76% of All Crypto Stolen in 2026 Is Now in North Korea
Dark Reading, archived May 03, 2026
North Korean threat actors are pulling off historic cryptocurrency heists on a yearly, sometimes weekly basis now. AI might be helping them.
Nate Nelson, Contributing Writer
May 1, 2026
The overwhelming majority of stolen cryptocurrency today is being used to fund the Democratic People's Republic of Korea (DPRK).
Crypto theft is rampant because it's easy. The system, bereft of institutional safeguards by design, requires that individual participants secure their own assets — a task for which most are not particularly well-suited. The result: entire national GDPs worth of financial theft every year. Even just in 2025, in the US alone, including only known and reported cases, the FBI found that Americans lost more than $11 billion in crypto-focused scams run by cybercriminals such as gangsters in Southeast Asia.
The biggest winner of all, though, is the DPRK. According to data from TRM Labs, North Korean hackers have been responsible for at least around a third of all financial losses from cryptocurrency in six out of the past nine years. In 2026, though, they're doing their most productive work yet. By tallying up all of the money crypto traders have reportedly lost to hackers so far this year, analysts found that 76% is now in Pyongyang.
It isn't that North Korea is performing 76% of all crypto cyberattacks. Rather, it has become proficient in focused, low-frequency, high-reward breaches, according to TRM.
Almost all of its winnings from January to April this year, for example, come down to two incidents: an attack against the "Drift Protocol" that yielded $285 million, and another against "KelpDAO" for $292 million.
TRM analysts believe that these semi-regular, high-yield attacks might be in part an outgrowth of North Korea's increasing adoption of artificial intelligence (AI), helping it meaningfully upgrade reconnaissance and social engineering flows so that its attacks come out more perfectly baked.
The DPRK's Hundred-Million-Dollar Crypto Heists
Years ago, the Kim Jong-Un regime came upon an insight that forever changed the trajectory of both cyberspace and geopolitics. Though the hegemonic US could limit its access to global financial markets, the DPRK observed that with each passing day, largely unsophisticated and self-fashioned traders were converting more and more dollars, euros, and pesos into unregulated and insecure cryptocurrency networks.
Crypto was vulnerable to technical issues like any other digital system. Even better: thanks to its community's anarcho-capitalist dogma, stopping or reversing cryptocurrency theft typically involves moving mountains. A bank can kibosh a financial transfer to North Korea; cryptocurrency projects are often structurally designed to prevent anyone from doing that, and where it is possible and pressing, zealous investors often choose not to, even at the expense of their own wallets.
As far back as 2017 and 2018, North Korea was culpable for around a third of all stolen crypto annually. TRM data suggests that it dropped off a cliff in 2020, but recovered to pre-COVID levels by 2023. Never has it been such a menace as it's been in the past year or so, though. In 2025, two-thirds of all stolen crypto went to Pyongyang. This year, so far, it's well beyond even that.
Almost all of this new rise can be attributed to three specific incidents. In February 2025, a North Korean advanced persistent threat (APT) tracked by the FBI as "TraderTraitor" (aka Jade Sleet, UNC4899) stole $1.5 billion worth of Ethereum from a crypto exchange called ByBit. On April Fools' Day this year, Citrine Sleet (aka AppleJeus, Labyrinth Chollima, UNC4736) cashed in on a monthslong social engineering gambit to swindle nearly $300 million from a leveraged trading platform, "Drift." Not even three weeks later, on April 18, TraderTraitor was back with an attack on the infrastructure underpinning another decentralized finance (DeFi) platform called "Kelp," also for nearly $300 million.
Though the attack chains varied, each one demonstrated the attackers' extensive technical understanding of these decentralized platforms and where their weak points lie.
"North Korea stole $575 million in 18 days because the infrastructure they targeted had single points of trust, no provenance validation on assets moving between systems, and governance structures that could not respond at the speed of the attack," explains Bradley Smith, senior vice president and deputy chief information security officer (CISO) at BeyondTrust. "The structural problem is that DeFi protocols are handling nation-state-scale value with startup-scale security architecture. Until the ecosystem enforces the same trust verification standards that traditional financial infrastructure requires, state-sponsored actors will keep treating it as the lowest-cost funding mechanism available to them."
Can Crypto Hold Up Against AI?
North Korean APTs may have been stealing crypto for a while now, and sometimes a lot of it at once. But the regularity with which they're stealing such huge sums raises the question: What's changed? As we've seen already, it's not that they're carrying out attacks more frequently.
"North Korean operators have long been capable social engineers, but AI is dismantling the constraints that historically limited their precision, such as language barriers, the time required to build convincing personas, the difficulty of personalizing attacks at scale," says Ari Redbord, vice president and global head of policy and government affairs for TRM Labs. The benefits of AI aren't limited to social engineering, as LLMs help synthesize data and generative tools help write code. "Overall we have seen a 500% increase in AI-assisted scams over the last year. The barrier to a convincing attack has collapsed, and a state actor with the DPRK's resources and operational discipline is systematically integrating these attacks into workflows designed to steal the crypto assets that fund a nuclear program."
The risk posed by Kim's state is set only to steepen, too, with frontier AI tools trained to efficiently identify and exploit cybersecurity weaknesses. Smith worries that "Smart contracts and governance structures are already insufficient against human-speed attackers. AI compresses that timeline further. We've seen critical vulnerabilities moving from proof-of-concept to mass exploitation in hours. When you apply that to smart contract ecosystems where exploits execute and settle on-chain before anyone can intervene, the window for human governance to respond is effectively zero."
He argues that "Crypto ecosystems will need to build automated, real-time trust validation into the transaction layer itself. Governance votes and multisig approvals that take hours or days will not survive an AI-empowered attacker operating in minutes."
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.