The overwhelming majority of stolen cryptocurrency today is being used to fund the Democratic People’s Republic of Korea (DPRK).
Crypto theft is rampant because it’s easy. The system, bereft of institutional safeguards by design, requires that individual participants secure their own assets — a task for which most are not particularly well-suited. The result: entire national GDPs worth of financial theft every year. Even just in 2025, in the US alone, including only known and reported cases, the FBI found that Americans lost more than $11 billion in crypto-focused scams run by cybercriminals such as gangsters in Southeast Asia.
The biggest winner of all, though, is the DPRK. According to data from TRM Labs, North Korean hackers have been responsible for at least around a third of all financial losses from cryptocurrency in six out of the past nine years. In 2026, though, they’re doing their most productive work yet. By tallying up all of the money crypto traders have reportedly lost to hackers so far this year, analysts found that 76% is now in Pyongyang.
It isn’t that North Korea is performing 76% of all crypto cyberattacks. Rather, it has become proficient in focused, low-frequency, high-reward breaches, according to TRM.
Almost all of its winnings from January to April this year, for example, come down to two incidents: an attack against the “Drift Protocol” that yielded $285 million, and another against “KelpDAO” for $292 million.
TRM analysts believe that these semi-regular, high-yield attacks might be in part an outgrowth of North Korea’s increasing adoption of artificial intelligence (AI), helping it meaningfully upgrade reconnaissance and social engineering flows so that its attacks come out more perfectly baked.
The DPRK’s Hundred-Million-Dollar Crypto Heists
Years ago, the Kim Jong-Un regime came upon an insight that forever changed the trajectory of both cyberspace and geopolitics. Though the hegemonic US could limit its access to global financial markets, the DPRK observed that with each passing day, largely unsophisticated and self-fashioned traders were converting more and more dollars, euros, and pesos into unregulated and insecure cryptocurrency networks.
Crypto was vulnerable to technical issues like any other digital systems were. Even better: thanks to its community’s anarcho-capitalist dogma, stopping or reversing cryptocurrency theft typically involves moving mountains. A bank can kibosh a financial transfer to North Korea; cryptocurrency projects are often structurally designed to prevent anyone from doing that, and where it is possible and pressing, zealous investors often choose not to, even at the expense of their own wallets.
As far back as 2017 and 2018, North Korea was culpable for around a third of all stolen crypto annually. TRM data suggests that it dropped off a cliff in 2020, but recovered to pre-COVID levels by 2023. Never has it been such a menace as it’s been in the past year or so, though. In 2025, two thirds of all stolen crypto went to Pyongyang. This year, so far, it’s well beyond even that.
Almost all of this new rise can be attributed to three, specific incidents. In February 2025, a North Korean advanced persistent threat (APT) tracked by the FBI as “TraderTraitor” (aka Jade Sleet, UNC4899) stole $1.5 billion dollars’ worth of Ethereum from a crypto exchange called ByBit. On April Fool’s Day this year, Citrine Sleet (aka AppleJeus, Labyrinth Chollima, UNC4736) cashed in on a monthslong social engineering gambit to swindle nearly $300 million from a leveraged trading platform, “Drift.” Not even three weeks later, on April 18, TraderTraitor was back with an attack on the infrastructure underpinning another decentralized finance (DeFi) platform called “Kelp,” also for nearly $300 million.
Though the attack chains varied, each one demonstrated the attackers’ extensive technical understanding of these decentralized platforms and where their weak points lie.
“North Korea stole $575 million in 18 days because the infrastructure they targeted had single points of trust, no provenance validation on assets moving between systems, and governance structures that could not respond at the speed of the attack,” explains Bradley Smith, senior vice president and deputy chief information security officer (CISO) at BeyondTrust. “The structural problem is that DeFi protocols are handling nation-state-scale value with startup-scale security architecture. Until the ecosystem enforces the same trust verification standards that traditional financial infrastructure requires, state-sponsored actors will keep treating it as the lowest-cost funding mechanism available to them.”
Can Crypto Hold Up Against AI?
North Korean APTs may have been stealing crypto for a while now, and sometimes a lot of it at once. But the regularity with which it’s stealing such huge sums begs the question: What’s changed? As we’ve seen already, it’s not that they’re carrying out attacks more frequently.
“North Korean operators have long been capable social engineers, but AI is dismantling the constraints that historically limited their precision, such as language barriers, the time required to build convincing personas, the difficulty of personalizing attacks at scale,” says Ari Redbord vice president and global head of policy and government affairs for TRM Labs. The benefits of AI aren’t limited to social engineering, as LLMs help synthesize data and generative tools help write code. “Overall we have seen a 500% increase in AI-assisted scams over the last year. The barrier to a convincing attack has collapsed, and a state actor with the DPRK’s resources and operational discipline is systematically integrating these attacks into workflows designed to steal the crypto assets that fund a nuclear program.”
The risk posed by Kim’s state is set only to steepen, too, with frontier AI tools trained to efficiently identify and exploit cybersecurity weaknesses. Smith worries that “Smart contracts and governance structures are already insufficient against human-speed attackers. AI compresses that timeline further. We’ve seen critical vulnerabilities moving from proof-of-concept to mass exploitation in hours. When you apply that to smart contract ecosystems where exploits execute and settle on-chain before anyone can intervene, the window for human governance to respond is effectively zero.”
He argues that “Crypto ecosystems will need to build automated, real-time trust validation into the transaction layer itself. Governance votes and multisig approvals that take hours or days will not survive an AI-empowered attacker operating in minutes.”
Don’t miss the latest Dark Reading Confidential podcast, NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later, for a candid conversation with Chris Inglis, head civilian in charge of the NSA during the Edward Snowden affair. Inglis reflects what the NSA should have done better, what he wants CISOs to know about protecting against their own insider threats, and what his reaction would be if Snowden received a pardon. Listen now!
