CrowdStrike: DPRK-linked crypto theft topped $2B in 2025 despite fewer campaigns
The firm estimates losses rose 51% year over year as attackers prioritized higher-value exchange and Web3 targets.
CrowdStrike estimates North Korea-linked threat actors drove more than $2 billion in cryptocurrency losses in 2025, up 51% year over year. The firm says the jump came even as DPRK-nexus adversaries ran fewer campaigns than in 2024 by concentrating on higher-value targets and deeper infiltration tactics.
Key Takeaways
- DPRK state-affiliated hackers and aligned threat actors were tied to more than $2 billion in crypto losses in 2025, a 51% year-over-year increase.
- By total dollar value stolen, CrowdStrike characterizes DPRK hackers as the “largest” threat group targeting cryptocurrency users.
- Fewer campaigns still produced higher returns versus 2024, pointing to a pivot toward high-value targets rather than higher attack volume.
- Drift Protocol said malware on developer machines led to $280 million in losses after DPRK-affiliated tech workers spent six months building trust that began at a “major” industry conference.
CrowdStrike’s $2B+ DPRK Crypto-Theft Tally for 2025
CrowdStrike’s 2026 Financial Services Threat Landscape report pegs 2025 cryptocurrency losses tied to DPRK state-affiliated hackers and threat actors at more than $2 billion, up 51% year over year.
On CrowdStrike’s framing, this is not a broad-based rise in background noise. The firm labels DPRK hackers the “largest” threat group targeting cryptocurrency users when measured by the dollar amount stolen, putting one state-linked cluster at the center of the loss distribution.
CrowdStrike also links the proceeds to state objectives, writing: “Stolen proceeds are almost certainly laundered to fund the regime’s military programs.”
Fewer Campaigns, Bigger Hauls: The Shift Toward High-Value Targets
The most tradable detail in the report is the efficiency shift. CrowdStrike’s assessment is explicit: “Compared to 2024, DPRK-nexus adversaries conducted fewer campaigns but achieved significantly higher returns by prioritizing high-value targets.”
That combination implies concentration of tail-risk. If fewer operations can still drive a higher annual loss number, the market impact is less about constant low-grade exploit flow and more about occasional, high-conviction hits that can stress venues, freeze withdrawals, or force emergency risk actions.
For traders, that’s a reminder that hack risk expresses as liquidity risk. When the target is high-value infrastructure, the second-order effects tend to show up in spreads, settlement friction, and counterparty haircuts before they show up in any single token chart.
Why Exchanges and Web3 Projects Sit in the Crosshairs
CrowdStrike’s rationale for target selection is straightforward. The firm says DPRK actors focused on Web3 projects and cryptocurrency exchanges because stolen funds can be “cashed out” and transferred with “a greater degree of anonymity than in the traditional financial system.”
The report describes the threat as “a myriad of small hacker groups deploying malware and executing social engineering scams.” In practice, that blend matters because it widens the attack surface beyond smart contract bugs. Social engineering is the manipulation of people into granting access or disclosing information; malware is the tooling that turns that access into credential theft, endpoint compromise, and persistence.
CrowdStrike also references a chart of “the countries most targeted by DPRK hackers,” but the excerpt does not list which countries those were.
Signals to Watch
New disclosures from major exchanges and Web3 projects are the cleanest tell, especially incidents involving developer endpoint compromise, insider access, or contractor permissions that bypass onchain defenses.
More specificity from threat intelligence on which countries or regions were “most targeted” would help risk teams map exposure, since the report excerpt references a chart without naming jurisdictions.
The excerpt also notes that the Ethereum Foundation identified 100 DPRK-backed infiltrators “in April,” but the year is not specified. Pinning down that date matters because it determines how current the remote-hire infiltration pattern is.
Finally, large, sudden outflows from exchange hot wallets or protocol treasuries remain the market-facing signal consistent with the “fewer campaigns, higher returns” pattern.
How This Changes the Risk Map for Traders in 2026
I treat this as a market structure story, not a headline-count story. CrowdStrike is describing a world where fewer operations can still print a bigger annual loss number, which is exactly how tail-risk concentrates. The threshold that matters is whether the next wave of incidents clusters around a handful of high-value venues, because that’s when liquidity and trust get repriced across the stack.
The real test is whether exchange and major Web3 counterparty risk keeps showing up through the same cash-out logic CrowdStrike highlights. If that holds, the setup starts to look structural rather than narrative-driven, and operational security becomes a first-order input into where liquidity is willing to sit and at what spread.