Blockchain security firm CertiK has released its Skynet DPRK Crypto Threats Report, offering a rather concerning look at how North Korean-linked actors have turned digital asset theft into a streamlined, high-yield revenue engine for the regime. Covering nearly a decade of activity through early 2026, the analysis reveals that DPRK-affiliated hackers have extracted an estimated $6.75 billion across 263 documented incidents.
According to CertiK, the true total is almost certainly higher, as scores of smaller strikes against retail users and early-stage projects continue to fly under the radar.
The numbers paint a picture of surgical efficiency rather than volume. In 2025, these actors were behind just 12 percent of all recorded crypto incidents (79 out of 656) yet claimed $2.06 billion—roughly 60 percent of the year’s entire $3.4 billion in losses.
The trend has carried into 2026: of roughly $1.1 billion lost across 185 incidents so far this year, approximately $621 million (55 percent) traces back to DPRK operations. A single $291 million breach of KelpDAO alone helped drive that share.
What sets these campaigns apart is their scale and precision. The February 2025 Bybit exploit, valued at $1.5 billion, remains the largest single crypto theft in history.
It was joined by the $625 million Ronin network breach and twin strikes on the Drift protocol totaling $625 million and $285 million.
Rather than hunting for smart-contract bugs, operators have pivoted to human and infrastructure weaknesses.
Social engineering—fake job offers, impersonated venture capitalists, and poisoned code repositories—remains the preferred entry point.
Supply chain attacks have grown especially lethal; the Bybit case showed how even institutional-grade multisig wallets can fall when trusted third-party services are compromised.
Infiltration of DeFi development teams by operatives using false identities has also become a recurring tactic.
Once the operators are inside, the laundering machine operates at industrial speed. In the Bybit incident, 86.29 percent of the stolen Ethereum was converted to Bitcoin within a month using a sophisticated pipeline of mixers, cross-chain bridges, decentralized exchanges, and over-the-counter brokers. This rapid, layered obfuscation makes recovery nearly impossible.
Intelligence assessments cited in the report leave little doubt about the ultimate destination of these funds: North Korea’s nuclear and ballistic-missile programs.
What began as opportunistic cybercrime has evolved into a core pillar of state financing. CertiK’s Skynet platform, which powers the ongoing monitoring of on-chain behavior, continues to map these evolving patterns in real time.
CertiK concludes that the takeaway for the industry is clear. As DPRK-linked groups refine their focus on high-value targets and human vulnerabilities, proper defenses must extend far beyond code audits to include rigorous vetting of people, partners, and third-party infrastructure.
With mega-heists growing larger and laundering pipelines more refined, the Skynet research report underscores an uncomfortable reality—the crypto ecosystem is now a battleground in a state-sponsored financial campaign that shows no signs of slowing.