February 21, 2026 marks the first anniversary of the largest confirmed cryptocurrency theft in history. On that day in 2025, hackers drained roughly $1.46 billion in digital assets from Dubai-based exchange ByBit. Blockchain intelligence firm Elliptic was among the first to link the attack to North Korean state actors — a conclusion later validated by the FBI. Far from being a one-off triumph, the incident has proven to be merely a milestone in an escalating campaign.
According to Elliptic’s latest analysis, North Korean-linked groups stole a record $2 billion in cryptocurrency throughout 2025, pushing their known cumulative haul past $6 billion.
These funds are widely understood to support the regime’s nuclear and missile programs.
The pace has not eased in 2026.
Elliptic recorded twice as many exploits in January 2026 compared with the same month the previous year, demonstrating that the operation remains in high gear despite heightened industry awareness.
More than $1 billion of the stolen ByBit funds were laundered within the first six months after the breach, primarily through suspected Chinese over-the-counter trading desks.
Attackers employed sophisticated techniques including strategic refund addresses, the minting of valueless tokens, and unusually broad distribution across multiple mixing services.
By the one-year mark, the overwhelming majority of the haul had been successfully processed and integrated into the legitimate financial system.
Social engineering remains the dominant attack method.
Elliptic identified active campaigns — internally labeled “DangerousPassword” and “Contagious Interview” — that have already generated at least $37.5 million in early 2026.
In the first, operatives compromise legitimate social-media accounts, reference vague real-world connections such as past conference encounters, and lure targets into video calls.
A fabricated “audio glitch” then prompts victims to run a malicious command-line script disguised as a software development kit, which steals private keys and seed phrases.
The second campaign poses as high-paying remote developer roles, requiring candidates to download code from seemingly reputable repositories that install malware with the same objective.
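A candidate or maintainer handed a repository under the pretext described above can triage it before running anything. The following is an added example, not code from Elliptic or from the article, and it assumes a Node.js project layout (package.json lifecycle hooks plus source files); the sample project it scans is constructed inline so the script runs offline. It flags install-time hooks that execute automatically on `npm install` and source patterns that commonly hide a second-stage payload (dynamic eval, base64 decoding, process spawning, remote pipe-to-shell, raw-IP URLs).

```python
"""Pre-run triage for a repository received from an untrusted recruiter.

Added example, not from the original article or from Elliptic. Assumes a
Node.js layout; the sample repository below is constructed inline.
"""
import json
import os
import re
import tempfile

# npm lifecycle hooks that execute automatically during `npm install`
AUTO_RUN_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Content patterns that justify a manual review before anything is run
SUSPICIOUS_PATTERNS = {
    "dynamic_eval": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "base64_decode": re.compile(r"base64|\batob\s*\(|b64decode"),
    "pipe_to_shell": re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b"),
    "process_spawn": re.compile(r"child_process|os\.system|subprocess"),
    "raw_ip_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"),
}

SOURCE_SUFFIXES = (".js", ".cjs", ".mjs", ".ts", ".sh", ".py")


def scan_manifest(manifest_path):
    """Return findings for scripts that run without the user invoking them."""
    with open(manifest_path, encoding="utf-8") as fh:
        pkg = json.load(fh)
    return [
        (manifest_path, "auto_run_hook", f"{hook}: {cmd}")
        for hook, cmd in pkg.get("scripts", {}).items()
        if hook in AUTO_RUN_HOOKS
    ]


def scan_source(path):
    """Return (path, pattern_name, matched_text) for each suspicious pattern hit."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        text = fh.read()
    findings = []
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        match = pattern.search(text)
        if match:
            findings.append((path, name, match.group(0)))
    return findings


def triage_repo(root):
    """Walk a checked-out repository and collect everything worth a look."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # skip vendored and VCS directories; the project's own files are the point
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git")]
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            if filename == "package.json":
                findings.extend(scan_manifest(full))
            elif filename.endswith(SOURCE_SUFFIXES):
                findings.extend(scan_source(full))
    return findings


def finding_kinds(findings):
    """Distinct finding categories, sorted for stable reporting."""
    return sorted({kind for _, kind, _ in findings})


def build_sample_repo():
    """Constructed sample project: one harmless module, one install-time hook.

    The base64 blob decodes to the harmless string 'echo setup'; it exists only
    so the scanner has something to flag.
    """
    root = tempfile.mkdtemp(prefix="triage_sample_")
    os.makedirs(os.path.join(root, "src"))
    os.makedirs(os.path.join(root, "scripts"))
    manifest = {
        "name": "sample-trading-sdk",
        "version": "0.1.0",
        "scripts": {"test": "jest", "postinstall": "node scripts/setup.js"},
    }
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)
    with open(os.path.join(root, "src", "index.js"), "w", encoding="utf-8") as fh:
        fh.write("module.exports = { add: (a, b) => a + b };\n")
    with open(os.path.join(root, "scripts", "setup.js"), "w", encoding="utf-8") as fh:
        fh.write(
            "const cp = require('child_process');\n"
            "const blob = Buffer.from('ZWNobyBzZXR1cA==', 'base64').toString();\n"
            "eval(blob);\n"
        )
    return root


if __name__ == "__main__":
    sample = build_sample_repo()
    for path, kind, detail in triage_repo(sample):
        print(f"{kind:15} {os.path.relpath(path, sample)}: {detail}")
```

Run it against a freshly cloned directory before `npm install` or opening the project in an editor that auto-runs tasks. A hit is not proof of malice, but an install hook that decodes and evaluates a blob is exactly the shape a reviewer should read line by line, and a clean module such as the sample `src/index.js` produces no findings at all. Running unfamiliar code only inside a disposable VM or container is the complementary control the script does not replace.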
Beyond direct infiltration of existing projects, Elliptic’s research suggests North Korean operatives may now be creating entire fraudulent platforms to lure victims.
A striking case emerged on January 1, 2026, when Tenexium.io — a purported decentralized margin-trading protocol built on the Bittensor (TAO) network — suddenly went offline following $2.5 million in suspicious outflows from its treasury wallet.
The project, registered in September 2025 with minimal online presence, showed strong indicators of DPRK involvement through persona analysis and on-chain tracing.
Funds displayed characteristic cross-chain movement patterns and laundering paths previously seen in other regime-linked incidents.
This shift from embedding in legitimate teams to building and then draining their own projects represents a concerning tactical evolution.
The broader message from Elliptic is clear: the threat is sustained, professionalized, and increasingly difficult to detect.
Operatives leverage artificial intelligence to polish phishing language and overcome linguistic barriers, while the remote, pseudonymous nature of crypto development makes vetting extraordinarily challenging.
Developers, contributors, and even entire ecosystems remain at risk.
As the industry marks the ByBit incident, Elliptic urges platforms and users to adopt advanced blockchain analytics tools capable of screening funds across more than 60 networks and visualizing complex laundering flows. Without proactive defense, North Korea’s crypto revenue stream — and the geopolitical dangers it finances — will continue to grow unchecked.