North Korea Has Stolen More Crypto in 18 Months Than Most Nations Hold in Reserves
It is almost unbelievable that a nation struggling to make ends meet also runs one of the world’s most profitable cyber operations. After decades of isolation and sanctions, North Korea has quietly turned into a digital pirate state, and not the kind that makes headlines for a few weeks before disappearing. Its hackers have moved almost USD 4 billion in stolen cryptocurrency over the last 18 months through wallets, bridges, and cross-continental laundering pipelines. According to some accounts, that amount surpasses the foreign exchange reserves of entire countries.
It’s difficult to ignore the pattern. Pyongyang does not operate at a high volume. The figures reveal a more subdued and unnerving tale. 76% of all cryptocurrency hack losses worldwide through the spring of 2026 were caused by two attacks: Drift Protocol in early April and KelpDAO seventeen days later. Only two. Something else caught the attention of TRM Labs investigators: weeks of staging, meticulous protocol signer manipulation, and a final drain carried out in about twelve minutes. Smash-and-grab cybercrime is not typically associated with this level of patience.
| Profile: North Korea’s State-Sponsored Crypto Theft Operations | Details |
|---|---|
| Primary Threat Actor | Lazarus Group (also linked to TraderTraitor and APT38) |
| State Sponsor | Democratic People’s Republic of Korea (DPRK) |
| Cumulative Theft (2017–2026) | Exceeds USD 6 billion across attributed incidents |
| Largest Single Heist | Bybit breach, February 2025 — USD 1.46 billion |
| 2026 YTD Theft (through April) | Approximately USD 577 million |
| Notable 2026 Attacks | Drift Protocol (USD 285M, April 1) and KelpDAO (USD 292M, April 18) |
| Share of All Crypto Hack Losses, 2026 | 76% — from just two attacks |
| Preferred Laundering Channel | THORChain (used heavily for ETH-to-BTC conversion) |
| Year-Over-Year Growth (2024 to 2025) | 51% increase in stolen value |
| International Response | UN Open-Ended Working Group, Multilateral Sanctions Monitoring Team, FATF coordination |
| Tactics Used | Social engineering, fake job offers, RPC poisoning, signer compromise, IT-worker infiltration |
The Bybit hack from February of last year continues to have a lasting impact. It became the biggest cryptocurrency theft in history when USD 1.46 billion disappeared from a cold wallet via a hacked signing interface. Analysts thought that degree of boldness would be unique. It wasn’t. In December 2025, Chainalysis reported that North Korean operators had stolen USD 2.02 billion during the year, a 51% increase from 2024, even though the overall number of incidents hardly changed.
Investigators believe that the way these attacks are conceived has changed. TRM analysts have cautiously begun to speculate that AI tools might be moving into the reconnaissance stage and enhancing social engineering. The Drift breach did not rely on the older strategy of using stolen private keys. Over the course of several months, it exploited people’s trust as well as the technical workings of an intricate protocol. That’s not opportunism; that’s craft.
What happens to the money is a peculiar chapter in itself. THORChain, a decentralized cross-chain swap network, is now the go-to method for turning stolen Ethereum into Bitcoin. The unwillingness of the network’s operators to freeze suspicious transfers has produced a laundering autobahn that moves hundreds of millions of dollars every cycle. After Arbitrum froze USD 75 million, the remaining KelpDAO proceeds changed course almost instantly. A textbook liquidation, carried out with practiced effectiveness.

As expected, South Korea has responded most aggressively. The policy machinery is in motion with new KYC requirements, targeted sanctions, and intelligence-sharing agreements with Washington and Tokyo. It remains to be seen if it can compete with decentralized finance. The MSMT, the new sanctions monitoring body that took the place of the dissolved UN Panel of Experts, has made recommendations, but cross-border enforcement is still, at best, uneven.
Whether the world is witnessing the pinnacle of this campaign or just a turning point is still up for debate. The total amount stolen is currently more than USD 6 billion. For a nation whose total yearly GDP is estimated to be in the low tens of billions, that’s not pocket change; it’s a parallel economy. As you watch this develop, you begin to question whether the openness of cryptocurrency, which was once hailed as its greatest virtue, has actually turned into its most vulnerable aspect.
For now, the hackers don’t seem to care. The wallets continue to move.