North Korea’s Foreign Ministry this week blasted accusations of state-backed cybercrime as “absurd slander,” rejecting a fresh wave of evidence tying Pyongyang to the lion’s share of crypto hacks in 2026. The denial comes just days after blockchain analytics firm TRM Labs reported that DPRK-linked actors were responsible for roughly 76% of all crypto hack losses recorded through April — a figure driven by two major DeFi exploits that together cost about $577 million.
A $2 billion annual problem
The TRM report pegs DPRK-linked losses at roughly $2.02 billion in 2025 alone, including the $1.5 billion Bybit heist that the FBI attributed to the North Korean cyber group TraderTraitor. This year’s tally through April is already substantial, fueled by the hacks of Drift and KelpDAO. Both incidents were publicly attributed by multiple security firms to DPRK-aligned threat actors. The numbers paint a clear picture: despite international sanctions and increased industry vigilance, North Korea’s cyber operations remain the single biggest source of crypto theft globally.
The IT worker pipeline
Beyond direct exploits, the Ketman Project this year identified roughly 100 suspected DPRK IT workers embedded across 53 different crypto projects. These workers used forged identities and AI-generated profile photos to infiltrate legitimate teams. In March, the U.S. Treasury’s Office of Foreign Assets Control sanctioned six individuals and two entities linked to those schemes. Industry insiders say the practice is hard to root out because applicants often look legitimate on paper, and small teams lack the resources for deep background checks.
What Pyongyang says
North Korea’s Foreign Ministry fired back, accusing the United States of conducting “indiscriminate cyber operations” and claiming that Washington is the world’s greatest cyber victim. The statement, carried by state media, vowed that Pyongyang “will actively take all necessary measures to defend state interests and citizens’ rights in cyberspace.” There was no mention of the specific exploits or the TRM data. For now, the denial is boilerplate — but with a new sanctions round and mounting forensic evidence, the standoff shows no signs of easing.




