North Korean hackers stole two-thirds of crypto in 2026: report

1 hour ago 2



  1. Homepage
  2. >
  3. News
  4. >
  5. Business
  6. >
  7. North Korean hackers stole two-thirds of crypto in 2026: report

North Korea-linked groups were responsible for around two-thirds of digital asset hacking losses worldwide in the first half of 2026, according to a new report by blockchain analytics firm TRM Labs, which also found that overall losses are down compared to last year.

The report, published July 1, revealed that attackers have carried out 207 separate hacks over the last six months, “the highest number TRM has recorded in any six-month period,” said the firm.

Despite the increase in incidents, the total losses were actually down compared to the same period last year, from $2.3 billion in the first half of 2025 to $972 million in 2026.

Of this latter figure, North Korean state-linked entities accounted for 66.2%, roughly $643 million, with TRM Labs attributing the majority to two major attacks: a $285 million breach of decentralized finance (DeFi) platform Drift in April and a $292 million hack of another DeFi platform, KelpDAO.

The overall amount stolen by North Korea state-linked entities was also well below the roughly $1.7 billion they stole in the first half of 2025. However, TRM suggests that hacking is just the tip of the iceberg in heavily sanctioned countries’ crypto money-making schemes.

“It is also important to note that these figures include only hacks and exploits,” said TRM. “North Korea continues to generate cryptocurrency through other illicit activity, including phishing campaigns, social engineering, fraud, scams, and covert IT worker operations. As a result, the USD 643 million reflected here represents only one portion of its overall crypto revenue.”

According to the report, another notable trend this year was that infrastructure and operational compromises accounted for only about 15% of incidents but roughly 76% of total losses, far exceeding the impact of more than 100 smaller smart contract exploits.

“The first half of 2026 demonstrates that crypto security has entered a new phase,” said TRM. “Large infrastructure compromises continue to drive the industry’s biggest financial losses, while a growing number of smaller smart contract exploits are pushing incident counts to record levels.”

It added that “a single successful operation against a major target can still outweigh months of losses from every other attacker combined.”

North Korea’s persistent hacking threat

The latest report from TRM demonstrates that the threat posed by North Korea’s seemingly relentless hacking operations shows no signs of stopping or even slowing.

North Korea is the third most sanctioned country in the world—behind only Russia and Iran—with restrictions limiting its access to the global financial system and international trade, leaving it increasingly isolated and economically precarious.

States facing such sanctions are often drawn to the digital asset space because it can provide alternative channels for moving, storing, or raising funds outside parts of the traditional financial system, even as major digital assets and exchanges are increasingly subject to regulation, compliance requirements, and blockchain-based tracking by authorities.

The state-backed digital asset hacking operations of North Korea are a prime example of this and have been among the most profitable by any nation.

In 2023, a U.S.-based cybersecurity firm, Recorded Future, released a report suggesting that, through its hacking, the country had generated over $3 billion over the previous six years.

This success apparently led to a doubling down, with blockchain analytics firm Chainalysis reporting that North Korean hackers stole $1.34 billion in digital assets across 47 incidents in 2024, accounting for 61% of the year’s total.

In December 2024, the U.S. Federal Bureau of Investigation (FBI) also announced that North Korean cyber actors were behind the $308 million digital asset theft from Japan-based digital asset firm DMM Bitcoin—a hack that led to South Korea imposing further sanctions on 15 members of North Korean IT organizations and one related company involved in illicit cyber activities, including digital asset heists.

Early last year, the notorious North Korea-linked hacking group “Lazarus” targeted the digital asset exchange Bybit, stealing over $1.4 billion in Ethereum (ETH), marking the largest exploit of its kind—crypto or otherwise.

A few months later, in August 2025, it was revealed that North Korea’s ever-evolving hacking operations had moved into the international job market, using AI tools to pose as remote IT workers and offering fake IT jobs to gain access to Western companies’ cloud systems.

The pariah state’s use of AI has only continued to evolve since then. More recently, in February 2026, Google’s (NASDAQ: GOOGL) cybersecurity firm, Mandiant, warned that North Korean “threat actors” were using AI-generated deepfakes to deceive victims in fake Zoom videos targeting digital currency and DeFi entities.

Based on the latest TRM report, this pattern looks set to continue, with the report highlighting that “North Korea remained the single largest source of stolen value” in the first halves of both 2025 and 2026.

Watch: Can Blockchain Recover Stolen Crypto? BSV Says Yes

Read Entire Article