NEW YORK, May 13, 2026 (GLOBE NEWSWIRE) -- CertiK today released its latest report analyzing North Korea's role in cryptocurrency-related cybercrime, revealing that DPRK-linked threat actors have stolen an estimated $6.75 billion across 263 incidents between 2016 and early 2026. The findings highlight the evolution of state-sponsored cyber operations into a sustained, industrial-scale revenue stream.

The report underscores a structural shift in the threat landscape: fewer attacks, but significantly higher impact, with North Korea consistently responsible for the largest and most sophisticated exploits in the digital asset ecosystem.

A Disproportionate Share of Global Losses

According to the report, the broader crypto ecosystem recorded 656 security incidents in 2025, resulting in $3.4 billion in total losses. Of these, 79 incidents (12%) were attributed to DPRK-linked actors, yet they accounted for $2.06 billion, or approximately 60% of all funds stolen. This imbalance reflects a deliberate strategy focused on high-value targets, rather than volume.

The report also highlights a series of increasingly large exploits, culminating in the $1.5 billion Bybit hack in February 2025, the largest cryptocurrency theft on record. Additional case studies, including the $625 million Ronin Bridge exploit (2022) and the $285 million Drift Protocol attack, illustrate a steady escalation in technical sophistication and financial impact.

The trend has continued into 2026. From January onward, 185 incidents resulted in approximately $1.1 billion in total losses, with $620.9 million (55%) attributed to DPRK actors. A significant portion of this figure stems from the $291 million KelpDAO exploit, further reinforcing the concentration of losses among a small number of high-value attacks.

Human Vulnerabilities, Not Code, Remain the Primary Target

A key finding of the report is that DPRK-linked attacks rarely rely on exploiting smart contract vulnerabilities. Instead, they consistently target human and operational weaknesses.

Social engineering remains the dominant entry point, including fake job offers, impersonation of venture capital firms, and compromised developer environments. In parallel, supply chain attacks have emerged as a defining tactic. The Bybit incident demonstrated that even institutional-grade multisignature wallets can be compromised by targeting trusted third-party infrastructure rather than the underlying code.

Laundering Infrastructure Operates at Industrial Scale

Beyond initial compromise, DPRK-linked actors have developed a highly efficient laundering pipeline. Within one month of the Bybit exploit, 86.29% of stolen ETH had been converted into Bitcoin, using a combination of mixing services, cross-chain bridges, decentralized exchanges, and over-the-counter (OTC) brokers.

This level of coordination points to a mature, systematized process designed to rapidly obfuscate and redistribute stolen assets.

Expanding Threat Surface Through Insider Infiltration

CertiK's report identifies a growing risk from insider threats. DPRK operatives have infiltrated DeFi projects under false identities, securing employment within target organizations. In several documented cases, these individuals have facilitated or enabled attacks from within, providing intelligence or direct access to critical systems.

National Security Implications

The findings reinforce that cryptocurrency theft linked to the DPRK extends beyond financial crime. According to international monitoring bodies and intelligence assessments, proceeds from these operations are used to support North Korea's nuclear and ballistic missile programs.

Full report: https://indd.adobe.com/view/595e40e3-3953-4d4b-aeaa-3e9954d5d844

Tags：