North Korea-linked hackers laundered $2.06B in crypto
CertiK reports DPRK-linked groups stole and laundered about $2.06 billion of an estimated $3.4 billion in crypto losses in 2025, with proceeds funding North Korea’s weapons programs.
CertiK’s Skynet report finds hackers tied to North Korea stole and laundered roughly $2.06 billion of an estimated $3.4 billion in cryptocurrency losses in 2025. The report attributes those funds to DPRK-linked groups across 79 of 656 documented incidents that year.
The 79 incidents accounted for about 60% of the value lost in 2025 while representing roughly 12% of all incidents, the report says. CertiK draws on onchain tracing and open-source data, and cites independent researcher Taylor Monahan for a longer-term estimate that DPRK-linked actors stole about $6.75 billion across 263 documented incidents from 2016 through early 2026.
CertiK reports that stolen funds have been used to help finance the Democratic People’s Republic of Korea’s nuclear and ballistic missile programs, citing United Nations monitors and U.S. intelligence assessments referenced in the study.
The Skynet analysis describes a shift in tactics from opportunistic hot wallet compromises to fewer, higher-value operations that target large pools of capital. The single largest incident identified for 2025 was a February exploit of the Bybit platform that resulted in roughly $1.5 billion in losses. CertiK attributes that breach to the TraderTraitor cluster and links it to a supply-chain compromise of a third-party signing provider.
In the Bybit case, CertiK’s onchain tracing found about 86% of the stolen Ether was converted into Bitcoin within one month. The conversions used mixing services, cross-chain bridges, decentralized exchanges and over-the-counter brokers, according to the report.
The report traces the evolution of DPRK tactics through several high-profile attacks. It links the 2022 Ronin Bridge exploit to a spearphishing campaign that used a fake LinkedIn recruiter and a malware-laden PDF. The April 2026 Drift Protocol incident on Solana, which drained about $285 million, is described as a six-month operation that involved conference attendance, relationship-building and governance manipulation; CertiK labels that approach “physical infiltration.”
Jonathan Riss, a blockchain intelligence analyst at CertiK, described DPRK-linked operations as blending “intelligence tradecraft with technical exploits” and warned that information technology workers and intermediaries connected to the regime can obtain trusted roles inside Western crypto and fintech firms under false identities.
CertiK’s onchain analysis documents common laundering paths. Stolen tokens were rapidly converted across chains, routed through mixers and decentralized exchanges, and coordinated with over-the-counter brokers to move value into assets and accounts that are harder to trace. The report presents those techniques as the principal methods used to obscure the origin of funds.
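To make the tracing described above concrete, here is an added example (not CertiK's tooling, and not code from the report) that follows stolen value hop by hop through a constructed transfer list. It uses the proportional "haircut" taint rule, a standard tracing heuristic in which each outgoing transfer carries taint in proportion to the tainted share of the sender's balance, and it reports how much of the stolen amount reached a labelled conversion venue (bridge, DEX, mixer, OTC desk) within a time window, mirroring the "86% converted within one month" style of finding. All addresses, amounts and timestamps are constructed; the venue labels are assumptions.

```python
"""Proportional ("haircut") taint tracing over a constructed transfer graph.

Added example, not CertiK's code. Follows stolen value from a seed theft
transfer through later hops, splitting taint in proportion to each sender's
tainted balance share, and measures how much tainted value reached a
labelled conversion venue within a window after the theft.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int        # seconds since the theft (constructed)
    src: str       # sending address (constructed label)
    dst: str       # receiving address (constructed label)
    amount: float  # native-token amount (constructed)


DAY = 86_400

# Constructed sample: 100 units stolen at t=0, then layered through hops.
# 0xhop2 also holds 40 units of clean funds, which is what makes the
# proportional split matter.
SAMPLE = [
    Transfer(0,        "0xclean",  "0xhop2",   40.0),  # unrelated clean funding
    Transfer(0,        "0xvictim", "0xthief", 100.0),  # the theft (seed)
    Transfer(1 * DAY,  "0xthief",  "0xhop1",   60.0),
    Transfer(1 * DAY,  "0xthief",  "0xhop2",   40.0),
    Transfer(2 * DAY,  "0xhop1",   "0xbridge", 60.0),  # converted inside window
    Transfer(5 * DAY,  "0xhop2",   "0xhop3",   40.0),
    Transfer(40 * DAY, "0xhop3",   "0xdex",    30.0),  # converted after window
]
THEFT = {SAMPLE[1]}
# Assumed venue labels: addresses where value leaves the traceable chain.
VENUES = {"0xbridge": "bridge", "0xdex": "dex", "0xmixer": "mixer"}


def trace(transfers, theft_txs, venues, window_secs, theft_ts=0):
    """Return a summary of where tainted value went.

    Taint is seeded by the theft transfers and then propagated with the
    haircut rule: tainted_out = amount * taint[src] / balance[src].
    Value arriving at a venue is counted (inside or outside the window)
    and no longer tracked, since it has been converted or mixed away.
    """
    balance = defaultdict(float)
    taint = defaultdict(float)
    by_venue = defaultdict(float)
    within, after, stolen = 0.0, 0.0, 0.0

    for t in sorted(transfers, key=lambda x: x.ts):  # stable: keeps list order on ties
        if t in theft_txs:
            tainted = t.amount
            stolen += t.amount
        elif balance[t.src] > 0:
            tainted = t.amount * (taint[t.src] / balance[t.src])
            taint[t.src] -= tainted
        else:
            tainted = 0.0  # sender funded from outside the observed graph
        # Senders funded outside the graph (e.g. the victim) may go negative; clamp.
        balance[t.src] = max(balance[t.src] - t.amount, 0.0)
        balance[t.dst] += t.amount

        if t.dst in venues:
            by_venue[venues[t.dst]] += tainted
            if t.ts - theft_ts <= window_secs:
                within += tainted
            else:
                after += tainted
        else:
            taint[t.dst] += tainted

    still_held = {a: v for a, v in taint.items() if v > 1e-12}
    return {
        "total_stolen": stolen,
        "converted_within_window": within,
        "converted_after_window": after,
        "share_within_window": within / stolen if stolen else 0.0,
        "by_venue": dict(by_venue),
        "still_held": still_held,
    }


if __name__ == "__main__":
    result = trace(SAMPLE, THEFT, VENUES, window_secs=30 * DAY)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed sample, 60 of the 100 stolen units reach the bridge on day 2 (inside a 30-day window), 15 tainted units reach the DEX on day 40, and the remaining 25 are still held on intermediate addresses; the totals always sum to the stolen amount, which is a useful sanity check when running this over real transfer exports. Seeding the theft transfers explicitly, rather than inferring them, keeps the attribution claim separate from the tracing arithmetic.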
The report frames the pattern as sustained and strategic, with a small number of high-value incidents driving a large share of losses in 2025. CertiK’s findings include detailed incident totals, conversion timelines and attribution claims for named exploits cited in the study.