North Korea-linked hackers stole $2.06 billion in cryptocurrency during 2025, accounting for 60% of total crypto losses that year, according to CertiK’s Skynet report released May 12, 2026. The theft represents a sharp escalation in both sophistication and scale. DPRK-linked operations now blend intelligence tradecraft with technical exploits, moving beyond phishing to physical infiltration and insider placement tactics designed to fund the regime’s nuclear and ballistic missile programs.
Evolution From Phishing to Insider Placement
CertiK’s analysis documents a clear tactical shift in North Korean crypto theft operations. Initial vectors relied on opportunistic hot wallet compromises, fake job offers, investor impersonation, and spearphishing with malware-laden PDFs. The Ronin Bridge exploit in 2022, executed via spearphishing, exemplified this phase. Recent tactics have grown more surgical: DPRK operatives now attend industry conferences, build relationships with targets, and manipulate governance structures. Jonathan Riss, CertiK blockchain intelligence analyst, warned that “DPRK-linked operations now blend intelligence tradecraft with technical exploits,” noting that North Korean information technology workers and intermediaries obtain trusted roles inside Western crypto and fintech firms under false identities. Physical infiltration now complements digital attacks, marking a fundamental shift in operational methodology.
2025 Losses and High-Value Targets
In 2025 alone, DPRK-linked actors conducted 79 of 656 documented crypto theft incidents but captured disproportionate value. The $2.06 billion represented 60% of the $3.4 billion in total crypto losses that year, despite accounting for just 12% of incidents. The Bybit exchange exploit in February 2025 yielded $1.5 billion, while the April 2026 Drift Protocol drain extracted $285 million over a six-month operation. Analysis showed 86% of stolen Ether was converted to Bitcoin within one month, pointing to rapid laundering. Since 2016, DPRK-linked actors have accumulated $6.75 billion across 263 documented incidents, establishing crypto theft as a core state revenue mechanism.
Geopolitical Implications and Attribution
The shift from cybercriminal activity to state-sponsored industrial theft elevates the issue beyond cybersecurity into international security territory. United Nations monitors and United States intelligence assessments confirm stolen proceeds directly fund North Korea’s nuclear and ballistic missile programs. The TraderTraitor cluster, identified as DPRK-linked, demonstrates precision and scale in targeting high-liquidity protocols and exchanges. This represents a departure from isolated heists toward systematic wealth extraction. CertiK’s framing of operations as “industrialized” reflects institutional integration of crypto theft into state finance, comparable to sanctions evasion networks but with direct technical execution rather than intermediaries.
What Comes Next
The report identifies insider placement and physical infiltration as the current operational frontier, but does not detail the specific laundering pathways, mixing services, or OTC brokers used. None of Bybit, Ronin, or Drift Protocol has publicly commented on the report’s accuracy. The persistence of these operations despite public attribution suggests limited friction from existing enforcement mechanisms, raising questions about whether targeted sanctions or protocol-level defenses can meaningfully disrupt DPRK-linked theft at scale.