North Korea has laundered billions of dollars stolen in cryptocurrency hacks and is now moving toward physical infiltration tactics, according to a new report from blockchain security firm CertiK. The warning signals a significant escalation in how the regime targets the crypto industry — one that goes beyond remote exploits and into the realm of in-person operations.
What the report says
CertiK’s analysis, released this week, details how North Korean-linked groups have moved vast sums of stolen crypto through mixers, bridges, and exchanges. But the bigger takeaway is the shift in method. The firm says Pyongyang is increasingly relying on physical infiltration — planting operatives inside crypto firms, bribing employees, or coercing insiders — to bypass digital defenses. The report doesn’t name specific incidents, but the pattern is clear: the regime is adapting as the industry tightens its cybersecurity.
The timing isn’t coincidental. Crypto exchanges and decentralized finance platforms have spent the last two years shoring up code audits and bug bounty programs. That made pure remote hacking harder. So North Korea is going after the human layer instead. If a state actor can place someone inside a target’s office — or persuade a staffer to turn — the best smart-contract review in the world won’t stop the leak. CertiK’s report is a reminder that crypto security can’t end at the command line.
What comes next
CertiK hasn’t published its full methodology or a list of affected firms, but the implication is that crypto companies need to start thinking like banks — vetting hires, monitoring physical access, and treating internal data like a crown jewel. Expect regulators to take notice. The U.S. Treasury has already sanctioned crypto wallets tied to North Korea. A shift to physical tactics could prompt new rules on employee background checks or mandatory security protocols for exchanges holding large amounts.
