North Korean Crypto Hackers Stole $2.1B in 2025, 60% of All Losses: CertiK – Decrypt





In brief

  • North Korea-linked hackers were responsible for 60% of all crypto theft losses in 2025, totaling $2.06 billion in attributed losses, according to CertiK.
  • State-sponsored groups have evolved from opportunistic exploits to coordinated campaigns targeting DeFi protocols.
  • Over 86% of stolen funds in one major case were laundered within a month through DEXs and cross-chain bridges.

North Korean hackers have stolen $6.75 billion in cryptocurrency across 263 incidents since 2016, establishing state-sponsored theft as the dominant threat to decentralized finance, according to a new report by blockchain security firm CertiK.

The Web3 security firm’s Skynet analysis documents how DPRK-linked groups have transformed from opportunistic attackers into the primary force in crypto crime, responsible for some 60% of all theft losses in 2025 alone, amounting to $2.06 billion.

This dominance extends into 2026, with North Korean hackers accounting for 55% of global crypto losses since the start of the year.

Social engineering is the “dominant attack vector,” according to the report’s author Taylor Monahan, following incidents such as April’s $285 million Drift Protocol hack, in which DPRK hackers spent six months infiltrating the DeFi platform by posing as a quantitative trading firm.

Perhaps most concerning is the speed at which stolen funds disappear, with North Korean hackers leveraging a “large-scale laundering infrastructure” including decentralized exchanges and cross-chain bridges to rapidly obscure the money trail. In one major case, CertiK noted, 86% of funds were laundered within just one month.

The findings paint a picture of North Korea’s crypto theft evolving into a “primary state revenue mechanism,” systematically draining billions from the crypto ecosystem while staying ahead of law enforcement efforts.

The report’s timing underscores the ongoing threat, arriving as DPRK hackers maintain their relentless assault on crypto infrastructure. April’s Drift Protocol attack marked 2026’s largest DeFi hack, but even the $285 million stolen in that incident pales beside 2025’s record-breaking Bybit breach, where hackers extracted $1.46 billion in just two transactions on February 21. Blockchain security firms report over $1 billion of the Bybit funds have since been laundered through the same cross-chain infrastructure detailed in CertiK’s findings.

Security experts describe North Korea’s crypto operations as unprecedented in scope and sophistication, with blockchain analysis firm TRM Labs characterizing them as an “industrial-scale” threat leveraging “cyber activity, intelligence support, illicit finance infrastructure, and partnerships with overseas facilitators.”

The regime’s laundering network—dubbed the “Chinese Laundromat” by researchers—comprises underground bankers, OTC brokers, money transmitters, and trade-based laundering intermediaries.

U.S. authorities have intensified efforts to disrupt these operations through targeted asset seizures. The Department of Justice filed a civil forfeiture complaint last June targeting $7.7 million in cryptocurrency tied to North Korean IT worker laundering networks. Court documents revealed one wallet controlled by Sim Hyon Sop, a representative of North Korea’s sanctioned Foreign Trade Bank, received more than $24 million in cryptocurrency between August 2021 and March 2023.

Meanwhile, security firms are racing to develop tools and methods to counter sophisticated cross-chain laundering, with CertiK recommending that at-risk firms adopt rigorous ID verification including video interviews, zero-trust hiring policies, and “technical hardening” of DeFi infrastructure such as bridges and hot wallets.
