North Korea (DPRK) state-affiliated hackers and threat actors were responsible for more than $2 billion in crypto losses in 2025, a 51% year-over-year increase, despite fewer attacks carried out by the group, according to cybersecurity company CrowdStrike.

DPRK hackers represent the “largest” threat group targeting cryptocurrency users, as measured by the dollar amount of assets stolen, according to the company’s 2026 Financial Services Threat Landscape report. Crowdstrike added:

“Stolen proceeds are almost certainly laundered to fund the regime’s military programs. Compared to 2024, DPRK-nexus adversaries conducted fewer campaigns but achieved significantly higher returns by prioritizing high-value targets.”

The DPRK hackers and scammers focused on targeting Web3 projects and cryptocurrency exchanges because the stolen funds could be “cashed out” and transferred with a greater degree of anonymity than in the traditional financial system, CrowdStrike said.

The countries most targeted by DPRK hackers. Source: CrowdStrike

The report highlights the growing threat of state-affiliated hacking groups targeting cryptocurrency users and industry companies through cybersecurity threats and social engineering scams designed to steal funds and sensitive information.

Related: US sentences ‘laptop farmers’ tied to North Korean IT worker scheme

North Korean hackers infiltrate crypto projects online and offline

In April, the Ethereum Foundation, the organization that oversees development of the Ethereum ecosystem, identified 100 DPRK-backed hackers and threat actors who infiltrated crypto projects. 

Typically, these threat actors are remote hires; however, in April 2025, the Drift Protocol decentralized crypto exchange was infiltrated and compromised by DPRK-affiliated technology workers, who met with the Drift Protocol development team.

The Drift Protocol team said that they met the threat actors during a “major” cryptocurrency industry conference and built a working relationship with them over six months.

Source: Drift Protocol

During the collaboration, the hackers deployed malware, which compromised Drift Protocol developer machines and caused $280 million in losses. 

“It is important to note that the individuals who appeared in person were not North Korean nationals,” the Drift team said, adding, “DPRK threat actors operating at this level are known to deploy third-party intermediaries to conduct face-to-face relationship-building.”

During that same month, Onchain sleuth ZachXBT also documented a group of North Korean information technology (IT) workers who were making $1 million per month working at technology companies.

Magazine: North Korea denies crypto hacks, Upbit’s bank tests Ripple: Asia Express

TLDR

• The Senate Banking Committee advanced the Clarity Act in a 15-9 vote with two Democrats joining Republicans.
• The bill would split crypto oversight between the SEC and the CFTC and set rules for exchanges and brokers.
• Lawmakers rejected several Democratic amendments related to sanctions, ethics, and anti-money laundering measures.
• A DeFi safe harbor amendment passed 18-6 after support from a bloc of Democrats and Republicans.
• The Clarity Act will merge with the Agriculture Committee version before heading to the full Senate.

The Senate Banking Committee approved the Digital Asset Market Clarity Act in a 15-9 vote on Thursday. Sens. Ruben Gallego and Angela Alsobrooks joined 13 Republicans to move the bill forward. The measure now heads toward a merger with the Senate Agriculture Committee text before a floor vote.

Clarity Act Clears Committee With Bipartisan Support

Lawmakers advanced the Clarity Act after months of cross-party negotiations and revisions. Chair Tim Scott said the bill ends a “regulatory gray zone” for crypto firms. He added that the framework would protect consumers and keep innovation in the United States.

Sen. Cynthia Lummis called the proposal “the hardest piece of legislation” of her career. She said the bill fits new digital assets into an older regulatory system. The text splits oversight between the SEC and the CFTC and sets rules for exchanges, brokers, and custodians.

The committee rejected several Democratic amendments during the markup session. Sen. Elizabeth Warren opposed the bill and called it “a bill written by the crypto industry.” She argued that the draft weakens securities law protections that date to 1929.

Warren also warned that the bill allows banks to increase crypto exposure. She linked that risk to practices before the 2008 financial crisis. Republicans voted down her amendments in 11-13 votes.

Ethics, Sanctions, and DeFi Debates Shape Vote

Democrats raised concerns about illicit finance and stablecoins during the hearing. Sen. Jack Reed said Iranian actors use stablecoins to buy drone components. He sought authority for regulators to block foreign illicit stablecoin flows, but the amendment failed.

Sen. Chris Van Hollen cited estimates that over $150 billion moved through illicit wallets last year. He proposed penalties for releasing DeFi protocols designed for money laundering. Republicans rejected his measure and said current criminal laws already cover such conduct.

Ethics issues tied to President Donald Trump also shaped debate. Van Hollen proposed barring elected officials from crypto business ties. Sen. Bernie Moreno opposed the amendment and said it belonged in the Judiciary Committee, and the panel defeated it 11-13.

A key vote came on Lummis Amendment 122 regarding DeFi safe harbors. The committee adopted the amendment 18-6 after a technical revision. Warner, Cortez Masto, and Alsobrooks joined Republicans to support the compromise language.

Earlier, Chair Scott limited the number of amendments under committee rules. He later reinstated selected proposals to secure bipartisan backing. By the final vote, Gallego and Alsobrooks provided the Democratic support needed for the 15-9 outcome.

North Korea’s state-affiliated hackers intensified their footprint in the crypto ecosystem during 2025, delivering losses exceeding $2 billion and marking a 51% year-over-year rise, according to CrowdStrike’s 2026 Financial Services Threat Landscape Report. The findings position DPRK-linked actors as the largest threat by the dollar value of assets stolen, underscoring a shift toward high-value targets and increasingly sophisticated operational security.

