Cryptocurrency theft has become a huge source of state revenue for North Korea.
Between 2016 and early 2026, threat actors linked to the Democratic People’s Republic of Korea (DPRK) have stolen ~$6.75 billion across 263 documented incidents, security services provider CertiK estimated in a report published Tuesday morning.
The data likely falls short of the actual magnitude, as hundreds of smaller exploits against individuals and early-stage projects remain underreported.
“DPRK actors have consistently targeted humans and supply chain weaknesses rather than smart contract code vulnerabilities,” the report stated. “Across nearly a decade of operations, their primary attack vector has rarely been code. It has almost always been people.”
For example, North Korea’s more than $270 million exploit on Solana-based protocol Drift was six months in the making. It involved Drift contributors physically meeting at multiple industry conferences across several countries with people claiming to be part of a quantitative trading firm.
DPRK actors who siphoned $625 million from the Ronin network in 2022 also used a social element: an exploiter impersonated a job recruiter on LinkedIn and provided a fake offer to an employee at Sky Mavis, the firm backing Ronin, through a PDF infected with malicious spyware.
“They are state employees executing a strategic mandate with the full backing of a nuclear-armed government. Their persistence, resources, and willingness to invest months in a single operation reflect institutional incentives that no criminal enterprise can match,” the report added.
“The fundamental challenge remains: North Korea has weaponized cryptocurrency theft as an essential revenue stream for regime survival. Until that incentive structure changes, the threat will persist and evolve.”
Last month, the decentralized finance ecosystem saw 28 hacks, the highest monthly number of exploits ever, totaling $635.2 million, with the largest coming from Ethereum-native protocol KelpDAO.