[Chart: 76% of stolen crypto in 2026 is in DPRK wallets. Annual, USD, illustrative; 2017 to 2026. Source: darkreading.com]
// News Desk · 02 May 2026 · nation state · crypto · fraud · commentary

76% of stolen crypto in 2026 is now in North Korea

Three heists, eighteen days, $575M to Pyongyang. TRM Labs says 76% of stolen crypto in 2026 is now funding North Korea, and AI is collapsing the social-engineering ramp.

The TRM Labs number is the headline: of all the cryptocurrency stolen so far in 2026, 76% is now sitting in DPRK-controlled wallets. In 2025 the figure was around two-thirds. For most of the previous decade it hovered around a third. The line is going up steeply, and not for the obvious reason.

North Korea is not carrying out 76% of the attacks. It is carrying out a small number of the most lucrative ones. Three heists between February 2025 and April 2026 account for the bulk of the picture: $1.5 billion lifted from ByBit by the FBI-tracked cluster TraderTraitor (Jade Sleet, UNC4899); $285 million taken from Drift, a leveraged-trading platform, by Citrine Sleet (AppleJeus, Labyrinth Chollima, UNC4736) on 1 April 2026; and another $292 million from Kelp, a DeFi staking platform, by TraderTraitor on 18 April. Drift and Kelp together: $575 million in eighteen days, taken by two separate DPRK clusters.

The attack chains varied. The shape did not. Each one was a long, patient social-engineering operation built around fake recruiters and fake job offers, ending with a developer running malicious code or signing a poisoned transaction inside a system whose governance could not react fast enough to undo it. Bradley Smith of BeyondTrust, quoted in the Dark Reading piece, names the structural problem accurately: DeFi protocols are handling nation-state-scale value with startup-scale security architecture, and most of these platforms are deliberately designed so that a transaction, once executed, cannot be reversed.

What has changed is that the social-engineering ramp has got cheaper. TRM cites a 500% increase in AI-assisted scams over the past year. The constraints that historically slowed DPRK operators — second-language English, the time required to build a credible persona, the cost of personalising a phishing payload one target at a time — have collapsed almost entirely. A single state operator can now run convincing first-contact conversations with hundreds of targets in parallel, and the operational discipline already exists to follow each one through to a signed transaction.

For defenders the lesson is not really about crypto. The DPRK’s playbook here — recruit, social-engineer, get a developer to execute, exfiltrate before the network can react — is the same playbook that works against any high-trust internal estate. The reason it pays off so well in DeFi is that the systems being attacked were architected for permissionless speed, not for trust verification. They cannot pause, claw back, or freeze a transaction once it settles on-chain. That property is specific to the asset class. The reconnaissance, persona-building and access tradecraft is not.

The defender lens, then, is tedious but unavoidable. Identity boundaries around developers and high-privilege engineers. Hard separation between developer machines and any infrastructure that holds signing keys or production credentials. Detection on the long-tail social-engineering vectors that don’t show up in email gateways — LinkedIn DMs, Telegram, recruiter calls, fake interview platforms. And an honest acceptance that the AI-assisted phishing curve is still in its first innings; the templates that look convincing today will look crude in a year.

The DPRK regime’s crypto programme is, at this point, the most successful state-sponsored fundraising operation in modern history, funding a nuclear weapons programme via wallets that no clearing bank can freeze. Two private companies losing $292M apiece in eighteen days are, in financial terms, recoverable as accounting events. They are not recoverable as geopolitical ones.