According to the report, the DPRK threat network pursued fewer campaigns than in previous years but achieved substantially higher returns by focusing on high-value targets and tightening the chain from theft to cash-out. The stolen proceeds are believed to be laundered to fund the regime’s military programs, a pattern CrowdStrike notes as a persistent objective of these actors. The group’s emphasis on centralized, high-impact operations contrasted with a broader spread of lower-value incidents seen in earlier years.

Key takeaways

• DPRK state-affiliated actors caused more than $2 billion in crypto losses in 2025, up 51% from the previous year, per CrowdStrike’s 2026 report.
• The DPRK remains the largest threat group by the dollar value stolen, reflecting a strategic pivot toward high-value targets and efficient monetization.
• Web3 projects and cryptocurrency exchanges were favored targets due to easier liquidity and greater anonymity when cashing out, according to the threat landscape findings.
• Stolen funds are likely laundered to fund military programs, with fewer campaigns delivering markedly higher returns, signaling a shift in attack economics.
• Infiltration and social engineering efforts extend beyond cyberspace, with offline touchpoints and third-party intermediaries playing a role in more sophisticated operations.

Escalating losses and a high-value playbook

CrowdStrike’s assessment highlights a paradox at work: even as the number of campaigns declined, the financial impact surged because the group prioritized larger, more lucrative targets. The firm notes that stolen assets are largely funneled into channels that maximize anonymity and liquidity, enabling quicker conversion to usable funds while evading traditional financial controls. The recurrence of such patterns suggests a deliberate shift to maximize value per operation rather than sheer volume of incidents.

“Stolen proceeds are almost certainly laundered to fund the regime’s military programs. Compared to 2024, DPRK-nexus adversaries conducted fewer campaigns but achieved significantly higher returns by prioritizing high-value targets.”

These conclusions come as the threat landscape signals a maturation of DPRK-linked operations, with investigators pointing to an expanding toolkit that blends traditional intrusion with social engineering and supply-chain-style compromises. The report also emphasizes that the group’s willingness to exploit weaknesses in crypto firms—ranging from project teams to exchanges—illustrates a broad targeting strategy that aims to maximize both access and monetization opportunities.

Why Web3 and exchanges remain focal points

Wednesday’s security discourse around DPRK actors centers on the economics of crypto theft. The report notes that high-value wallets and centralized exchanges offer deeper liquidity and faster exit routes, which reduces the time funds spend exposed to tracing and seizure risks. In this sense, the attraction of Web3 projects and crypto platforms is not merely about theft but about the ability to convert stolen assets into spendable currency with less friction than traditional financial rails.

Beyond the direct thefts, the broader ecosystem should watch for evolving social engineering strategies designed to exploit the trust networks around developing protocols and governance processes. As the threat model grows more sophisticated, the importance of robust security practices—such as rigorous vendor risk management, code review, and phishing-resistant authentication—takes on renewed urgency for builders and operators across the crypto space.

Infiltration, online and offline: notable incidents

In April, the Ethereum Foundation, which oversees Ethereum’s development, publicly flagged the scale of DPRK involvement in Web3 intrusions, identifying a substantial cohort of DPRK-backed operatives infiltrating various crypto projects. The implication is that the group maintains persistent, multi-pronged access to target ecosystems, combining remote intrusions with on-the-ground networking to extend influence.

One widely cited episode involves Drift Protocol, a decentralized exchange, where attackers purportedly infiltrated and compromised developer environments after forming relationships with the project’s team. The Drift Protocol team reported that the attackers were introduced to the project during a prominent crypto industry conference and cultivated a working relationship over six months. During this engagement, malware was deployed against developer machines, contributing to approximately $280 million in losses. Drift’s leadership stressed that the individuals who appeared in person were not North Korean nationals, but noted that DPRK actors often rely on third-party intermediaries to facilitate face-to-face contacts.

The broader narrative around offline reconnaissance and in-person recruitment is reinforced by separate industry observations, including reports of North Korean IT workers engaging with technology companies and leveraging legitimate employment channels to facilitate illicit activities. Researchers such as ZachXBT have highlighted cases where DPRK-linked IT workers earned substantial monthly sums in related schemes, underscoring the cross-cutting nature of the threat across online and offline environments.

For investors, builders, and operators, these incidents signal an ongoing arms race between threat actors and the security teams safeguarding crypto platforms. The Drift episode, in particular, demonstrates how attacker footholds can be planted through trusted development channels, turning core software supply chains into vectors for large losses. The broader warning is clear: even seemingly trusted community interactions and third-party engagements can become risk surfaces if due diligence and security hygiene are not robustly maintained.

What comes next for the market and defense strategy

As the threat landscape crystallizes around DPRK-backed operations, market participants should expect continued emphasis on high-value theft and sophisticated monetization techniques. Regulators, security firms, and platform teams are likely to double down on governance controls, supply-chain security, and enhanced monitoring of on-chain flows associated with known DPRK-linked wallets and entities. The convergence of cyber intrusions, social engineering, and high-ROI theft strategies points to a persistent, dynamic risk that will test the resilience of crypto infrastructure and compliance programs alike.

Going forward, observers will be watching for more granular disclosures from threat intelligence firms and platform operators about the operational patterns of DPRK actors, including any new countermeasures that successfully disrupt the most lucrative channels. The Ethereum Foundation’s identification of hundreds of DPRK-backed operatives and Drift Protocol’s post-incident reflections may foreshadow a broader push for transparency and proactive defense across the ecosystem. For readers, the key question remains how quickly the industry can translate these insights into concrete security improvements that reduce both the frequency and impact of future breaches.

As the year unfolds, the crypto community will need to monitor both governance responses and technical safeguards. Investors and users should maintain vigilance around project security audits, multi-party computation protections, and robust incident-response planning—areas where the cost of inaction can be measured in millions of dollars along with potentially lasting reputational damage.