CertiK Report Shows North Korean Hackers Stole $1.1B in 2026

  • DPRK threat actors have stolen an estimated $6.75 billion across 263 incidents since 2016.
  • In 2025, roughly $2.06 billion in crypto was stolen, 60% of all the funds taken that year.
  • Since January 2026, there have been 185 incidents, leading to $1.1 billion in stolen funds.

Blockchain security company CertiK just released a detailed report called ‘Skynet DPRK Crypto Threats Report’, warning that North Korea’s hacking efforts targeting crypto are getting more sophisticated and harder to spot.

The report breaks down how North Korean hackers keep taking advantage of weak spots in crypto through tricks like social engineering, fake job offers, getting insiders to help, spreading malware, and laundering money across different blockchains.

According to CertiK, these operations now represent one of the largest and most persistent security threats the global crypto industry has to deal with.

It’s reported that DPRK threat actors have stolen an estimated $6.75 billion across 263 incidents since 2016. The actual number is likely higher, considering hundreds of smaller, unreported attacks are not included.

In 2025, North Korea‑linked hackers stole roughly $2.06 billion in crypto. This represents 60% of all the funds taken that year, even though they were involved in only 12% of total security incidents.

The same activity has kept going into 2026, as North Korea now accounts for 55% of all crypto losses this year, primarily driven by large-scale hacks like the $291 million KelpDAO attack. Since January 2026, there have been 185 incidents, leading to about $1.1 billion in stolen funds.

The $1.5 billion Bybit hack in February 2025 is the biggest crypto heist ever, while other major breaches like Ronin ($625 million) and Drift ($285 million) show just how much more advanced these operations have become.

In the month following the Bybit hack, over 86% of the stolen ETH had been swapped for Bitcoin, with mixers, bridges, DEXs, and OTC brokers used to hide the trail.

Primary Attack Mode

CertiK emphasizes that the biggest hacks usually start with tricking people, not with bugs in the smart contracts themselves. This includes fake job offers and pretending to be VCs. Planting malicious code is also one of the methods mentioned.

Additionally, DPRK operatives have infiltrated DeFi teams under false identities, enabling theft from within.

Per the report, supply chain attacks are also regularly used, as seen in the Bybit incident. Hackers are getting into high‑security multisig wallets (the kind used by institutions) by breaking into trusted third‑party systems instead of going after the wallets directly.

Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.