
CertiK's Skynet report finds North Korea-linked groups accounted for 60% of all crypto losses in 2025, as tactics evolve from phishing to embedding operatives inside target organizations. The shift forces DeFi teams to treat hiring as a security control equal to code audits.
Alpha Score of 61 reflects moderate overall profile with strong momentum, strong value, weak quality. Based on 3 of 4 signals – score is capped at 90 until remaining data ingests.
Blockchain security firm CertiK attributes $2.06 billion of the crypto industry’s $3.4 billion in 2025 security losses to hackers linked to North Korea. The figure represents 60% of all losses for the year, concentrated in just 79 of 656 documented incidents. State-backed groups pulling off 12% of the attacks walked away with a majority of the money.
The Skynet DPRK Crypto Threats Report, shared with Cointelegraph on Tuesday, lays out an escalating campaign. Between 2016 and early 2026, North Korean hacking groups stole approximately $6.75 billion in digital assets across 263 incidents. CertiK itself cautions the true total is likely higher. And 2026 is not starting any better. Through the early part of the year, DPRK hackers have already claimed $620.9 million of the $1.1 billion in crypto losses reported, led by a $291 million exploit targeting KelpDAO.
The proceeds are funneled directly into North Korea’s nuclear and ballistic missile programs. Crypto theft has become, in CertiK’s assessment, a state-managed revenue source operating at an unprecedented scale. The most important development in the new report, however, is a tactical shift that changes the threat model for every team in crypto market analysis.
The lopsided ratio is the core market signal. Across the entire crypto market, 656 security events were recorded in 2025. The 79 tied to the DPRK produced 60% of the dollar value lost. This concentration means the industry’s aggregate security numbers are not driven by a rising tide of amateur exploits. They are driven by a small group of state-backed actors who steal big, repeatedly.
Key insight: The real vulnerability is not the volume of exploits. It is the sophistication of the most dangerous actors, who now operate with a near-industrial capability to move and convert stolen funds.
The average loss per DPRK-linked incident in 2025 was roughly $26 million, far outpacing the less than $5 million average across non-DPRK cases. For protocol operators and treasury managers, the exposure is binary: either your platform is in their sights, or it is not. The odds of being targeted may be low, while the financial consequences of a successful breach are catastrophic.
The systematic nature of the operation sets it apart from typical cybercrime. These are not independent criminal rings cashing out for personal profit. CertiK’s report traces a pipeline that directly converts stolen digital assets into hard currency supporting Pyongyang’s weapons programs. The scale – $6.75 billion over a decade – rivals the foreign-currency earnings of some mid-sized national export sectors. That funding structure creates a durable incentive to keep refining attack methods, regardless of how many defenses the industry builds against known exploits.
The threat model is shifting in a way that renders many standard security checklists incomplete. CertiK identifies a clear pivot toward social engineering, supply chain attacks, and physical infiltration. DPRK operatives are now embedding themselves inside target organizations, posing as legitimate employees or contractors to gain insider access.
The old playbook relied on tricking users into handing over private keys or exploiting smart-contract bugs. The new playbook exploits the trust and access granted through a standard hiring process. An operative who passes a background check using synthetic identity documents – complete with a plausible work history and faked references – can sit inside a development team for weeks or months before striking.
This is not a hypothetical scenario. The CertiK report describes the tactic in operational terms. DPRK-linked individuals apply for remote engineering roles, often targeting crypto-native projects that prize speed of hiring over institutional-grade vetting. Once inside, they gain access to internal repositories, deployment keys, and multisig processes. The theft may not be executed immediately. The operative can map internal controls, identify the weakest multi-signature threshold, and wait for a moment when the team is distracted by a product launch or governance vote.
What this means: The breach is no longer triggered by a user’s mistake. It is triggered by an organization’s internal hiring decision, which turns every developer onboarding into a potential single point of failure.
For DeFi protocols, the operational risk has shifted from code quality to personnel integrity. A Ethereum virtual machine audit will catch a reentrancy bug. It will not catch a senior contributor who is on Pyongyang’s payroll.
The Bybit hack provides a case study in operational speed once an infiltration pays off. According to the Skynet report, 86% of the ETH stolen in that incident was laundered into BTC in under a month. The conversion happened through a combination of mixers and exchanges, making recovery extraordinarily difficult.
The speed and volume suggest well-established off-ramps that can absorb large positions without excessive slippage or triggering exchange freezes. Moving that much Bitcoin through mixers in a matter of weeks requires pre-arranged liquidity channels, likely involving multiple intermediaries across jurisdictions with weak enforcement.
This laundering velocity undercuts the standard industry assumption that stolen funds can be frozen before they exit the ecosystem. If 86% of a haul can be converted within the first month, the window for exchange blacklisting or inter-protocol coordination is narrow. The operational tempo favors the attacker.
The infiltration angle rewrites the threat model for any protocol holding significant total value locked (TVL). A technical exploit leaves a code trail. An insider threat leaves a far messier set of indicators – login timestamps, repository access logs, and behavioral anomalies that many smaller teams lack the tooling to detect in real time.
A smart-contract audit from a reputable firm addresses deterministic vulnerabilities. It does not address a developer who has legitimate commit rights and uses them to insert a backdoor after the audit is complete. The gap between audit and deployment is now the critical threat surface. Continuous monitoring of code changes, mandatory code review from multiple anonymous reviewers, and separation-of-duty controls around deployment keys become essential. These are enterprise-grade security practices that most DeFi startups do not implement on day one.
Practical rule: Any protocol with over $100 million in TVL should treat its hiring process as a security control equal to its smart-contract audit pipeline. A single vetted hire who can approve a contract upgrade is more dangerous than an unvetted smart contract.
The shift also changes the risk calculus for governance token holders. A proposal that grants emergency upgrade powers to a core team – even for legitimate reasons – now carries the added risk that a compromised team member could abuse that power. Governance forums must weigh concentration of authority against the newly documented threat of physical infiltration.
The path of this risk vector is highly sensitive to a few concrete variables. The following scenarios describe what pushes the exposure higher and what begins to reduce it.
The CertiK report makes clear that the threat is not static. The groups behind these thefts adapt faster than many protocol security teams patch. The shift to infiltration is the next logical step for a state-run operation that treats crypto theft as a line item in its defense budget. For anyone running a protocol, managing a treasury, or governing a DAO, the question is not whether your code is secure. It is whether your hiring pipeline is secure enough to keep a state-sponsored operative from walking through the front door.
Prepared with AlphaScala editorial tooling from the source reporting linked above. Indexable analysis may include a cited Alpha Score value. Publishing checks screen each story before release. Educational coverage, not personalized advice.