There is no other threat in crypto quite like it. A nation-state, cut off from the global financial system, has turned cryptocurrency theft into a core instrument of statecraft — funding weapons programs with stolen digital assets and getting better at it every year.

The numbers in 2026 are no longer shocking only for their size. They’re shocking for their share. North Korea isn’t one crypto threat among many. For stretches of this year, it has been the overwhelming majority of the problem.


The Scale

DPRK-linked actors stole approximately $2.02 billion in crypto in 2025 — a roughly 51% year-over-year increase — pushing their all-time cumulative theft to about $6.75 billion. That is not a rounding error in some global total; it is a sovereign-scale treasury built almost entirely from other people’s coins.

And 2026 has been worse in concentration. North Korean hackers accounted for roughly 76% of all crypto hack value through April 2026. When three out of every four stolen dollars trace back to a single state actor, “crypto security” and “countering North Korea” have become nearly the same problem.


The Heists That Define the Era

Two attacks anchor the recent record.

The February 2025 Bybit theft — approximately $1.5 billion in Ethereum, the largest single cryptocurrency theft in history — was attributed by the FBI to the Lazarus cluster it tracks as TraderTraitor. It set a grim new ceiling for what a single operation could extract.

In April 2026, the ~$292 million KelpDAO exploit was attributed to the same North Korean group. Different target, different chain, same fingerprints — a demonstration that the operation behind Bybit is not a one-time event but an ongoing, industrial capability.

What links these isn’t a single clever exploit. It’s patience, resources, and a willingness to play a long game against human targets.


The Infiltration Model: From Job Seekers to Fake Recruiters

The most insidious evolution in North Korea’s playbook is how it gets inside its targets.

What began as DPRK operatives applying for remote jobs at crypto firms has matured into something more aggressive: orchestrating fake hiring processes and posing as recruiters for prominent companies. Instead of waiting to be hired, operatives now run the trap from the other side — luring developers and employees into fraudulent interview pipelines designed to deliver malware, harvest credentials, or establish a foothold.

This is social engineering as a national program. It’s why so many of 2026’s largest losses trace back not to broken smart contracts but to compromised people and keys. A patient adversary that can place or manipulate an insider doesn’t need a zero-day; it needs an opening, and a fake job offer is a remarkably effective one.


Laundering That Survives Every Sanction

Stealing the funds is only half the operation. Moving them is where North Korea has shown unnerving resilience.

After the U.S. sanctioned the mixer Tornado Cash and the service Sinbad.io, DPRK operators didn’t stop laundering — they rerouted. Flows shifted toward cross-chain bridges, primarily THORChain, and exchange-adjacent services such as eXch. Each round of sanctions removes a tool; each time, the laundering infrastructure adapts and continues. It has proven durable across multiple successive rounds of enforcement.

This is the cat-and-mouse dynamic at the heart of crypto sanctions: the rails are global, permissionless, and quick to substitute. Cut off one path and the value finds another.


The Sanctions Response

Governments are pushing back, and the response is broadening beyond the United States.

On March 12, 2026, OFAC designated new targets tied to North Korea’s IT-worker program — directly attacking the infiltration pipeline that feeds so many breaches. By naming the people and entities behind the fake-recruiter operations, the U.S. aims to raise the cost and friction of the model itself.

Australia has also imposed sweeping sanctions on several North Korean hacking units accused of stealing billions in crypto to fund Pyongyang’s weapons programs, targeting cybercrime units linked to North Korea’s Reconnaissance General Bureau (RGB) — including the Lazarus Group. The widening circle of sanctioning nations signals that DPRK crypto theft is increasingly treated as a shared international security problem, not a niche cybercrime issue.


What Firms Should Do

If the dominant crypto threat enters through people, then the defense has to start there too.

  • Harden your hiring pipeline. Verify recruiters and candidates rigorously. Be suspicious of unsolicited “interviews” that push downloads, test files, or screen-sharing of sensitive environments. The fake-recruiter trap depends on normal hiring trust.
  • Treat insider and supply-chain risk as first-class. Assume a sophisticated adversary may try to place or compromise someone with access. Limit blast radius with least-privilege access, segregation of duties, and strong controls around anything that can move funds or deploy code.
  • Lock down keys. Hardware-backed key management, genuinely independent multisig, and out-of-band verification for high-value actions are the controls that turn a single compromise into a contained incident rather than a nine-figure loss.
  • Screen and monitor flows. Sanctions screening and on-chain monitoring won’t stop a theft, but they raise the cost of laundering and improve the odds of recovery and attribution.
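
One way to enforce the key, segregation-of-duties and screening controls listed above before anything is signed, written here as an added example that is not from the original article: a pre-signing policy check. The threshold, quorum size, field names and deny-list entry are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Thresholds, names and the deny-list entry are constructed for illustration.
HIGH_VALUE_USD = 100_000   # assumed: at or above this, require out-of-band confirmation
REQUIRED_APPROVALS = 2     # assumed quorum (M of N)
DENYLIST = {"0xSANCTIONED_PLACEHOLDER"}  # stand-in for a sanctions screening feed


@dataclass(frozen=True)
class Approver:
    name: str
    custody_domain: str    # which HSM, device fleet or vendor holds this key
    team: str


@dataclass
class TransferRequest:
    initiator: str
    destination: str
    amount_usd: int
    approvals: list = field(default_factory=list)  # list of Approver
    oob_confirmed: bool = False                    # confirmed over a separate channel


def evaluate(req: TransferRequest) -> list:
    """Return policy violations; an empty list means the transfer may be signed."""
    problems = []
    if req.destination in DENYLIST:
        problems.append("destination fails sanctions screening")
    # Segregation of duties: the initiator's own approval never counts.
    valid = [a for a in req.approvals if a.name != req.initiator]
    if len(valid) != len(req.approvals):
        problems.append("initiator cannot approve own transfer")
    # Independence: count each custody domain and each team once, so a single
    # compromised device fleet or a single team cannot reach quorum alone.
    domains = {a.custody_domain for a in valid}
    teams = {a.team for a in valid}
    if min(len(domains), len(teams)) < REQUIRED_APPROVALS:
        problems.append("approvals are not independent")
    if req.amount_usd >= HIGH_VALUE_USD and not req.oob_confirmed:
        problems.append("high-value transfer lacks out-of-band confirmation")
    return problems


if __name__ == "__main__":
    alice = Approver("alice", "hsm-a", "treasury")
    carol = Approver("carol", "hsm-a", "treasury")  # same custody domain as alice
    print(evaluate(TransferRequest("dave", "0xabc", 250_000, [alice, carol])))
```

Two approvers whose keys sit in the same custody domain satisfy a naive 2-of-N count but fail this check, which is the difference between multisig and genuinely independent multisig.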

The Takeaway

North Korea has built the most effective state-run crypto-theft operation in the world — roughly $6.75 billion cumulatively, $2.02 billion in 2025 alone, and the source of the large majority of 2026’s stolen value. It steals through people, launders through whatever rail remains open, and adapts faster than any single sanction can close the gap.

The sanctions response from OFAC and now Australia is real and intensifying, but enforcement is chasing a moving target. For the industry, the practical message is unambiguous: the biggest threat in crypto is patient, well-funded, and aimed squarely at your hiring inbox and your private keys. Defend accordingly.