North Korea Now Holds 76% of All Crypto Stolen in 2026

Tracking of stolen cryptocurrency flows in 2026 shows North Korean actors have consolidated control over roughly three-quarters of all funds taken in crypto-related thefts this year. The concentration reflects the regime’s continued reliance on offensive cyber operations as a sanctions-resistant revenue stream, with state-aligned groups like Lazarus and its subclusters dominating the high-value end of the threat landscape.

The figure underscores how exchange compromises, bridge exploits, and DeFi protocol attacks have become a strategic funding channel rather than opportunistic criminal activity. Each successful operation feeds laundering pipelines that move proceeds through mixers, cross-chain bridges, and OTC brokers before conversion to fiat, making recovery rare and attribution forensics increasingly central to incident response.

For defenders in the crypto sector, the takeaway is that the dominant adversary is a well-resourced nation-state with established TTPs spanning social engineering of developers, supply-chain implants in build pipelines, and exploitation of smart-contract logic. Standard fintech controls aren’t calibrated for this threat profile.