February 21, 2026, marks a year since North Korean cybercriminals executed the largest cryptocurrency theft in history, stealing approximately $1.46 billion from Dubai-based exchange Bybit. The incident set a precedent for future attacks, with these groups continuing to target the global cryptocurrency industry.
Over the past year, DPRK-affiliated operatives have intensified their efforts, stealing a record $2 billion in cryptoassets in 2025 alone and bringing their cumulative total to over $6 billion. These funds are suspected to support North Korea’s nuclear weapons and missile development programs. The pace has not slowed: the number of exploits recorded in January 2026 was double that of the previous year.
Ongoing Threats and Tactics
Research by Elliptic highlights that social engineering remains the primary method of attack in all major incidents linked to DPRK, from the Bybit breach to more recent exploits. Despite the technical prowess required for these operations, human error is often the initial point of entry. Attackers now employ AI to create highly convincing fake identities and communications, complicating detection efforts.
The laundering of funds from the Bybit breach involved refund addresses, the creation of worthless tokens, and diverse mixing services, with much of the money passing through suspected Chinese over-the-counter trading services. By August 2025, over $1 billion had already been processed, marking a pivotal moment that only escalated these cyber campaigns.
Expanding Attack Surface
The threat landscape has expanded beyond crypto exchanges, now targeting developers and contributors within the crypto infrastructure. These individuals and organizations are at increasing risk as North Korean operatives refine their strategies to exploit vulnerabilities.
Two persistent campaigns, DangerousPassword and Contagious Interview, exemplify the regime’s tactics. DangerousPassword begins with a compromised social media account contacting the target, often referencing a shared past event, and suggesting a video call. Victims are then tricked into installing malware disguised as a software development kit, which captures sensitive information.
Contagious Interview lures victims with fake job opportunities, asking them to complete a technical skills test by running code from a repository in which malware has been hidden. Combined, these campaigns generated $37.5 million between January and mid-February 2026. Running infected code on company devices poses significant risks to entire organizations.
Mitigation and Future Outlook
To mitigate such threats, organizations are advised to verify all software installation requests, carefully evaluate the identities of remote contributors, and treat unsolicited job offers with skepticism. Continued vigilance is essential as these cyber threats evolve and intensify.
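The advice above (verify installation requests, do not run a "skills test" repository on a work machine without checking it first) can be turned into a routine pre-execution triage step. The script below is an added example written for this article, not code from the article, from Elliptic, or from any campaign analysis. It scans a checked-out repository for two things a practitioner would want flagged before running anything: package-manager hooks that execute code at install time, and long base64-like literals fed to dynamic execution. The indicator set, the 120-character threshold, and the sample repository it builds in a temporary directory are all constructed for illustration.

```python
"""Pre-execution triage of an untrusted code repository.

Added example, not from the original article. Before anyone runs a
"technical test" repository on a company device, scan it for code that
would execute outside the obvious entry point. The indicators and the
threshold below are assumptions chosen for illustration, not a published
rule set, and the sample repository is constructed, not a real artefact.
"""
import json
import re
import tempfile
from pathlib import Path

# npm lifecycle scripts that run during `npm install`, before anyone reads the source.
INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# A long base64-looking string literal: a common way to embed a hidden second stage.
B64_BLOB = re.compile(r"['\"]([A-Za-z0-9+/]{120,}={0,2})['\"]")

# Calls that turn a decoded string into running code or spawn a process.
DYNAMIC_EXEC = re.compile(r"\b(eval|Function|exec|execSync|spawn|child_process)\b")

SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".py"}


def scan_repo(root):
    """Return a list of (relative_path, indicator) findings for a checked-out repo."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == "package.json":
            try:
                manifest = json.loads(path.read_text(encoding="utf-8"))
            except (json.JSONDecodeError, UnicodeDecodeError):
                findings.append((rel, "unparseable package.json"))
                continue
            scripts = manifest.get("scripts", {}) if isinstance(manifest, dict) else {}
            for hook in sorted(INSTALL_HOOKS & set(scripts)):
                findings.append((rel, f"install-time hook: {hook}"))
        elif path.suffix in SOURCE_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            has_blob = B64_BLOB.search(text) is not None
            if has_blob:
                findings.append((rel, "long base64-like literal"))
            if has_blob and DYNAMIC_EXEC.search(text):
                findings.append((rel, "dynamic execution near encoded blob"))
    return findings


def triage(root):
    """Scan and return a decision: findings plus whether to run outside a sandbox."""
    findings = scan_repo(root)
    return {
        "findings": findings,
        "safe_to_run_unsandboxed": len(findings) == 0,
    }


def build_sample_repo():
    """Create a constructed sample 'coding challenge' repo in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="skills-test-"))
    (root / "package.json").write_text(json.dumps({
        "name": "coding-challenge",
        "scripts": {"test": "node test.js", "postinstall": "node setup.js"},
    }), encoding="utf-8")
    # Benign-looking entry point the candidate is told to run.
    (root / "test.js").write_text("console.log('running tests');\n", encoding="utf-8")
    # Constructed placeholder blob (160 base64 characters), decoded and eval'd at install.
    blob = "QUJD" * 40
    (root / "setup.js").write_text(
        f"const p = '{blob}';\n"
        "eval(Buffer.from(p, 'base64').toString());\n",
        encoding="utf-8",
    )
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    result = triage(repo)
    for rel, indicator in result["findings"]:
        print(f"{rel}: {indicator}")
    print("safe to run unsandboxed:", result["safe_to_run_unsandboxed"])
```

Run it with no arguments and it triages the constructed sample; point `triage()` at a real checkout to use it as a gate. A clean result is not proof of safety, only the absence of these particular indicators, so the decision it returns is whether the repository may skip the sandbox, not whether it may be trusted.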
