When the history of cryptocurrency’s first decade is written, one of its most uncomfortable chapters will be about North Korea.

Since 2017, hackers operating under the direction of the DPRK’s Reconnaissance General Bureau — primarily through the threat actor cluster known as the Lazarus Group and its sub-units — have stolen more than $6 billion in cryptocurrency. From January through April 2026 alone, North Korean operatives were responsible for approximately 76% of all crypto hack losses, according to TRM Labs. That translates to $577 million of the $759 million total stolen in the first four months of the year.

This is not a peripheral data point in the crypto security landscape. North Korea is the single dominant threat actor in the space. It is better resourced, more patient, and more sophisticated than any criminal organization operating in the same arena. And the funds it steals are not going to personal enrichment — they are going to a state weapons program under international sanctions, specifically to fund missile and nuclear development.

The crypto industry has been slow to internalize what this means. This article attempts to provide a clear picture.


The Scale: $6 Billion Since 2017

TRM Labs’ estimate of $6 billion in total DPRK crypto theft since 2017 is a conservative figure. It includes only incidents where attribution confidence is medium or higher based on on-chain analysis, operational tradecraft, and corroborating intelligence. Incidents with lower confidence attribution — or those where fund movements have been completely obscured — are not included.

The actual total may be significantly higher.

Year-by-year highlights:

  • 2017-2018: Early operations targeting South Korean exchanges. Youbit exchange forced into bankruptcy after two DPRK-linked attacks. Estimated losses: $500M+
  • 2019-2020: Expansion to global targets. Multiple exchange hacks. Estimated losses: $300M+
  • 2021: Axie Infinity’s Ronin bridge breach in March ($625M) became, at the time, the largest crypto hack in history. Attributed to Lazarus Group by the FBI
  • 2022: Horizon Bridge ($100M), multiple smaller protocol hacks. Estimated annual losses: $800M+
  • 2023: Atomic Wallet ($100M), Alphapo, CoinsPaid. Estimated annual losses: $600M+
  • 2024: Radiant Capital ($50M), multiple exchange compromises. Estimated annual losses: $400M+
  • 2025: Bybit ($1.5B, February 2025) — the largest single crypto theft in history, attributed to Lazarus Group. Full-year estimated losses: $1.3B+
  • 2026 (Jan-Apr): Drift Protocol ($285M), KelpDAO ($293M), multiple smaller incidents. $577M in four months

The trajectory is not declining. It is accelerating.


Who Is the Lazarus Group?

“Lazarus Group” is an umbrella term used by Western cybersecurity firms and governments to describe a constellation of DPRK state-sponsored cyber operations. The label covers several distinct sub-units with specialized functions:

APT38 (BlueNoroff): Focused on financial system intrusion — SWIFT network attacks against banks, exchange hacks, and financial infrastructure compromise. Responsible for the 2016 Bangladesh Bank heist ($81M) and multiple exchange compromises.

UNC4736 (Citrine Sleet / Gleaming Pisces / Golden Chollima): The unit attributed to the Drift Protocol and Bybit hacks. Specializes in long-duration social engineering operations targeting DeFi protocols, using fake professional identities to infiltrate governance and key management.

TraderTraitor: Identified by the FBI and CISA as responsible for targeting crypto industry employees with malicious trading applications, fake job offers, and compromised software packages. Used against multiple centralized exchanges.

AppleJeus: Specializes in supply chain attacks — compromising software development tools, package managers, and update mechanisms used by crypto firms to insert malicious code into their own build processes.

These units are not independent. They share infrastructure, coordinate operations, and are directed by the DPRK’s Reconnaissance General Bureau (RGB), which functions as the country’s primary foreign intelligence service.


How the Money Gets Stolen

DPRK operations have evolved significantly from their early focus on exchange hacks through direct credential compromise. Current tactics span three broad categories:

Social Engineering at Scale

The Drift Protocol attack represents the current pinnacle of DPRK social engineering: a six-month operation using fake professional identities, in-person conference attendance through third-party proxies, and sustained relationship-building with specific targets — all to position attackers to manipulate governance processes.

Similar (though shorter) social engineering operations have preceded multiple 2025-2026 hacks:

  • Fake recruiters approach crypto engineers with lucrative job offers containing malicious technical assessments
  • Fake investment firms approach protocol founders seeking “integration partnerships”
  • Fake VC representatives conduct extended due diligence processes that include requests for sensitive technical documentation
  • Fake auditors offer free security reviews that involve installing compromised tooling

The common thread: patience, specificity, and professional presentation. DPRK operators at this level do not send obvious phishing emails. They build real relationships over weeks or months before executing their payload.

Supply Chain Compromise

Several 2024-2025 DPRK incidents involved compromise of software supply chains — inserting malicious code into npm packages, Python libraries, or build tools used by crypto firms. When the target company’s developers install or update the compromised package, the malicious code runs in their development environment and exfiltrates private keys, credentials, and seed phrases.

This vector is particularly dangerous because it bypasses most perimeter security: the attack comes through trusted internal tooling, not through external network access.
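The install-time hook and the floating dependency version are the two manifest-level features this vector depends on, and both are visible before anything is installed. The following audit script is an added example for this article, not code from any project named in it; the package.json and package-lock.json it inspects are constructed, and the package names in them are invented.

```python
"""Audit an npm manifest and lockfile for the install-time hooks and
floating dependency versions that supply-chain compromises rely on.

Added illustration for this article; the package.json and package-lock.json
below are constructed and do not describe any real package.
"""
import json
import re

# Lifecycle scripts that npm runs automatically during `npm install`; any
# package that declares one executes code on the developer's machine.
AUTO_RUN_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")

# Version specs that leave the choice of artefact to the registry or a remote.
FLOATING_SPEC = re.compile(r"^[\^~*<>]|^latest$|\.x$|^git\+|^https?://|^github:")


def audit_manifest(package_json: str, lockfile_json: str) -> list[dict]:
    """Return a list of findings, each {severity, kind, subject, detail}."""
    manifest = json.loads(package_json)
    lock = json.loads(lockfile_json)
    findings = []

    # 1. The project's own install hooks.
    for name in AUTO_RUN_SCRIPTS:
        cmd = manifest.get("scripts", {}).get(name)
        if cmd:
            findings.append({"severity": "high", "kind": "lifecycle-script",
                             "subject": name, "detail": cmd})

    # 2. Each declared dependency, checked against the lockfile (v2/v3 layout:
    #    entries keyed "node_modules/<name>" with resolved/integrity fields).
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(manifest.get(section, {}))
    locked = lock.get("packages", {})

    for name, spec in sorted(deps.items()):
        if FLOATING_SPEC.search(spec):
            findings.append({"severity": "medium", "kind": "floating-version",
                             "subject": name, "detail": spec})
        entry = locked.get(f"node_modules/{name}")
        if entry is None:
            findings.append({"severity": "high", "kind": "not-in-lockfile",
                             "subject": name, "detail": spec})
            continue
        if not entry.get("integrity", "").startswith("sha512-"):
            findings.append({"severity": "high", "kind": "missing-integrity",
                             "subject": name, "detail": entry.get("resolved", "")})
        if entry.get("hasInstallScript"):
            findings.append({"severity": "high", "kind": "dependency-install-script",
                             "subject": name, "detail": entry.get("resolved", "")})
    return findings


# Constructed sample input: one floating dep, one dep missing from the
# lockfile, one dep with an install script, and a project-level postinstall hook.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "wallet-dashboard",
    "scripts": {"build": "tsc", "postinstall": "node scripts/setup.js"},
    "dependencies": {"ethers": "6.13.1", "example-left-pad": "^1.3.0",
                     "example-chain-utils": "latest"},
    "devDependencies": {"typescript": "5.4.5"},
})
SAMPLE_LOCKFILE_JSON = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "node_modules/ethers": {
            "version": "6.13.1",
            "resolved": "https://registry.example/ethers-6.13.1.tgz",
            "integrity": "sha512-CONSTRUCTEDHASH"},
        "node_modules/example-left-pad": {
            "version": "1.3.2",
            "resolved": "https://registry.example/example-left-pad-1.3.2.tgz",
            "integrity": "sha512-CONSTRUCTEDHASH", "hasInstallScript": True},
        "node_modules/typescript": {
            "version": "5.4.5",
            "resolved": "https://registry.example/typescript-5.4.5.tgz",
            "integrity": "sha512-CONSTRUCTEDHASH"},
    },
})

if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE_JSON):
        print(f"[{f['severity']}] {f['kind']}: {f['subject']} ({f['detail']})")
```

Run against the constructed sample it reports five findings: the project's own postinstall hook, a dependency that never made it into the lockfile, two floating version specs, and a locked dependency that carries its own install script. In a real pipeline the same checks belong in CI with `npm ci --ignore-scripts` as the install step, so that a hook can only run after a human has looked at why it exists.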

Protocol-Level Exploitation

When social engineering and supply chain attacks are not viable, DPRK units conduct direct technical exploitation — finding vulnerabilities in smart contracts, bridge infrastructure, and oracle systems. The KelpDAO hack’s exploitation of a 1-of-1 LayerZero verifier configuration is one example. Multiple earlier bridge hacks involved direct exploitation of smart contract logic.

Technical exploits require significant advance reconnaissance — understanding the target protocol’s architecture, testing attack conditions in forked environments, and preparing execution infrastructure. This work is done by teams of trained engineers working full-time on crypto security research. DPRK operates what is effectively a professional red team with a budget to match.


How the Money Gets Laundered

The sophistication of DPRK theft operations is matched by the sophistication of their laundering infrastructure. Recovering funds after attribution is extremely rare because the laundering process is fast, layered, and specifically designed to defeat blockchain analytics.

Stage 1: Rapid cross-chain movement. Within hours of a theft, funds are bridged from their origin chain (often Solana or an L2) to Ethereum, where larger liquidity and more mixer options exist. This breaks the direct on-chain custody trail.

Stage 2: Mixer usage. DPRK operations have extensively used Tornado Cash (before its OFAC designation), Sinbad.io (also sanctioned), and other mixing protocols to obscure fund origins. Post-mixer, funds emerge in fresh addresses with no direct on-chain connection to the theft.

Stage 3: Chain-hopping. Funds cycle through multiple blockchain networks — Ethereum → Avalanche → BSC → Bitcoin — using non-KYC bridges and DEXes to further break the chain of custody.

Stage 4: OTC conversion. Final conversion to fiat (typically through Chinese OTC brokers or peer-to-peer markets in jurisdictions with weak AML enforcement) completes the laundering cycle. OFAC has sanctioned specific OTC networks linked to DPRK laundering, but the ecosystem regenerates quickly.

The full cycle from theft to clean fiat has historically taken 3-12 months. Recent operations appear to be compressing this timeline.


Why the Crypto Industry’s Response Has Been Inadequate

The industry’s response to North Korea as a systematic threat has been reactive, fragmented, and slow. Several structural problems explain this:

Decentralization as an excuse: DeFi protocols, in particular, have sometimes treated “we have no central entity to coordinate with” as an answer to governance and security questions that demand better solutions. Coordination on DPRK threat intelligence does not require centralization — it requires will.

Short-termism in security investment: Security budgets are frequently treated as a cost center, slashed when protocols face financial pressure, and oriented toward smart contract audits (which address only one attack vector) rather than comprehensive security programs.

Insufficient information sharing: Blockchain analytics firms hold DPRK attribution data — wallet clusters, social media personas used in social engineering, organizational front companies. This data is not systematically shared with the protocol-level contributors who are actual targets. The gap between intelligence and operational security is significant.

Regulatory reluctance: The crypto industry has historically resisted the kind of state engagement that would improve DPRK threat response — information sharing with intelligence agencies, mandatory incident reporting, sanctions compliance programs. The calculus here needs to change. DPRK is a nation-state adversary. The appropriate response involves nation-state tools.


What Effective Response Looks Like

Protocol-level: Every DeFi protocol with governance mechanisms must implement social engineering awareness programs as part of its core security practice. Governance signers should be trained to recognize manipulation patterns, verify transaction contents before signing, and apply mandatory timelocks to all administrative actions.
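What "verify transaction contents before signing" and "mandatory timelocks" look like as an actual gate is shown below. This is an added example for this article, not the code of any protocol or wallet it mentions: the ERC-20 selectors are the standard ones, while the treasury and payroll addresses, the spending cap, the 48-hour delay and the Safe-style operation codes (0 = call, 1 = delegatecall) are assumptions made for the example.

```python
"""Pre-signing gate for a governance or treasury multisig signer: decode
what the proposed calldata actually does, check it against an allowlist,
and enforce a mandatory timelock before the action can execute.

Added illustration for this article. The ERC-20 selectors are the standard
ones; the treasury/payroll addresses, the policy limits and the Safe-style
operation codes (0 = call, 1 = delegatecall) are assumptions for the example.
"""
from dataclasses import dataclass, field

TIMELOCK_SECONDS = 48 * 3600              # assumed mandatory delay for admin actions
CALL, DELEGATECALL = 0, 1                 # assumed operation codes

SEL_TRANSFER = bytes.fromhex("a9059cbb")  # transfer(address,uint256)
SEL_APPROVE = bytes.fromhex("095ea7b3")   # approve(address,uint256)

TREASURY_TOKEN = "0x" + "11" * 20         # constructed: the only contract governance may call
PAYROLL_WALLET = "0x" + "22" * 20         # constructed: the only permitted transfer recipient
MAX_TRANSFER = 250_000 * 10**6            # constructed cap for a token with 6 decimals


@dataclass
class Proposal:
    to: str
    value: int           # native value in wei
    data: bytes          # raw calldata
    operation: int       # CALL or DELEGATECALL
    proposed_at: int     # unix seconds when the proposal was queued


@dataclass
class Decision:
    sign: bool
    reasons: list = field(default_factory=list)


def _word(data: bytes, i: int) -> bytes:
    """i-th 32-byte ABI word after the 4-byte selector."""
    return data[4 + 32 * i: 4 + 32 * (i + 1)]


def decode_erc20_call(data: bytes):
    """Return (selector, address, amount) for transfer/approve calldata, else None."""
    if len(data) != 4 + 64 or data[:4] not in (SEL_TRANSFER, SEL_APPROVE):
        return None
    address = "0x" + _word(data, 0)[12:].hex()   # address is right-aligned in its word
    amount = int.from_bytes(_word(data, 1), "big")
    return data[:4], address, amount


def encode_erc20_call(selector: bytes, address: str, amount: int) -> bytes:
    """ABI-encode transfer/approve(address,uint256); used here to build samples."""
    return selector + bytes(12) + bytes.fromhex(address[2:]) + amount.to_bytes(32, "big")


def review(p: Proposal, now: int) -> Decision:
    """Every rejection reason is recorded so the signer sees all problems at once."""
    d = Decision(sign=True)

    def reject(msg: str) -> None:
        d.sign = False
        d.reasons.append(msg)

    if p.operation != CALL:
        reject("delegatecall would execute foreign code in the wallet's own storage context")
    if p.to.lower() != TREASURY_TOKEN:
        reject(f"target {p.to} is not an allowlisted contract")
    if p.value != 0:
        reject("calls to the treasury token must not carry native value")

    decoded = decode_erc20_call(p.data)
    if decoded is None:
        reject("calldata is not a recognised transfer/approve call; do not sign what cannot be decoded")
    else:
        selector, address, amount = decoded
        if selector == SEL_APPROVE:
            reject("approve() grants a third party spending rights; not permitted from governance")
        elif address.lower() != PAYROLL_WALLET:
            reject(f"recipient {address} is not allowlisted")
        elif amount > MAX_TRANSFER:
            reject(f"amount {amount} exceeds the per-action cap of {MAX_TRANSFER}")

    earliest = p.proposed_at + TIMELOCK_SECONDS
    if now < earliest:
        reject(f"timelock: proposal executable only from unix time {earliest}")
    return d


# Constructed samples: a routine payroll transfer and a disguised drain attempt.
QUEUED_AT = 1_700_000_000
GOOD = Proposal(TREASURY_TOKEN, 0,
                encode_erc20_call(SEL_TRANSFER, PAYROLL_WALLET, 100_000 * 10**6), CALL, QUEUED_AT)
BAD = Proposal(TREASURY_TOKEN, 0,
               encode_erc20_call(SEL_APPROVE, "0x" + "ee" * 20, 2**256 - 1), DELEGATECALL, QUEUED_AT)

if __name__ == "__main__":
    for label, prop in (("payroll", GOOD), ("drain", BAD)):
        d = review(prop, QUEUED_AT + TIMELOCK_SECONDS)
        print(label, "SIGN" if d.sign else "REFUSE", d.reasons)
```

The design point is that the check runs on the raw bytes the signer is about to sign, on a machine the signer controls, independent of whatever a web front end displays; the timelock is enforced by the same gate rather than by the interface that presents the proposal. Anything the gate cannot decode is refused rather than waved through.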

Industry-level: A shared intelligence platform — modeled on the Financial Services ISAC or analogous cybersecurity sharing bodies — should aggregate DPRK-attributed indicators of compromise, social engineering personas, and infrastructure fingerprints and make them available to protocol security teams in real time.

Government engagement: The crypto industry should actively engage OFAC, FBI, and Treasury’s FinCEN on DPRK threat intelligence. This is not about inviting regulation — it is about accessing resources that exist specifically to combat the adversary that is doing the most damage.

Exchange-level: Centralized exchanges are the final choke point in most DPRK laundering chains. Enhanced screening for DPRK-attributed wallets, mandatory delays on large withdrawals to new addresses, and real-time OFAC screening are baseline requirements that all major exchanges should be meeting.
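The exchange-level controls above are the counterpart of the laundering stages described earlier: the deposit is the point where a chain-hopped, mixed flow finally touches an entity that can refuse it. The following is an added example for this article, not code from any exchange or analytics vendor. Every address, transfer, and listed set in it is constructed, and the five-hop lookback, the $100k threshold and the 24-hour hold are assumed values.

```python
"""Exit-point controls of the kind an exchange can run against the
laundering pattern above: trace a deposit's upstream path for sanctioned,
mixer and bridge exposure, and hold large withdrawals to unseen addresses.

Added illustration for this article; every address, transfer and listed set
below is constructed, and the hop limit and thresholds are assumed values.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int        # unix seconds
    src: str
    dst: str
    amount: float  # USD-equivalent
    chain: str


SANCTIONED = {"0xtheft01"}    # constructed stand-in for a designated theft address
MIXERS = {"0xmixer01"}        # constructed stand-in for a mixing contract
BRIDGES = {"0xbridge01"}      # constructed stand-in for a bridge deposit contract
MAX_HOPS = 5                  # how far upstream to look

LARGE_WITHDRAWAL = 100_000.0  # USD-equivalent
NEW_ADDRESS_HOLD = 24 * 3600  # cooling period for a destination never used before


def upstream_exposure(transfers, address, max_hops=MAX_HOPS):
    """Breadth-first walk backwards through incoming transfers; report the
    shortest hop distance at which each kind of flagged address appears."""
    incoming = defaultdict(list)
    for t in transfers:
        incoming[t.dst].append(t)
    report = {"sanctioned_hops": None, "mixer_hops": None, "bridge_hops": None}
    seen = {address: 0}
    queue = deque([address])
    while queue:
        cur = queue.popleft()
        hops = seen[cur]
        for key, flagged in (("sanctioned_hops", SANCTIONED),
                             ("mixer_hops", MIXERS), ("bridge_hops", BRIDGES)):
            if cur in flagged and report[key] is None:
                report[key] = hops
        if hops == max_hops:
            continue
        for t in incoming[cur]:
            if t.src not in seen:
                seen[t.src] = hops + 1
                queue.append(t.src)
    return report


def screen_deposit(transfers, address):
    """Return (action, reason) for funds arriving at an exchange deposit address."""
    exp = upstream_exposure(transfers, address)
    if exp["sanctioned_hops"] is not None:
        return "block", f"sanctioned source {exp['sanctioned_hops']} hop(s) upstream"
    if exp["mixer_hops"] is not None:
        return "review", f"mixer output {exp['mixer_hops']} hop(s) upstream"
    return "allow", f"no flagged exposure within {MAX_HOPS} hops"


def withdrawal_hold(amount, dest, known_destinations, first_seen_ts, now):
    """Seconds a withdrawal must wait: large amounts to a never-used destination
    wait out the cooling period, measured from when that destination was first submitted."""
    if amount < LARGE_WITHDRAWAL or dest in known_destinations:
        return 0
    return max(0, first_seen_ts + NEW_ADDRESS_HOLD - now)


# Constructed transfer history mirroring stages 1-3: theft -> bridge (hours later)
# -> relay -> mixer -> fresh address -> exchange deposit; plus an unrelated customer.
SAMPLE_TRANSFERS = [
    Transfer(1_000, "0xtheft01", "0xbridge01", 285e6, "solana"),
    Transfer(4_000, "0xbridge01", "0xrelay01", 285e6, "ethereum"),
    Transfer(8_000, "0xrelay01", "0xmixer01", 100e6, "ethereum"),
    Transfer(90_000, "0xmixer01", "0xfresh01", 100e6, "ethereum"),
    Transfer(95_000, "0xfresh01", "0xdeposit01", 50e6, "ethereum"),
    Transfer(5_000, "0xcustomer", "0xdeposit02", 1_200.0, "ethereum"),
]

if __name__ == "__main__":
    for dep in ("0xdeposit01", "0xdeposit02"):
        print(dep, screen_deposit(SAMPLE_TRANSFERS, dep))
    print("hold seconds:", withdrawal_hold(250_000.0, "0xnew", set(), 95_000, 95_000))
```

Two caveats on the design. The graph walk only works because the constructed history keeps the mixer as an ordinary node on the path; against a real mixer the on-chain link is gone, which is exactly why the mixer's own address has to be on the flagged list and why the cluster data held by analytics firms (the sharing gap named above) matters more than any single exchange's view. And the withdrawal hold is deliberately a function of amount and destination novelty rather than of customer identity, so it applies to a compromised account as much as to a new one.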


The Weapons Program Connection

The UN Panel of Experts has estimated that crypto theft funds a material proportion of North Korea’s ballistic missile and nuclear weapons development programs. This is not speculation — it is documented in UN Security Council reports with specific transaction analysis linking DPRK-attributed crypto proceeds to weapons procurement networks.

Every time a DeFi protocol is exploited by Lazarus Group, real money flows toward weapons development by a government that has threatened nuclear strikes against its neighbors. The crypto industry is not just a victim in this story. It is, through security failures that are preventable, an inadvertent contributor to a geopolitical threat.

This is a difficult sentence for an industry built on permissionless access and decentralization. But it is the accurate sentence, and it demands a response proportionate to what is actually happening.

