CertiK published its annual Skynet report, finding that hackers linked to North Korea stole $2.06 billion in 2025. That figure represents 60% of total industry crypto losses, which reached $3.4 billion for the year. After reviewing 656 documented incidents, researchers concluded that Pyongyang has turned cryptocurrency theft into a permanent state revenue mechanism.
Scale of Operations Over the Past Year and Decade
North Korea-linked groups were behind 79 of the 656 documented incidents, accounting for 12% of the total attack count. Yet the $2.06 billion they collected from a total $3.4 billion loss was 60% of all industry damage. That gap between attack frequency and stolen value shows the strategy: fewer hits, but much bigger targets.
From 2016 through early 2026, researchers documented 263 attacks and $6.75 billion in stolen assets, with data compiled by independent on-chain researcher Taylor Monahan and incorporated into CertiK's analysis. In 2026, the trend continues: North Korean groups account for 55% of global crypto losses through the first months of the year.
The report cites UN monitors and US intelligence assessments linking the theft proceeds to funding North Korea's nuclear and ballistic missile programs. The issue has moved well beyond industry cybersecurity and into international security discussions.
From Phishing to Physical Infiltration of Project Teams
Social engineering remains the primary initial access method. CertiK identifies three main approaches: fake job offers, impersonation of investors, and malicious code repositories. The 2022 Ronin Bridge attack started with a fake LinkedIn recruiter profile and a malware-laced PDF.
The Bybit hack in February 2025 added supply chain compromise to the group's methods. TraderTraitor breached a third-party transaction signing provider and rerouted fund withdrawals without changing what appeared in the victims' wallet interfaces. The destination addresses were swapped invisibly, allowing the group to drain roughly $1.5 billion.
The April 2026 Drift Protocol attack is described in the report as "physical infiltration." The operation ran for six months, with group members attending industry conferences under false identities and building personal trust with project developers. They then manipulated the protocol's governance mechanism to drain $285 million from the Solana-based platform. CertiK analyst Jonathan Riss described the approach in comments accompanying the report as a fusion of intelligence tradecraft and technical exploitation.
Laundering Funds Through Bridges and Decentralized Exchanges
After securing the $1.5 billion from Bybit, the hackers moved into large-scale asset conversion. CertiK's data shows 86% of the stolen Ethereum was converted to Bitcoin within one month. The process ran through mixers, cross-chain bridges, decentralized exchanges, and OTC brokers. More than $1 billion from the Bybit haul is still estimated to be inside the laundering network.
Researchers call this infrastructure the "Chinese laundromat": a network of underground bankers, trade intermediaries, and trade-based money laundering operators. US Department of Justice filings show one wallet tied to a representative of North Korea's sanctioned Foreign Trade Bank processed more than $24 million between August 2021 and March 2023.
US Response and CertiK Recommendations
The US Department of Justice filed a civil forfeiture complaint in June 2025 targeting $7.7 million in crypto assets linked to a North Korean IT worker laundering network. CertiK outlined a set of measures for companies at risk:
- mandatory video interviews and document verification during hiring
- zero-trust access control policies across all systems
- technical hardening of cross-chain bridges and hot wallets
- regular audits of external vendors with access to infrastructure
The shift from opportunistic to systematic attacks confirms that North Korea treats crypto theft as a long-term financial tool. Without coordinated action from the industry and regulators, 2026's numbers stand a real chance of surpassing 2025's.



