LmCast :: Stay tuned in

76% of All Crypto Stolen in 2026 Is Now in North Korea

Recorded: May 11, 2026, 1:16 p.m.

Original Summarized

North Korean threat actors are pulling off historic cryptocurrency heists on a yearly, sometimes weekly basis now.
AI might be helping them.

Nate Nelson, Contributing Writer
May 1, 2026 | 6 Min Read

The overwhelming majority of stolen cryptocurrency today is being used to fund the Democratic People's Republic of Korea (DPRK).

Crypto theft is rampant because it's easy. The system, bereft of institutional safeguards by design, requires that individual participants secure their own assets — a task for which most are not particularly well-suited. The result: entire national GDPs worth of financial theft every year. Even just in 2025, in the US alone, including only known and reported cases, the FBI found that Americans lost more than $11 billion in crypto-focused scams run by cybercriminals such as gangsters in Southeast Asia.

The biggest winner of all, though, is the DPRK. According to data from TRM Labs, North Korean hackers have been responsible for at least around a third of all financial losses from cryptocurrency in six out of the past nine years. In 2026, though, they're doing their most productive work yet. By tallying up all of the money crypto traders have reportedly lost to hackers so far this year, analysts found that 76% is now in Pyongyang.

It isn't that North Korea is performing 76% of all crypto cyberattacks.
Rather, it has become proficient in focused, low-frequency, high-reward breaches, according to TRM.

Almost all of its winnings from January to April this year, for example, come down to two incidents: an attack against the "Drift Protocol" that yielded $285 million, and another against "KelpDAO" for $292 million.

TRM analysts believe that these semi-regular, high-yield attacks might be in part an outgrowth of North Korea's increasing adoption of artificial intelligence (AI), helping it meaningfully upgrade reconnaissance and social engineering flows so that its attacks come out more perfectly baked.

The DPRK's Hundred-Million-Dollar Crypto Heists

Years ago, the Kim Jong-Un regime came upon an insight that forever changed the trajectory of both cyberspace and geopolitics. Though the hegemonic US could limit its access to global financial markets, the DPRK observed that with each passing day, largely unsophisticated and self-fashioned traders were converting more and more dollars, euros, and pesos into unregulated and insecure cryptocurrency networks.

Crypto was vulnerable to technical issues like any other digital system. Even better: thanks to its community's anarcho-capitalist dogma, stopping or reversing cryptocurrency theft typically involves moving mountains. A bank can kibosh a financial transfer to North Korea; cryptocurrency projects are often structurally designed to prevent anyone from doing that, and where it is possible and pressing, zealous investors often choose not to, even at the expense of their own wallets.

As far back as 2017 and 2018, North Korea was culpable for around a third of all stolen crypto annually. TRM data suggests that it dropped off a cliff in 2020, but recovered to pre-COVID levels by 2023. Never has it been such a menace as it's been in the past year or so, though. In 2025, two thirds of all stolen crypto went to Pyongyang.
This year, so far, it's well beyond even that.

Almost all of this new rise can be attributed to three specific incidents. In February 2025, a North Korean advanced persistent threat (APT) tracked by the FBI as "TraderTraitor" (aka Jade Sleet, UNC4899) stole $1.5 billion worth of Ethereum from a crypto exchange called ByBit. On April Fools' Day this year, Citrine Sleet (aka AppleJeus, Labyrinth Chollima, UNC4736) cashed in on a monthslong social engineering gambit to swindle nearly $300 million from a leveraged trading platform, "Drift." Not even three weeks later, on April 18, TraderTraitor was back with an attack on the infrastructure underpinning another decentralized finance (DeFi) platform called "Kelp," also for nearly $300 million.

Though the attack chains varied, each one demonstrated the attackers' extensive technical understanding of these decentralized platforms and where their weak points lie.

"North Korea stole $575 million in 18 days because the infrastructure they targeted had single points of trust, no provenance validation on assets moving between systems, and governance structures that could not respond at the speed of the attack," explains Bradley Smith, senior vice president and deputy chief information security officer (CISO) at BeyondTrust. "The structural problem is that DeFi protocols are handling nation-state-scale value with startup-scale security architecture. Until the ecosystem enforces the same trust verification standards that traditional financial infrastructure requires, state-sponsored actors will keep treating it as the lowest-cost funding mechanism available to them."

