
North Korea Linked to $6.75B in Crypto Thefts Over Ten Years


North Korean Hackers Stole $6.75 Billion in Crypto Over Ten Years – Security Firms Link Activity to State Revenue

Key Takeaways

  • North Korean actors have stolen an estimated $6.75 billion in crypto across 263 incidents between 2016 and early 2026, according to CertiK.
  • In 2025 alone, $2.06 billion in losses were attributed to North Korea, representing 60% of the sector’s $3.4 billion in total losses.
  • So far in 2026, $620 million of the $1.1 billion in stolen funds have been linked to North Korean groups.
  • Major incidents include the $1.5 billion Bybit exploit in 2025 and the $294 million KelpDAO hack in 2026.

CertiK: Crypto Hacks Integrated Into North Korea’s Revenue Mechanism

Security research firm CertiK reports that North Korea has incorporated cryptocurrency theft into its state revenue structure. The firm analyzed nearly a decade of activity and identified 263 incidents between 2016 and early 2026 that it attributes to actors linked to the Democratic People’s Republic of Korea.

According to CertiK, these operations generated an estimated $6.75 billion over the ten-year period. The data shows a sustained and organized pattern rather than isolated attacks. CertiK describes North Korea as the largest single source of crypto-related losses in the industry.

The figures for recent years underline that concentration. In 2025, North Korean actors were responsible for $2.06 billion in losses. Total losses across the crypto sector that year reached $3.4 billion, meaning roughly 60% of all recorded losses were linked to North Korea.


In 2026, the trend has continued. CertiK reports that $620 million of the $1.1 billion in stolen funds so far this year can be attributed to North Korean groups. That represents 55% of total year-to-date losses.

Major Incidents: Bybit, KelpDAO and Drift

The scale of individual attacks has increased. In 2025, the largest single incident was the $1.5 billion exploit of Bybit. That attack was linked to the Lazarus group, a well-known North Korean hacking organization.

In 2026, the largest reported incident so far is the $294 million KelpDAO hack. According to TRM Labs, this operation was carried out by a new North Korean group that is separate from Lazarus. The emergence of additional groups suggests a diversification of operational units rather than reliance on a single entity.

Another major case involved Drift, which suffered a $285 million breach. TRM Labs stated that the incident followed in-person meetings between North Korean proxies and employees of the protocol. The firm described this method as unprecedented in the country’s crypto hacking campaign. Drift was breached by a group known as TraderTraitor, also linked to North Korea.

These cases illustrate that both centralized platforms and decentralized protocols remain targets. For users of exchanges, DeFi platforms, and crypto-enabled betting services, such incidents can affect liquidity, withdrawals, and operational stability.

TRM Labs: North Korea’s Share of 2026 Losses Potentially Higher

While CertiK places North Korea’s share of 2026 year-to-date losses at 55%, TRM Labs estimates the proportion may be significantly higher. According to TRM Labs, North Korean actors account for approximately 76% of total losses so far in 2026.

The difference in estimates reflects varying methodologies, but both firms agree on the dominant role of North Korean groups in current crypto crime statistics. For market participants, this concentration means that a limited number of state-linked actors are responsible for the majority of high-value breaches.

Tactics: Infiltration and Structured Laundering

Security firms report that North Korean actors have adapted their methods. In some cases, they have posed as IT employees to gain internal access to decentralized exchanges and platforms. This insider approach allows attackers to bypass certain external security layers.

After executing a hack, the groups typically pause before beginning laundering operations. Funds are often converted into Bitcoin and moved through crypto mixers such as Thorchain or Tornado Cash. They also use decentralized exchanges and over-the-counter desks to obscure transaction trails.

This multi-step laundering process complicates recovery efforts and increases the time needed for forensic tracing. For platforms handling large volumes of crypto transactions, monitoring cross-chain movements and mixer activity has become a central part of risk management.

Regulatory and Monitoring Responses

The scale of losses has prompted efforts to strengthen early threat detection across blockchains. Security companies are expanding monitoring systems designed to identify suspicious wallet behavior before funds are fully laundered.

According to the report, the United States government is considering extending threat intelligence that is currently shared with financial institutions to crypto companies. Such a move would formally integrate parts of the crypto industry into existing national security information frameworks.

For operators in crypto betting, online casinos, and other iGaming services that rely on digital assets, expanded intelligence sharing could affect compliance procedures and reporting standards. Platforms may face additional expectations regarding wallet screening and transaction monitoring.

Our Assessment

The data from CertiK and TRM Labs shows that North Korea-linked actors have accounted for a majority of global crypto thefts in recent years, with $6.75 billion stolen over a decade and a dominant share of losses in both 2025 and 2026. The combination of large-scale exchange breaches, DeFi exploits, and evolving infiltration tactics highlights a sustained and organized campaign. For users and operators across the crypto ecosystem, including betting and iGaming platforms, the figures underscore the concentration of risk in a small number of state-linked threat actors and the growing role of coordinated monitoring and intelligence sharing.


Isabella Brown
