$6.75 billion stolen since 2016: CertiK flags North Korea as crypto's biggest theft threat

The May 12 report by CertiK has put every crypto project and exchange on alert after the blockchain security firm pointed out the scale of the damage that North Korean hackers have masterminded since 2016. The results are in, and the picture is grim: an estimated $6.75 billion in cryptocurrency has been lost across 263 incidents. 

Certik’s report landed just days after TRM Labs implicated North Korean actors for about 76% of the money lost to crypto hacks through April 2026. Just as in 2025 when they hit Bybit for $1.5 billion, DPRK actors were named in the KelpDAO and Drift Protocol hacks, two of the largest exploits in 2026.

Most notably, neither of the reports from the security intelligence firms implied that crypto’s most persistent and costly adversary is slowing down. North Korea’s hackers are moving with better precision, causing far more losses in fewer incidents.

North Korean hackers cash bigger payouts on fewer attacks

According to CertiK’s report, North Korean-linked actors were behind just 12% of total crypto theft incidents and roughly 60% of all stolen value in 2025, which came up to $2.06 billion out of $3.4 billion in total losses.

2026 has started out on the same trajectory, with North Korean groups on the hook for 55% ($620.9 million) of the losses that projects have taken this year.

Counting the $285 million Drift Protocol breach on April 1 and the $292 million KelpDAO bridge exploit on April 18 alone, that’s 3% of incident count and 76% of loot stolen in 2026, according to TRM Labs.

North Korean actors are everywhere

Both TRM Labs and Certik cautioned that a big majority of North Korea-linked exploits are not even due to software vulnerabilities. Rather, they exploit people in old-fashioned social-engineering schemes.

“Most major DPRK operations begin with human manipulation, including fake job offers, VC impersonation, and malicious repositories,” CertiK stated in its report.

TRM Labs reported that North Korean proxies held in-person meetings with Drift employees before the breach. Between March 23 and March 30, the attacker exploited Solana’s durable nonce feature to get Drift’s multisig signers to pre-authorize transactions.

Come April 1, the protocol was drained in 31 withdrawals that took roughly 12 minutes.

The $1.5 billion Bybit hack in February 2025, the largest single crypto theft ever recorded, demonstrated that “even institutional-grade multisig wallets can be compromised by targeting trusted third-party infrastructure rather than smart contracts,” according to CertiK. The FBI attributed that attack to North Korea’s TraderTraitor group.

ZachXBT traced $16.58 million in direct crypto payroll payments to North Korean operatives posing as developers between January and July 2025, according to Cryptopolitan’s reporting.

CertiK’s latest report echoed the concern, stating that “DPRK operatives have infiltrated DeFi teams under false identities, in some cases directly enabling the theft of funds from within.”

The KelpDAO breach followed a different playbook. The attackers, TraderTraitor, a Lazarus Group-affiliated operation, exploited a single-verifier design flaw in a LayerZero bridge. After Arbitrum froze roughly $75 million of the stolen funds, the hackers pivoted to laundering through THORChain, converting stolen Ether (ETH) to Bitcoin (BTC), according to TRM Labs.

Since then, LayerZero has denied and issued a public apology, as reported by Cryptopolitan.

North Korean hackers follow similar exit routes

CertiK reported that within one month of the Bybit hack, 86.29% of stolen ETH was converted to Bitcoin using mixers, cross-chain bridges, decentralized exchanges, and over-the-counter brokers.

TRM Labs noted that THORChain processed the majority of proceeds from both the Bybit breach and the KelpDAO hack, “converting hundreds of millions in stolen ETH to Bitcoin with no operator willing to freeze or reject transfers.”

U.S. intelligence assessments have indicated that funds stolen by North Korean cyber operations support the country’s nuclear and ballistic missile programs, according to CertiK.

North Korea has denied involvement. A Foreign Ministry spokesperson called the allegations “absurd slander” spread by U.S. “government organs, reptile media organs and plot-breeding organizations,” according to Cryptopolitan’s May 4 report on Pyongyang’s rebuttal.

If you're reading this, you’re already ahead. Stay there with our newsletter.