North Korea Launders Billions in Crypto, Shifts to Infiltration

A CertiK report finds that North Korean-linked groups have laundered about $6.75 billion in crypto since 2016, stole $2.06 billion of the $3.4 billion lost in 2025, and increasingly use social engineering and physical infiltration.

A CertiK report titled Skynet DPRK Crypto Threats Report documents cryptocurrency thefts and laundering linked to North Korean actors from 2016 through early 2026. The report records 263 thefts that total about $6.75 billion in stolen digital assets and links proceeds to funding for North Korea’s nuclear and ballistic missile programs. CertiK notes the total is likely understated.

In 2025 the firm tracked 656 crypto security incidents worldwide. Of those, 79 incidents were attributed to DPRK-linked groups and accounted for $2.06 billion, or roughly 60% of the $3.4 billion in reported losses for the year, while representing about 12% of attacks. So far in 2026, DPRK-linked actors are credited with $620.9 million of $1.1 billion in reported losses, including a $291 million exploit targeting KelpDAO.

The report documents a change in tactics. Early campaigns relied more on exploitable smart contracts and protocol vulnerabilities. Recent operations increasingly use social engineering, supply-chain compromises and physical infiltration to obtain credentials and privileged access. CertiK records cases where operatives reportedly posed as employees or contractors to gain insider access to organizations.

The report highlights how quickly stolen funds are converted and moved after a breach. In the Bybit incident cited by CertiK, 86% of the Ethereum taken was converted into Bitcoin in under a month using a mix of cryptocurrency tumblers and exchange channels. The report says those conversion patterns complicate recovery and forensic tracing and indicate established laundering pipelines able to handle large transfers with limited slippage or detection.

CertiK describes a broader operational evolution in which phishing, supply-chain manipulation and in-person tactics are combined with technical exploits to secure credentials, access and exit routes for stolen assets. The activity is presented in the report as coordinated and scaled to generate sustained revenue for state programs rather than isolated criminal incidents.

The report notes attribution challenges and incomplete public reporting, which could mean actual losses tied to DPRK-linked groups are higher than current totals. It recommends that crypto firms expand security controls to include stricter insider-threat screening, stronger supply-chain oversight and continuous monitoring of fund flows to detect rapid conversions through mixers and exchanges.
