{"id":97049,"date":"2026-05-12T21:15:50","date_gmt":"2026-05-12T18:15:50","guid":{"rendered":"https:\/\/u1f987.com\/en\/?p=97049"},"modified":"2026-05-12T21:20:18","modified_gmt":"2026-05-12T18:20:18","slug":"certik-reports-on-north-koreas-industrialization-of-crypto-theft","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/certik-reports-on-north-koreas-industrialization-of-crypto-theft\/","title":{"rendered":"CertiK Reports on North Korea&#8217;s &#8216;Industrialization&#8217; of Crypto Theft"},"content":{"rendered":"<p>Hacker groups linked to North Korea have turned cryptocurrency theft into a large-scale state operation with their own money laundering infrastructure and a network of IT agents, according to analysts at CertiK.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">DPRK-linked actors have stolen an estimated $6.75B across 263 crypto incidents since 2016.<\/p>\n<p>In 2025 alone, they accounted for 60% of all stolen value despite just 12% of incidents.<\/p>\n<p>Read our full Skynet DPRK Crypto Threats Report below \ud83d\udc47<a href=\"https:\/\/t.co\/06QCTVvi0E\">https:\/\/t.co\/06QCTVvi0E<\/a><\/p>\n<p>\u2014 CertiK (@CertiK) <a href=\"https:\/\/twitter.com\/CertiK\/status\/2054184827222716543?ref_src=twsrc%5Etfw\">May 12, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\u00a0<\/p>\n<p>Researchers estimate that from 2017 to early 2026, North Korean entities stole digital assets worth more than $6.7 billion in 263 incidents. The scale of losses is likely understated, as it does not account for &#8220;hundreds of small attacks&#8221; on individuals and projects in the early years of the crypto industry.<\/p>\n<p>In 2025 alone, Pyongyang-backed entities inflicted $2.06 billion in damage on the industry, accounting for approximately 60% of the total figure, despite being responsible for only 12% of incidents.\u00a0\u00a0<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/img-cea1e7276d1a6ec8-4210618692240408.webp\" alt=\"image\" class=\"wp-image-279906\"\/><figcaption class=\"wp-element-caption\">Damage to the crypto industry from hacks and the share of North Korean hackers by year. Source: CertiK.<\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\">Changes in Tactics<\/h2>\n<p>CertiK stated that North Korean groups have shifted from &#8220;chaotic attacks&#8221; to professionalized operations with clear role divisions. Some divisions focus on social engineering, while others compromise infrastructure. Money laundering is also handled by specialized personnel.<\/p>\n<p>Analysts identified periods when hackers in the industry concentrated on specific attack vectors:<\/p>\n<ol class=\"wp-block-list\">\n<li><strong>Hot wallets<\/strong> of crypto exchanges (2017-2019) \u2014 insufficient development of storage security systems required fewer resources for operations (cases like Bithumb, Coincheck, and others).<\/li>\n<li><strong>DeFi protocols and <a href=\"https:\/\/u1f987.com\/en\/news\/what-are-cross-chain-bridges\">cross-chain bridges<\/a><\/strong> (2020-2023) \u2014 became relatively accessible targets as centralized platforms strengthened cyber defenses. Examples: Ronin Bridge and Harmony Horizon.<\/li>\n<li><strong>Supply chains<\/strong> (2024-2026) \u2014 instead of directly attacking crypto exchanges, attackers shifted to compromising third-party infrastructure providers. The most notable case: theft of $1.5 billion in cryptocurrency from Bybit through a product hack from Safe.<\/li>\n<li><strong>Physical penetration<\/strong> (since 2025) \u2014 attacks began to combine social engineering methods, <a href=\"https:\/\/u1f987.com\/en\/news\/ethereum-foundation-scholar-uncovers-100-north-korean-it-agents-in-web3-firms\">infiltration of IT agents<\/a> into crypto companies, contacts with projects as fake venture investors, and technical methods. Example: <a href=\"https:\/\/u1f987.com\/en\/news\/drift-protocol-reveals-details-of-280-million-hack\">Drift Protocol<\/a> with a loss of $280 million.\u00a0<\/li>\n<\/ol>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/img-8556358d0a8bd249-4210618717115779.webp\" alt=\"image\" class=\"wp-image-279905\"\/><figcaption class=\"wp-element-caption\">Evolution of cyberattack focus by North Korean hackers. Source: CertiK.<\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\">Asset Laundering<\/h2>\n<p>After the largest Bybit hack of $1.5 billion, attributed to the <a href=\"https:\/\/u1f987.com\/en\/news\/lazarus-group-what-we-know-about-the-outfit-suspected-of-the-bybit-hack\">Lazarus<\/a> group, about 86% of the stolen Ethereum funds were converted into Bitcoin in less than a month.<\/p>\n<p>To obscure the trail, the following were used:<\/p>\n<ul class=\"wp-block-list\">\n<li>rapid transfers of assets between different blockchains (chain hopping);<\/li>\n<li>cross-chain bridges;<\/li>\n<li>crypto mixers;<\/li>\n<li>over-the-counter brokers;<\/li>\n<li>underground banking networks in Asia.<\/li>\n<\/ul>\n<p>Analysts emphasized that the money laundering infrastructure has become &#8220;as important as the attacks themselves&#8221; for the hackers.<\/p>\n<h2 class=\"wp-block-heading\">&#8216;Army of IT Workers&#8217;<\/h2>\n<p>Researchers identified a separate threat from North Korean IT specialists who pose as remote employees to <a href=\"https:\/\/u1f987.com\/en\/news\/password-123456-exposes-a-dprk-it-worker-network-in-crypto\">infiltrate Western companies<\/a>.<\/p>\n<p>These agents can:\u00a0<\/p>\n<ul class=\"wp-block-list\">\n<li>gain access to internal systems;<\/li>\n<li><a href=\"https:\/\/u1f987.com\/en\/news\/north-korean-agents-secretly-developed-code-for-leading-defi-projects-for-seven-years\">participate in code development<\/a>;<\/li>\n<li>embed malicious components;<\/li>\n<li>gather data for future attacks.<\/li>\n<\/ul>\n<p>In some cases, AI tools and deepfake technologies were used to pass interviews.<\/p>\n<p>The North Korean Foreign Ministry <a href=\"https:\/\/u1f987.com\/en\/news\/north-korea-dismisses-accusations-of-cryptocurrency-hacks-as-absurd-slander\">denied accusations<\/a> of the country&#8217;s involvement in cryptocurrency thefts, calling such claims &#8220;absurd slander&#8221; and a &#8220;political tool&#8221; of the United States.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hacker groups linked to North Korea have turned cryptocurrency theft into a large-scale state operation with their own money laundering infrastructure and a network of IT agents, according to analysts at CertiK.<\/p>\n","protected":false},"author":1,"featured_media":97050,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"North Korean hackers industrialize crypto theft, says CertiK.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1204,44,1202],"class_list":["post-97049","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-certik","tag-cybercrime","tag-north-korea-dprk"],"aioseo_notices":[],"amp_enabled":true,"views":"3","promo_type":"1","layout_type":"1","short_excerpt":"North Korean hackers industrialize crypto theft, says CertiK.","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/97049","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=97049"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/97049\/revisions"}],"predecessor-version":[{"id":97051,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/97049\/revisions\/97051"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/97050"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=97049"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=97049"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=97049"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}