


North Korean hackers stole $643 million in cryptocurrency in the first half of 2026, a report by TRM Labs said, accounting for roughly two-thirds of all crypto funds stolen worldwide. File Photo by Stephen Shaver/UPI
North Korean-linked hackers stole roughly $643 million in cryptocurrency during the first half of 2026, accounting for about two-thirds of all crypto funds stolen worldwide, according to a new report by San Francisco-based blockchain analysis firm TRM Labs.
Nearly 90% of North Korea’s stolen proceeds — about $577 million — came from just two attacks on decentralized finance platforms in April, the report said.
On April 1, North Korean-linked hackers drained $285 million from Drift, a Solana-based decentralized futures exchange. Later in the month, hackers believed to be connected to North Korea’s Lazarus Group stole $292 million from KelpDAO, a DeFi platform that allows users to earn yield on cryptocurrency deposits.
The report, released this week, tracked a record 207 cryptocurrency hacks during the first six months of the year. Total losses, however, fell to $972 million from $2.3 billion during the same period in 2025, largely because there were fewer massive thefts.
Although North Korea’s haul was down from the roughly $1.7 billion stolen during the first half of 2025, TRM Labs said the decline did not indicate a reduced threat.
“North Korea’s activity has not slowed,” the report said. “The difference is that the rest of the ecosystem experienced fewer large-scale thefts than in 2025. A single successful operation against a major target can still outweigh months of losses from every other attacker combined.”
Lazarus, a North Korean state-backed hacking group, has been linked to a string of increasingly sophisticated cryptocurrency thefts. In February 2025, the group stole about $1.5 billion from cryptocurrency exchange Bybit in what is widely considered the largest such heist in history.
Authorities say such operations are a key source of revenue for North Korea, which faces sweeping international sanctions over its nuclear weapons and ballistic missile programs.
A now-disbanded U.N. panel of experts estimated in a 2024 report that illicit cyber activity accounted for about 40% of funding for Pyongyang’s weapons programs.
The U.S. Treasury Department said in November that North Korea had stolen more than $3 billion over the previous three years through cyberattacks targeting financial institutions and cryptocurrency platforms.
Pyongyang has also turned to other forms of cybercrime to raise funds, including using remote IT workers to gain employment at Western companies under fabricated identities.
“North Korea continues to generate cryptocurrency through other illicit activity, including phishing campaigns, social engineering, fraud, scams and covert IT worker operations,” the report said. “As a result, the USD 643 million reflected here represents only one portion of its overall crypto revenue.”
The findings come as the United States and its allies are stepping up efforts to combat North Korea’s cyber threats.
In June, Group of Seven leaders flagged North Korea’s illicit cyber activity as a major global security concern, adding the issue to their joint statement on geopolitical issues for the first time.
“We reiterate the need to jointly address North Korea’s cryptocurrency thefts and cybercrimes,” the G7 statement said.
Last week, the United States, Japan and South Korea held the fifth meeting of a trilateral working group on North Korea’s cyber threats in Washington.
“Participants reiterated the importance of continued law enforcement cooperation and coordination to strengthen enforcement of international sanctions against the DPRK to prevent malicious cyber activity and illicit revenue generation,” a U.S. State Department spokesperson said.
The Democratic People’s Republic of Korea is the official name of North Korea.