North Korea Stole $2 Billion Last Year. Financial Firms Are Next. Here's How the New AI-Powered Heists Work.
WASHINGTON — May 18, 2026 — On February 21, 2025, a cryptocurrency exchange called Bybit processed a routine transaction. Or, rather, it appeared routine. Behind the interface, a North Korean hacking cell known as TraderTraitor had compromised a third-party signing provider, manipulating the multisig wallet infrastructure to approve a series of transfers that should never have occurred. By the time anyone understood what had happened, $1.5 billion in digital assets had been drained — the largest theft in the history of cryptocurrency, larger than the Ronin Bridge exploit, larger than the Poly Network hack, larger than any bank robbery ever attempted. It took the attackers minutes. It took the FBI weeks to confirm what investigators already knew: the fingerprints were Pyongyang's.
The Bybit heist was not an anomaly. It was an escalation. And fourteen months later, the escalation has become a pattern.
Two new reports — one from blockchain security firm CertiK's Skynet unit, the other from cybersecurity giant CrowdStrike — paint a picture of a threat landscape that has fundamentally changed in ways most financial institutions have not yet absorbed. North Korean cyber operations have been "industrialized" into a state revenue mechanism that now generates more hard currency than any export program the sanctioned country runs. The numbers are staggering: $6.75 billion stolen across 263 documented incidents since 2016. $2.06 billion in 2025 alone — roughly 60 percent of all cryptocurrency theft worldwide that year. A 51 percent year‑over‑year increase according to CrowdStrike. And in the first four months of 2026, another $620 million.
These are not random figures from a scattered criminal underground. They are the output of an organized state enterprise that employs approximately 7,000 people, operates on 15‑hour shifts six days a week, and now deploys artificial intelligence to generate synthetic identities, deepfake video conference appearances, and automated reconnaissance at a cost approaching zero.
The Anatomy of an Industrial Operation
The CertiK report, released May 12, describes an operational model that has evolved from opportunistic code exploitation into something resembling a national intelligence agency's cyber division — because that is effectively what it is. The Lazarus Group, the umbrella hacking organization, operates under the Reconnaissance General Bureau, North Korea's foreign intelligence service. Its roughly 7,000 personnel are organized into specialized cells: SquidSquad for initial access, TraderTraitor for exchange-level attacks, Labyrinth Chollima for long‑term financial infiltration, and multiple smaller units focused on specific geographies or sectors.
The operational tempo is relentless. CrowdStrike's 2026 Financial Services Threat Landscape Report, released May 14, found that North Korean adversaries tripled their attack pace in 2025 compared with the previous year. They are now, by CrowdStrike's assessment, "the most prevalent state-sponsored intrusion threat" facing financial firms globally. From April 2025 through March 2026, financial services became the fourth-most-targeted industry worldwide, accounting for 12 percent of all intrusion activity tracked by the company. Interactive intrusions — hands‑on‑keyboard attacks where adversaries actively maneuver within compromised networks — rose 43 percent globally over the past two years, with a 48 percent spike in North America alone.
What makes the North Korean threat distinct from other state-sponsored cyber activity is its singular focus on revenue generation. Chinese espionage groups steal data and intellectual property. Russian ransomware gangs extort hospitals and infrastructure. North Korean hackers steal money — specifically, cryptocurrency — because cryptocurrency is the only form of value that can be stolen remotely, moved across borders without intermediaries, and converted into hard currency through networks of accomplices and unwitting brokers, all while the country remains severed from the global banking system by sanctions.
The CertiK report details how this laundering infrastructure now operates at industrial scale. Within one month of the Bybit hack, 86.29 percent of stolen ETH had been converted to Bitcoin using a cascading sequence of mixers, cross‑chain bridges, decentralized exchanges, and over‑the‑counter brokers. The destination is always the same: the regime's military and nuclear programs. The United Nations has repeatedly documented the pipeline connecting stolen crypto to ballistic missile development. The FBI has issued multiple public service announcements linking specific North Korean cyber cells to thefts that fund weapons proliferation.
The Human Attack Vector
If there is a single finding in the new reports that financial institutions should be losing sleep over, it is this: the primary attack vector is no longer code. It is people. More specifically, it is trust.
The CertiK analysis of the three largest North Korean-linked hacks — Ronin ($625 million), Bybit ($1.5 billion), and Drift Protocol ($285 million) — found that none of them exploited a vulnerability in smart contract code. All three began with human manipulation: a fake job offer with a malicious PDF masquerading as a salary adjustment, a compromised third‑party supplier with valid credentials, an infiltrated developer who spent six months building genuine relationships within a DeFi team.
The Drift Protocol attack, which occurred in early April 2026, represents the new model in its most sophisticated form. CertiK found that DPRK operatives spent half a year attending offline industry conferences, establishing trust through real funds and face‑to‑face interactions, before executing their attack. Physical infiltration — the kind of tradecraft once associated with Cold War espionage — has been grafted onto digital theft, and the combination has proven extraordinarily difficult to defend against.
CrowdStrike's report identifies specific subgroups that have accelerated this shift. FAMOUS CHOLLIMA doubled its operational tempo by using AI‑generated identities to infiltrate cryptocurrency exchanges and retail banks. STARDUST CHOLLIMA deployed AI‑created recruiter profiles and fabricated video meetings — complete with deepfake avatars — to target fintech companies globally. UNC1069, a newer North Korea‑linked threat actor identified by multiple security vendors, has used AI‑generated deepfake video, fake conference invitations, and an arsenal of at least seven distinct malware families to bridge social engineering and technical compromise.
