CoinHub Today · coinhubtoday.com

Lazarus Group's 2026 Rampage: Inside North Korea's $6.75B Crypto Crime Machine

Two back-to-back nine-figure heists, a new macOS campaign targeting executives, and a laundering pipeline that has quietly adapted to every sanctions move the U.S. can throw at it.

Investigation · DPRK Security · CoinHub Today Research Desk · April 22, 2026 · 8 min read

North Korea's crypto hacking program is no longer a curiosity. It is, by the numbers, the most productive illicit-finance operation on the planet, and its tradecraft is improving faster than the industry's defenses. Chainalysis puts cumulative DPRK-linked crypto theft at $6.75 billion from 2019 through the end of 2025, including a record $2.02 billion stolen in 2025 alone.

Key figures

$6.75B   Cumulative DPRK-linked crypto theft, 2019–2025
$567M    DPRK-linked theft in the first four months of 2026
3x       macOS campaigns tripled since December
$42M     Total recovered or frozen (under 1% of cumulative theft)

Major DPRK-linked heists and their laundering routes

Year       Target              Loss      Laundering route
2022       Ronin Bridge        $624M     Tornado Cash → Bitcoin
2023       Atomic Wallet       $100M     Sinbad.io → exchanges
2024       DMM Bitcoin         $308M     THORChain → OTC desks
2025       Bybit               ~$1.5B    eXch + THORChain + Chinese OTC
2026 YTD   Drift + Kelp DAO    ~$567M    THORChain + eXch + cross-chain hops

An Industrial-Scale Operation

"This is now an industrial-scale operation. It has specialization, pipelines, long-horizon planning, tool development, and a laundering infrastructure that has been resilient to three successive rounds of sanctions. There is no equivalent adversary in any other cybercrime category."

— Nick Carlsen, former FBI analyst, TRM Labs DPRK Research

The capability stack has expanded rapidly. In 2022, Lazarus mostly relied on compromised validator keys and poisoned software supply chains. By late 2024, the group had pivoted to social engineering: fake recruiters and investors approached engineers, then handed them staged technical challenges (take-home coding tests, "fix this repo" tasks) that smuggled malware onto developer machines. That playbook set up the February 2025 Bybit heist, in which a compromised developer machine at Safe{Wallet}, whose signing interface Bybit's cold-wallet signers used, served those signers a transaction that looked routine but handed control of the wallet contract to attacker code.

The 2026 Operations

The April 2026 operations extend the pattern. Drift Protocol's post-mortem describes months of staged investor-diligence conversations that ultimately extracted pre-signed admin-key authorizations from multiple engineers. Kelp DAO's post-mortem details an off-chain infrastructure compromise of two LayerZero DVN RPC nodes. In both cases the attackers held access long before they executed, which is what separates these operations from the opportunistic smart-contract exploits that dominated earlier years: the contract code was not the weak point, the people and infrastructure around the keys were.

The Pre-Signature Gap That Enabled Both Attacks

Both the Drift and Kelp DAO exploits share a structural weakness that has nothing to do with code quality: no automated control evaluated the transactions before they were signed and broadcast. A policy engine that required fresh, multi-party human authorization for admin-key changes, oracle registrations or vault-limit changes would have opened an intervention window in both attacks. Web3Firewall markets pre-signature transaction monitoring of this kind; the company says it evaluates more than 100 risk signals before a transaction reaches the chain, flags freshly created tokens registered against custom price feeds, and blocks withdrawal sequences that exceed configurable thresholds. The technology to prevent both attacks existed; the protocols simply were not running it. Two caveats apply, though. First, a pre-signature check only helps if it sits in the signing path itself (a co-signer, an HSM policy, or a wallet plugin that sees the exact payload being signed) rather than in a dashboard a hurried signer can bypass; the Bybit signers were shown a transaction that did not match what they signed, and a check that never sees the real payload cannot catch that. Second, approvals must bind to one specific payload and expire quickly, otherwise an authorization pre-signed months earlier during a fake diligence process sails straight through.
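To make the control concrete, here is a small pre-signature policy engine written as an added example for this article. It is not Web3Firewall's product, nor code from Drift, Kelp DAO or any other protocol named above, and every action name, threshold, address and price-feed label in it is hypothetical. It implements the three rules the paragraph describes: admin actions need a quorum of approvals signed within a short time-to-live (so a pre-signed authorization extracted days earlier is stale), a freshly minted token cannot be registered against a price feed that is not on an allowlist, and withdrawals are summed over a sliding window so a drain split into many small transfers still trips the threshold. Every intent is evaluated before any key touches it.

```python
# Added example (not CoinHub Today's, Web3Firewall's, Drift's or Kelp DAO's code):
# a minimal pre-signature policy engine. Every intent is evaluated BEFORE any key
# signs it; a blocked intent never reaches a signer, let alone the chain.
# All rule names, thresholds, addresses and feed labels are hypothetical.
from dataclasses import dataclass, field

# Actions that change who controls the protocol or how it prices and limits assets.
ADMIN_ACTIONS = {"set_admin", "rotate_admin_key", "set_vault_limit", "register_oracle"}


@dataclass
class TxIntent:
    action: str
    vault: str
    params: dict
    # approver -> unix time the approver signed off; stale entries are ignored
    approvals: dict = field(default_factory=dict)
    submitted_at: int = 0  # unix time the intent reaches the engine


@dataclass
class Verdict:
    allowed: bool
    reasons: list


class PreSignPolicy:
    def __init__(self, admin_quorum=3, approval_ttl=3600, fresh_token_age=7 * 86400,
                 allowed_feeds=(), drain_pct=0.10, drain_window=3600):
        self.admin_quorum = admin_quorum        # distinct approvers per admin action
        self.approval_ttl = approval_ttl        # seconds an approval stays valid
        self.fresh_token_age = fresh_token_age  # tokens younger than this are "fresh"
        self.allowed_feeds = set(allowed_feeds) # allowlisted price feeds
        self.drain_pct = drain_pct              # max share of TVL out per window
        self.drain_window = drain_window
        self.vault_tvl = {}          # vault -> current TVL (fed by an indexer in practice)
        self.token_created_at = {}   # token -> creation time (from chain data in practice)
        self._executed = {}          # vault -> [(time, amount)] of withdrawals we allowed

    def evaluate(self, tx: TxIntent) -> Verdict:
        reasons = []
        if tx.action in ADMIN_ACTIONS:
            # Only approvals signed recently count. A signature extracted from an
            # engineer days earlier (the pre-signed authorization pattern) is stale.
            live = {a for a, t in tx.approvals.items()
                    if 0 <= tx.submitted_at - t <= self.approval_ttl}
            if len(live) < self.admin_quorum:
                reasons.append(f"{tx.action}: {len(live)}/{self.admin_quorum} "
                               f"approvals signed within {self.approval_ttl}s")
        if tx.action == "register_oracle":
            token, feed = tx.params["token"], tx.params["feed"]
            # Unknown creation time is treated as age 0: deny by default.
            age = tx.submitted_at - self.token_created_at.get(token, tx.submitted_at)
            if age < self.fresh_token_age and feed not in self.allowed_feeds:
                reasons.append(f"register_oracle: token {token} is {age}s old and "
                               f"feed {feed} is not allowlisted")
        if tx.action == "withdraw":
            amount = tx.params["amount"]
            recent = [a for t, a in self._executed.get(tx.vault, [])
                      if tx.submitted_at - t <= self.drain_window]
            limit = self.drain_pct * self.vault_tvl.get(tx.vault, 0)
            # Sum over the window so a drain split into many small withdrawals still trips.
            if sum(recent) + amount > limit:
                reasons.append(f"withdraw: {sum(recent) + amount} in window exceeds "
                               f"{limit} ({self.drain_pct:.0%} of TVL)")
        verdict = Verdict(not reasons, reasons)
        if verdict.allowed and tx.action == "withdraw":
            # Only withdrawals we let through count toward the window; blocked ones never execute.
            self._executed.setdefault(tx.vault, []).append((tx.submitted_at, tx.params["amount"]))
        return verdict


def run_demo():
    """Replay constructed intents modelled on the attack patterns described above."""
    now = 1_700_000_000
    p = PreSignPolicy(allowed_feeds={"chainlink:ETH-USD"})
    p.vault_tvl["vault-A"] = 1_000_000
    p.token_created_at["0xNEWTOKEN"] = now - 3600  # constructed: minted an hour ago
    fresh = {"alice": now - 60, "bob": now - 120, "carol": now - 90}
    stale = {"alice": now - 60, "bob": now - 3 * 86400, "carol": now - 3 * 86400}
    out = {}
    out["rotate_stale"] = p.evaluate(TxIntent("rotate_admin_key", "vault-A", {"new_key": "0xK"}, stale, now))
    out["rotate_fresh"] = p.evaluate(TxIntent("rotate_admin_key", "vault-A", {"new_key": "0xK"}, fresh, now))
    out["oracle_custom"] = p.evaluate(TxIntent("register_oracle", "vault-A",
                                               {"token": "0xNEWTOKEN", "feed": "custom:0xFEED"}, fresh, now))
    out["oracle_allowlisted"] = p.evaluate(TxIntent("register_oracle", "vault-A",
                                                    {"token": "0xNEWTOKEN", "feed": "chainlink:ETH-USD"}, fresh, now))
    # Three 40,000-unit withdrawals in one window: the third pushes the total past 10% of TVL.
    out["withdrawals"] = [p.evaluate(TxIntent("withdraw", "vault-A", {"amount": 40_000}, {}, now + i))
                          for i in range(3)]
    return out


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(name, verdict)
```

The engine is only as good as its placement: it has to be the co-signer, HSM policy or signing-wallet plugin that sees the exact payload, and the approval timestamps it checks have to be bound to that payload's hash, otherwise a compromised front end (the Bybit pattern) or a stockpile of pre-signed authorizations (the Drift pattern) never passes through `evaluate()` at all.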

The Laundering Evolution

After the U.S. sanctioned Tornado Cash (2022) and Sinbad.io (2023), DPRK operators shifted laundering flows to cross-chain bridges (primarily THORChain) and exchange-adjacent services like eXch. According to TRM Labs data, bridge-related laundering of stolen funds rose 66% between 2023 and 2025, while mixer-related activity fell 37%.

The Policy Implication

Every mis-audited admin key, every unmonitored RPC node, every engineer who clicks a "portfolio company interview" calendar invite becomes, in a real sense, a line item in North Korea's missile budget. For the industry, 2026 is the year that abstraction became impossible to ignore.

Reporting note: Draws on public disclosures from Chainalysis, TRM Labs, Elliptic, CertiK, Halborn and affected protocols. This is editorial commentary; figures are subject to revision as investigations continue.
