G7 leaders at the Evian summit called on member nations to coordinate action against North Korean cryptocurrency theft and cybercrime. The 2026 statement goes further than last year's: alongside DPRK crypto theft, it now covers broader cybercriminal activity. Per Chainalysis, Pyongyang-linked hackers stole at least $2 billion in Bitcoin and other assets in 2025, bringing their all-time total to $6.75 billion.
What Was Agreed at Evian
The 2026 G7 summit took place in Evian-les-Bains, France. Leaders of the seven major economies adopted a joint statement expressing "deep concern" over North Korea's nuclear and ballistic missile programs. The UN and independent security researchers have documented for years how DPRK cyber operations feed directly into those programs through stolen crypto assets.
A year ago, at the Canadian summit, the G7 chair already called for members to jointly address "DPRK cryptocurrency thefts fueling" nuclear and missile programs. This year the call is broader, covering cybercrime at large. The statement still stops short of specifying any concrete measures. There is no mention of enhanced transaction screening at the exchange level, no sanctions against mixer services used by the DPRK to launder stolen funds, and no framework for government-to-government data sharing. The G7 named the problem publicly but left the "how" unanswered.
Scale of the Threat: Chainalysis and CrowdStrike Data
Chainalysis found that DPRK-linked hackers stole at least $2 billion in crypto during 2025. The number of confirmed attacks actually fell compared to prior years: the group shifted toward fewer, larger strikes. The total stolen from 2016 through 2025 now exceeds $6.75 billion.
In its May report, CrowdStrike identified DPRK-affiliated groups as the largest threat actor targeting the crypto industry by value stolen. Analysts found that campaigns focus on high-value targets, with proceeds "almost certainly laundered to fund the regime's military programs." That link between crypto theft and nuclear ambitions forms the core of the G7 statement.
Tactics: Embedded Developers and Fake Recruiters
CrowdStrike and Chainalysis describe two main approaches used by DPRK hackers. One involves placing their own IT workers inside crypto projects as apparently legitimate employees. These "developers" gain access to code, infrastructure, and often private keys. The other approach has attackers impersonating recruiters or investors to earn enough trust to reach the internal systems of target companies.
Recent high-profile attacks show these methods work:
- In April 2026, Drift Protocol lost $285 million through a smart contract exploit
- In June 2026, Humanity Protocol suffered $36 million in losses, with its H token dropping 85% within 12 hours of the attack
- In both cases, researchers identified technical patterns consistent with known DPRK campaigns, including laundering routes through mixers
No official attribution has been confirmed for either attack. Verification takes time and requires detailed on-chain transaction analysis. Independent investigators, though, point to the same technical signatures seen in prior DPRK operations.
Pyongyang Denies, Industry Awaits Details
In May, a North Korean Foreign Ministry spokesperson rejected the cyberattack allegations, calling them a "politically motivated slanderous campaign." State agency KCNA described US claims of a DPRK cyber threat as "disinformation." Pyongyang has held this position for nine years, regardless of accumulated evidence.
After the G7 statement, crypto exchanges and protocols are watching for regulators to follow through. Options being discussed include enhanced KYC for large suspicious transfers, coordinated sanctions against DPRK-linked wallets, and stricter reporting requirements for anomalous transactions. The G7 has put the threat on record at the level of heads of state; the next step belongs to individual governments and financial regulators.



