
Why North Korea keeps stealing billions in crypto — out in the open

By Margaux Nijkerk · Published April 12, 2026 · 7 min read · Source: CoinDesk

As North Korea's infiltration tactics grow more sophisticated, security experts say the crypto industry needs to understand what sets the regime apart from every other state-backed hacker — and why that difference makes it a dangerous threat to the ecosystem.

Edited by Nikhilesh De · Apr 12, 2026, 10:00 a.m.

What to know:

North Korea's six-month infiltration campaign at Drift rattled a crypto industry already reeling from billion-dollar exploits.

But as the news settled, a bigger question came into focus: why does North Korea keep coming back to crypto in the first place, and why does its approach look so different from every other state-backed hacking operation on the planet?

The short answer, according to security experts, is that crypto gives the regime a revenue stream that helps keep it afloat.

"North Korea doesn't have the luxury of patience," said Dave Schwed, chief operating officer at SVRN and the founder of the cybersecurity masters program at Yeshiva University. "They're under comprehensive international sanctions and they need hard currency to fund weapons programs. The UN and multiple intelligence agencies have confirmed that crypto theft is a primary funding mechanism for their nuclear and ballistic missile development."

That urgency explains a dynamic that has long puzzled investigators: why North Korean hackers carry out large-scale, traceable heists on public blockchains instead of quietly using crypto to evade sanctions the way other state actors do.

The answer, Schwed argues, is structural. Russia still has an economy: oil, gas, commodity exports, and trading partners willing to use workarounds. It needs crypto as a payment rail, but not for much else. Iran, too, has goods to move — sanctioned oil, proxy financing networks, willing intermediaries across the Middle East. North Korea has almost nothing left to sell.

"Their exports are almost entirely sanctioned. They don't have a functioning economy that needs a payment rail. They need direct revenue," Schwed said. "Crypto theft gives them immediate access to liquid value, globally, without needing a counterparty willing to do business with them."

That distinction — crypto as infrastructure versus crypto as a target — is what separates North Korea not just from Russia, but from Iran as well. While Russia routes money through crypto to work around sanctions, and Iran uses it to fund proxy networks across the Middle East, North Korea is running something closer to a state-sponsored heist operation.

"Their targets are exchanges, wallet providers, DeFi protocols and the individual engineers and founders who have signing authority or infrastructure access," said Alexander Urbelis, chief information security officer at ENS Labs and a professor of cybersecurity at King’s College London. "The victim is whoever holds the keys or access to the infrastructure that holds the keys."

Russia and Iran, by comparison, treat crypto as incidental, a means to broader geopolitical ends.

"Russia targets elections, energy infrastructure and government systems. Iran goes after dissidents and regional adversaries," Urbelis said. "When either of them touches crypto, it's to move money, not to steal it from the ecosystem."

That singular focus has pushed North Korean operatives to adopt tactics more commonly associated with intelligence agencies than criminal hackers: months-long relationship building, fabricated identities and supply chain infiltration.

The Drift campaign is only the most recent example.

"You're not defending against a phishing email from a random scammer," Urbelis said. "You're defending against someone who spent six months building a relationship specifically to compromise one person who has the access you need to protect."

Crypto's own architecture makes it a uniquely attractive hunting ground. In traditional finance, even successful hacks run into friction in the form of compliance checks, correspondent bank checks, settlement delays and the possibility of reversing fraudulent transfers. When North Korea's hackers pulled off the Bangladesh Bank robbery in 2016, the heist took days to process and most of the funds were eventually recovered or blocked. In crypto, none of those safeguards exist at the protocol level.

"Once a transaction is signed and confirmed, it's final," Urbelis said. The Bybit exploit earlier last year moved $1.5 billion in roughly 30 minutes, a pace and scale that would be nearly impossible in the traditional banking system.

That finality fundamentally changes the security calculus. In banking, a reasonable defense can be built across prevention, detection and response, because there's always a window to freeze funds or reverse a wire. In crypto, that window barely exists, which means stopping an attack before it happens isn't just preferable — it's essentially the only option.

And while banks operate under decades of regulatory guidance and audit requirements, many crypto projects are still improvising — often prioritizing speed and innovation over governance and controls.

That gap creates an environment where even sophisticated teams can be vulnerable, particularly to the kind of long-term infiltration tactics North Korea has been refining.

"This is the hardest operational security problem in crypto right now," Urbelis said of the challenge of vetting against sophisticated fake identities and third-party intermediaries. "I don't think the industry has solved it."

Read more: How North Korea's 6-month long secret espionage program has crypto community rethinking security

This article was originally published on CoinDesk and is republished here under RSS syndication for informational purposes. All rights and intellectual property remain with the original author. If you are the author and wish to have this article removed, please contact us at [email protected].