Adam Meyers, CrowdStrike's head of counter‑adversary operations, noted that AI has reduced the cost of creating convincing synthetic identities to "near zero." That structural shift has profound implications. In the past, a sophisticated spear‑phishing campaign required a team of intelligence analysts, linguists, and graphic designers to build credible personas. Now, a single operator with access to generative AI tools can produce the same output in hours. The barrier to entry for advanced social engineering has collapsed, and the regime with the most to gain from exploiting that collapse has moved fastest to adopt the tools.
The Drift Protocol attackers, according to blockchain intelligence, are now laundering their stolen funds using a combination of cross‑chain bridges, decentralized exchanges, and over‑the‑counter brokers. Within a single week of the heist, the stolen assets had already been bridged to Bitcoin and mixed through protocols designed to obscure transaction trails. The laundering infrastructure is as sophisticated as the attack infrastructure, and it operates continuously, handling the flow from multiple simultaneous operations.
Ripple, the cryptocurrency payments firm, responded in early May by sharing high‑confidence threat intelligence on DPRK actors with the Crypto Information Sharing and Analysis Center, or Crypto ISAC. The data includes enriched profiles of suspected IT workers and operatives — complete with LinkedIn details, emails, phone numbers, locations, and cross‑company connections — along with fraud‑linked wallets, malicious domains, and active indicators of compromise. Ripple framed the move as a shift "from silos to collective defense," a recognition that a threat actor rejected by one company's background check will simply apply to three more firms the same week.
The IT Worker Pipeline
The most insidious component of the North Korean cyber operation is not a hack at all. It is a hiring pipeline. Thousands of North Korean IT workers, operating under fabricated identities and often with the assistance of complicit third‑party facilitators, have infiltrated Western companies — particularly in the cryptocurrency and fintech sectors — as remote developers, contractors, and support staff.
These workers, according to an EisnerAmper security advisory released May 8, create synthetic personas across professional networking sites, gig economy platforms, developer communities, and code‑challenge sites. They build credible histories. They rent verified accounts. They pass initial screening interviews, sometimes with the help of deepfake video. Once embedded, they exfiltrate source code, install backdoors, steal credentials, and funnel both their salaries and internal system access back to the regime.
A blockchain analysis conducted by security researchers traced IT worker salary payments through a seven‑layer laundering pipeline: funds routed from 131 source addresses through DeFi protocols, no‑KYC exchanges, and cross‑chain bridges before consolidating in a single DPRK‑controlled wallet. Every dollar a North Korean IT worker earns from a Western employer is, functionally, a dollar contributed to the regime's military budget.
The FBI has charged four North Korean nationals in schemes involving IT worker infiltration and theft. The State Department has offered a $7 million reward for information leading to the arrest of Sim Hyon‑sop, an alleged financial fixer for Kim Jong‑un's regime. But the scale of the operation — thousands of workers, hundreds of companies, years of infiltration — has outpaced the law enforcement response.
What Comes Next
The convergence of AI‑generated identities, industrialized social engineering, and physical infiltration represents a threat that traditional cybersecurity defenses were never designed to counter. Firewalls block ports. Code audits find vulnerabilities. Multi‑factor authentication thwarts credential stuffing. None of these prevent an attacker who has spent six months building genuine relationships with your team, who appears as a legitimate employee in your Slack channels, and whose deepfake‑enhanced video calls pass casual scrutiny.
CertiK's recommendations for the industry are specific: implement "zero trust" hiring models that assume every remote contractor could be a state actor until proven otherwise, strengthen third‑party supply chain verification beyond standard vendor questionnaires, and establish fund circuit‑breaker mechanisms that can halt transactions when anomalies are detected. CrowdStrike advocates for AI‑powered threat hunting, behavioral analytics, and continuous monitoring of session activity — tools that can detect the subtle anomalies that indicate a compromised insider, even when that insider appears to be an ordinary employee.
But the deeper challenge is structural. North Korea's cyber operations exist because they work, and they work because the global financial system has not adapted to a world in which a sovereign state operates an industrialized theft apparatus targeting private companies. The sanctions regime that isolates North Korea from traditional banking is also what drives the regime toward cryptocurrency theft as an alternative. The decentralized architecture that makes blockchain attractive to legitimate users also makes it attractive to state‑sponsored thieves. The remote‑work revolution that enabled global talent pools also enabled a state actor to embed its operatives inside Western companies with unprecedented ease.
The $6.75 billion figure in the CertiK report almost certainly understates the true scope. Smaller attacks targeting individuals and early‑stage projects go unreported. IT worker salaries funneled through laundering pipelines are not counted as theft. And the pace is not slowing. In the first four months of 2026, DPRK‑linked actors have already stolen $620 million, led by the $291 million KelpDAO exploit in April and the $285 million Drift Protocol heist weeks earlier. The summer months, historically the most active period for cryptocurrency theft, have not yet begun.
North Korea, for its part, dismissed the reports as "absurd slander" in a Korean Central News Agency article on May 3, accusing the United States of manufacturing a "nonexistent cyber threat" as part of a hostile campaign against Pyongyang. The denial arrived roughly two weeks after a DPRK‑linked hacking cell allegedly stole $290 million from KelpDAO, the year's largest single crypto heist. The evidence, independent researchers say, speaks for itself.
The United Nations has estimated that North Korea's nuclear and ballistic missile programs require roughly $1 billion to $2 billion annually in hard currency — money the regime cannot access through legitimate trade. Cryptocurrency theft now funds a significant portion of that budget. The Bybit heist alone could have paid for an entire year of missile testing. The $2 billion stolen in 2025 could have funded the program twice over.
For American financial institutions, the message in the new reports is unambiguous. The adversary has industrialized. It has adopted AI. It has moved beyond code exploitation into the exploitation of human trust. It is not deterred by sanctions, not constrained by geography, and not slowing down. The question is no longer whether North Korean operatives will attempt to infiltrate a given financial firm. The question is whether the firm will detect them when they do.