North Korean Hackers Stole $2.02 Billion in Crypto in 2025, CrowdStrike Report Says

North Korea-linked hackers stole $2.02 billion in cryptocurrency in 2025, a 51% increase from the year before, according to CrowdStrike's 2026 Financial Services Threat Landscape Report. The cybersecurity firm's findings detail how Pyongyang's cyber groups — including FAMOUS CHOLLIMA and STARDUST CHOLLIMA — increasingly leaned on artificial intelligence to expand their reach, using AI-generated identities and fabricated video meeting environments to breach crypto exchanges, fintech firms, and even retail banks.

How AI opened the door

CrowdStrike's report singles out FAMOUS CHOLLIMA for doubling its activity by deploying AI-generated identities to infiltrate targets. STARDUST CHOLLIMA went further, building AI-created recruiter profiles and faking entire video meeting setups to trick employees at fintech companies across North America, Europe, and Asia. The tactics let the groups bypass traditional vetting and gain inside access to sensitive systems.

Financial sector under siege

The report paints a broad picture of pressure on the industry. CrowdStrike counted 423 financial services victims on dedicated leak sites during the reporting period — a 27% annual increase. Hands-on-keyboard intrusions globally rose 43%, with North America seeing a 48% spike. By the first quarter of 2026, financial services had become the fourth-most-targeted sector, accounting for 12% of all recorded activity.

Separate data from TRM Labs puts the DPRK-linked haul even higher for part of the year: roughly $577 million stolen from Drift Protocol and KelpDAO alone through April 2025. The broader CrowdStrike numbers suggest the pace only accelerated after that.

Pyongyang pushes back

North Korea has rejected the allegations. Its state news agency KCNA issued a denial — a familiar response each time new evidence emerges. The denial doesn't change the pattern of activity that security firms and blockchain analysts have tracked for years.

The CrowdStrike report lands at a moment when regulators and exchanges are already grappling with how to screen for deepfake identities and synthetic media in know-your-customer checks. The documented use of those exact techniques by state-backed groups adds urgency to that work.