
CertiK's new report shows DPRK-linked groups stole 60% of all crypto hacked in 2025, now using physical infiltration to bypass digital defenses.
North Korea-linked hacking groups stole $2.06 billion in cryptocurrency in 2025, accounting for roughly 60% of the $3.4 billion lost to hacks industry-wide, according to a new report from blockchain security firm CertiK. The report documents a tactical shift that changes the threat model for exchanges and custodians: the groups are moving beyond phishing and software exploits to physical infiltration of targets.
The headline number is large. The concentration is the real story. One state-linked adversary captured three-fifths of all crypto theft last year. The naive market read treats crypto hacks as a diffuse, opportunistic problem. The better read is that theft has become an industrialized operation run by a single, well-resourced actor. This is not a series of isolated breaches; it is a sustained campaign with a clear geopolitical funding motive.
CertiK’s data shows that total crypto theft in 2025 reached $3.4 billion. The $2.06 billion attributed to DPRK-linked groups means the remaining $1.34 billion was spread across all other threat actors combined. That level of dominance by one adversary creates a systemic concentration risk for the entire asset class. When a single entity can move markets through stolen liquidity or trigger cascading exchange freezes, the risk is no longer just operational; it is structural.
The CertiK report highlights a shift in attack methodology that changes the defense calculus. Instead of relying solely on phishing emails, software supply chain compromises, or bridge exploits, DPRK operatives are now using physical infiltration. This can mean:
For exchange security teams, this is a harder problem. Digital defenses (multisig, air-gapped cold storage, transaction monitoring) do not stop an attacker who has physical access to a signing device or who has turned an insider. The attack surface expands from code and network architecture to personnel vetting, office security, and hardware supply chains. A single compromised employee at a custodian can bypass years of cybersecurity investment.
The move to physical tactics also makes attribution and interdiction more difficult. Phishing infrastructure can be sinkholed; malware can be reverse-engineered. A coerced or planted employee leaves a thinner digital trail. This raises the cost of defense and the probability of successful thefts that are not detected until funds have already been laundered through mixers and cross-chain bridges.
The immediate implication is that insurance premiums for crypto custodians and exchanges are likely to rise. Underwriters already price in cyber risk; physical infiltration introduces a new peril that is harder to model and mitigate. Policies that exclude losses from insider threats or physical breaches may become more common, leaving platforms to self-insure or pass costs to users.
Regulatory pressure will also intensify. The U.S. Treasury has already sanctioned Tornado Cash and other mixers used by DPRK-linked groups. A shift to physical infiltration may accelerate demands for mandatory insider threat programs, stricter background checks, and physical security audits at licensed custodians. Exchanges that cannot demonstrate robust personnel and facility controls may face licensing delays or enforcement actions.
For traders, the practical takeaway is that counterparty risk now includes a physical dimension. An exchange with strong digital security may still have weak office access controls. That combination carries a hidden vulnerability. Due diligence on where and how a platform secures its people and hardware becomes as important as reviewing its smart contract audits.
The CertiK report sets up a near-term catalyst: how regulators and industry groups respond to the physical infiltration trend. The Financial Action Task Force and national regulators may issue updated guidance on operational security for virtual asset service providers. A major exchange breach traced to a physical compromise would likely trigger emergency rulemaking and a flight of assets to platforms perceived as having military-grade physical security. Exchanges that proactively disclose physical security measures and insider threat controls may gain a competitive edge. Those that remain silent risk being the next case study. The DPRK’s industrialization of crypto theft has moved beyond the digital realm. The next phase of defense will have to follow.
Drafted by the AlphaScala research model and grounded in primary market data – live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.