internal access to top decentralized exchanges and platforms.

KelpDAO and the 76% share of 2026 losses

The landscape of North Korean cybercrime is diversifying with the emergence of new, specialized groups. While the notorious Lazarus group was linked to last year's massive $1.5 billion Bybit exploit, a different, unnamed group recently executed the $294 million KelpDAO hack. Additionally, the TraderTraitor actor has been identified as a key player in recent breaches like the Drift incident.

The impact of these groups on the market is staggering. While some reports suggest North Korean actors account for 55% of 2026 year-to-date losses, TRM Labs estimates their actual share of the $1.1 billion stolen so far this year is closer to 76%.

Laundering through Thorchain and Tornado Cash

Once a heist is completed, North Korean actors employ complex laundering techniques to obscure the origin of the stolen funds. The report notes that hackers typically go quiet after a theft before moving assets into Bitcoin and utilizing crypto mixers such as Thorchain or Tornado Cash. They also leverage decentralized exchanges (DEXes) and over-the-counter (OTC) desks to finalize the conversion of stolen assets.

However, several critical questions remain unanswered by current security intelligence. It is still unknown who the specific new group behind the KelpDAO heist is, or how many other "in-person" infiltrations are currently active within the decentralized finance (DeFi) ecosystem. Furthermore, while the U.S. government is considering extending threat intelligence to crypto companies, it remains to be seen if this move will be enough to counter the evolving tactics of the DPRK.