Opinion Technology
May 12, 2026

The $6.75B Problem: How North Korea Turned Cryptocurrency Into A Nuclear Revenue Stream

In Brief

North Korea has stolen $6.75B in crypto since 2016, funding its weapons programs. How Pyongyang turned blockchain into a nuclear revenue machine — and why the industry can’t stop it.


When most people think about cryptocurrency theft, they picture opportunistic hackers looking for a quick payday. The reality of North Korea’s decade-long campaign against the crypto industry is something categorically different — a state-directed, industrialized operation that has quietly become one of the most consequential funding mechanisms for a nuclear weapons program.

A new report from Web3 security firm CertiK, drawing on blockchain forensics and independent on-chain research from analyst Taylor Monahan, puts a number to the scale of this operation: $6.75 billion stolen across 263 incidents since 2016. That figure alone would be staggering. But the trend lines are what should truly alarm anyone paying attention. In 2025, DPRK-linked actors were responsible for roughly 60% of all value stolen in the cryptocurrency sector — despite accounting for only 12% of total incidents. Fewer attacks, but each one more devastating than the last.

The single largest heist in crypto history belongs to North Korea. In February 2025, the Bybit exchange was drained of $1.5 billion in a meticulously orchestrated operation that didn’t involve breaking a single smart contract. Instead, the attackers compromised a developer at Safe{Wallet}, a third-party multisig platform Bybit relied upon, stole AWS session tokens to bypass multi-factor authentication, and then manipulated the transaction interface so that Bybit employees approved what appeared to be a routine transfer. The underlying code was routing funds to a malicious address the entire time. By the time anyone realized what had happened, 86% of the stolen Ethereum had already been converted to Bitcoin and moved through a web of mixers, decentralized exchanges, and over-the-counter brokers — all within a single month.

This is not the behavior of criminals. This is the behavior of a state.

A Decade of Adaptation: How the Playbook Evolved

Kim Jong-un has reportedly described his cyber units as “an all-purpose sword” alongside nuclear weapons and ballistic missiles. That framing is worth taking seriously. The Reconnaissance General Bureau, North Korea’s primary foreign intelligence service, oversees an estimated 7,000 cyber personnel across multiple specialized clusters. These are state employees working under institutional mandates, with the patience and resources to spend months — sometimes more than half a year — inside a target’s systems before executing a theft. In at least five major exchange hacks, initial investigations mistook the attacks for inside jobs, so thorough was the attackers’ knowledge of internal processes and personnel schedules.

The trajectory of North Korea’s methods tells a story of systematic adaptation. The earliest phase, roughly 2017 to 2019, targeted exchange hot wallets at a time when the industry had grown faster than its security infrastructure. As centralized exchanges hardened their defenses, DPRK actors pivoted to DeFi protocols and cross-chain bridges, exploiting the fundamental weakness of low-validator-count designs — as demonstrated in the $625 million Ronin Bridge hack of 2022, initiated by a fake LinkedIn job offer that led a senior engineer to download a malicious PDF. When institutional DeFi began improving its security posture, the attacks evolved again, this time toward supply chain infiltration, as seen at Bybit.

Now, a new frontier has emerged. The April 2026 Drift Protocol attack — a $285 million theft from a Solana-based exchange — represents something qualitatively different from anything seen before. The operation began six months earlier, when third-party intermediaries with fully constructed professional identities began physically attending crypto conferences and building genuine relationships with protocol contributors. Real capital was deposited to establish credibility. Administrative key access was obtained. A fictitious token was deployed, its price artificially inflated to create fraudulent collateral, and internal withdrawal safeguards were disabled. On April 1, using pre-signed transactions executed through a legitimate Solana primitive, the attackers drained the liquidity pools in minutes.

No purely technical security model can stop an attack that begins with a handshake at a conference.

Beyond Cybersecurity: A Weapons Financing Problem

The laundering infrastructure supporting these operations has reached industrial scale. Stolen funds move rapidly through Tornado Cash, privacy coins, cross-chain bridges, and networks of OTC brokers — some linked to Chinese nationals, others to UAE-based front companies. Despite sanctions, some entities have openly refused to cooperate with freezing efforts. The now-defunct eXch exchange, for instance, declined to block laundering activity following the Bybit hack, reigniting uncomfortable debates about the tension between decentralization ideology and complicity in weapons financing.

That last point deserves emphasis: this is not an abstract cybersecurity problem. UN monitors and US intelligence assessments directly link DPRK cryptocurrency theft to the regime’s nuclear and ballistic missile programs. The connection between a compromised DeFi protocol and a weapons test may seem remote, but according to intelligence agencies, it is direct and documented.

The international response has begun to mature. The Multilateral Sanctions Monitoring Team, launched by the US, South Korea, and Japan, tracks evolving laundering tactics. Stablecoin issuers like Tether have increased proactive address freezing. Regulatory pressure through frameworks like the EU’s MiCA II and US executive orders is forcing platforms toward stricter due diligence. But the scale of the problem continues to outpace the response. In just the first four months of 2026, seven DPRK-attributed incidents totaled nearly $621 million.

The cryptocurrency industry must reckon honestly with what the data shows: North Korea has weaponized its vulnerabilities, and the primary attack surface is not code — it is people. From fake LinkedIn recruiters to malicious npm packages embedded in coding challenges, from trojanized trading applications to in-person conference infiltration, the common thread across nearly a decade of operations is the exploitation of human trust. Technical hardening matters, but without a serious culture of operational security, rigorous identity verification, and genuine zero-trust hiring practices, the industry will continue to subsidize one of the world’s most dangerous weapons programs — one compromised private key at a time.


About The Author

Alisa, a dedicated journalist at the MPost, specializes in crypto, AI, investments, and the expansive realm of Web3. With a keen eye for emerging trends and technologies, she delivers comprehensive coverage to inform and engage readers in the ever-evolving landscape of digital finance.

Alisa Davidson