North Korean threat actors control 76 percent of cryptocurrency stolen globally in 2026, according to Dark Reading reporting. The actors execute heists at weekly or monthly intervals, targeting exchanges and custodial wallets through coordinated campaigns. Evidence suggests artificial intelligence tools assist in reconnaissance, social engineering, and exploit development, accelerating the pace and scale of theft operations.
Defenders tracking these campaigns report consistent patterns. Attackers exploit unpatched vulnerabilities in exchange infrastructure, deploy credential harvesting attacks against employees, and maintain persistent access through supply chain compromises. The stolen funds flow through layered mixers and cross-chain bridges before reaching North Korean-controlled wallets, complicating asset recovery.
The volume marks a departure from previous years. Analysts attribute the increase to three factors. First, North Korean programs formalized cryptocurrency theft as a state-revenue operation. Second, recruitment of skilled developers from Russia and Eastern Europe expanded technical capacity. Third, AI-assisted tooling reduced manual workload per campaign, enabling parallel attacks.
Organizations holding significant cryptocurrency should assume targeting. Implement hardware wallet custody, enforce MFA on all exchange accounts, monitor blockchain transaction patterns for known mixing addresses, and segment exchange infrastructure from general networks.