Can Crypto Hold Up Against AI?

North Korean APTs may have been stealing crypto for a while now, and sometimes a lot of it at once. But the regularity with which it's stealing such huge sums begs the question: What's changed?
As we've seen already, it's not that they're carrying out attacks more frequently.

"North Korean operators have long been capable social engineers, but AI is dismantling the constraints that historically limited their precision, such as language barriers, the time required to build convincing personas, the difficulty of personalizing attacks at scale," says Ari Redbord, vice president and global head of policy and government affairs for TRM Labs. The benefits of AI aren't limited to social engineering, as LLMs help synthesize data and generative tools help write code. "Overall we have seen a 500% increase in AI-assisted scams over the last year. The barrier to a convincing attack has collapsed, and a state actor with the DPRK's resources and operational discipline is systematically integrating these attacks into workflows designed to steal the crypto assets that fund a nuclear program."

The risk posed by Kim's state is set only to steepen, too, with frontier AI tools trained to efficiently identify and exploit cybersecurity weaknesses. Smith worries that "Smart contracts and governance structures are already insufficient against human-speed attackers. AI compresses that timeline further. We've seen critical vulnerabilities moving from proof-of-concept to mass exploitation in hours. When you apply that to smart contract ecosystems where exploits execute and settle on-chain before anyone can intervene, the window for human governance to respond is effectively zero."

He argues that "Crypto ecosystems will need to build automated, real-time trust validation into the transaction layer itself. Governance votes and multisig approvals that take hours or days will not survive an AI-empowered attacker operating in minutes."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.

North Korean cybercriminal activity within the cryptocurrency landscape has escalated to a concerning degree, particularly in 2026. A substantial portion – 76% – of all crypto stolen globally is now attributed to North Korea, marking a significant shift from previous years. This heightened activity is driven by sophisticated, targeted attacks, often leveraging artificial intelligence (AI) to enhance reconnaissance and social engineering capabilities. TRM Labs data reveals that Pyongyang is responsible for approximately a third of all financial losses from cryptocurrency in six out of the past nine years, and this trend has intensified, reaching beyond two-thirds of stolen crypto by 2025 and exceeding that level in 2026. These heists primarily involve semi-regular, high-reward breaches against platforms like Drift Protocol and KelpDAO, each netting hundreds of millions of dollars.

The methodology employed by these North Korean Advanced Persistent Threat (APT) groups, tracked by the FBI, indicates a deep understanding of decentralized finance (DeFi) protocols and their vulnerabilities. They exploit single points of trust, lack of provenance validation, and weak governance structures inherent in these systems. The rise in AI’s integration significantly amplifies this threat, allowing for more precise and scalable attacks, collapsing the timeframe between vulnerability discovery and exploitation. The consistent success of these operations is attributed to the DPRK’s strategic insight that unprepared traders readily convert currency into unregulated cryptocurrency networks, exploiting the system's inherent weaknesses and limited safeguards.

Bradley Smith, senior vice president and deputy CISO at BeyondTrust, highlighted the critical structural problem: DeFi’s handling of nation-state-scale value with startup-scale security. The rapid pace of North Korean attacks has exposed the vulnerability of these ecosystems, particularly concerning governance responses, which typically rely on slow, manual processes. Furthermore, the rise in AI-assisted scams – a 500% increase over the past year – has dramatically lowered the barriers to conducting these attacks, with AI assisting in data synthesis and code generation.

The geopolitical implications are significant, as this stolen cryptocurrency directly funds the North Korean regime’s programs. The regularity and scale of these heists present a growing concern for cybersecurity professionals, particularly regarding the integration of AI into offensive capabilities. Concerns are raised that the sophistication of these attacks – with vulnerabilities moving from proof of concept to mass exploitation in hours – will overwhelm traditional human governance structures. To mitigate this, analysts emphasize the need for real-time trust validation mechanisms integrated into the transaction layer itself, exceeding the capabilities of current governance models. The continued rise of North Korean cybercrime exposes the vulnerability of DeFi ecosystems and demands innovative safeguards against AI-empowered threats.