
The G7 Just Called Out North Korea’s Crypto Theft Machine



Seven of the world’s most powerful economies have renewed their warning about DPRK-linked crypto theft. The billion-dollar hacks keep happening anyway.

At this week’s G7 summit in Évian-les-Bains, France, the leaders of seven of the world’s largest economies agreed on something that the crypto security community has known for years: North Korea is systematically stealing digital assets at a scale that represents a genuine threat to global financial security — and something needs to be done about it.

The statement adopted at the summit expressed “deep concern” over North Korea’s nuclear and ballistic missile programs, explicitly linking DPRK-affiliated crypto theft to the funding of those programs. It called for joint action among member nations to address the problem.

What it didn’t do was specify what that action should look like.

No mention of exchange screening requirements. No coordinated sanctions framework. No concrete measures targeting mixing services — the tools North Korean actors routinely use to launder stolen funds after an exploit. The call for action was real. The action plan was not.

The Numbers Behind the Warning

The G7’s renewed attention to this issue didn’t emerge in a vacuum. The scale of what North Korean-affiliated actors have been taking from the crypto industry has become difficult to ignore even for leaders whose primary focus is traditional geopolitics.


According to Chainalysis, North Korean hackers stole at least $2 billion in cryptocurrency in 2025 alone — pushing the all-time total attributed to DPRK-affiliated actors to at least $6.75 billion. That cumulative figure represents one of the most sustained and successful financial crime operations in modern history, conducted almost entirely through digital asset theft rather than conventional financial fraud.

What makes the 2025 figures particularly striking is that hackers achieved those returns while conducting fewer confirmed attacks than in previous years. The operations have become more targeted and more efficient. Rather than volume, DPRK-affiliated groups are increasingly prioritizing high-value targets — exchanges, protocols, and infrastructure providers where a single successful breach can yield hundreds of millions of dollars.

CrowdStrike’s May 2026 report identified North Korean actors as the single largest threat group targeting crypto users by total value stolen, with proceeds described as being “almost certainly laundered to fund the regime’s military programs.” The UN and independent security researchers have reached the same conclusion through separate analytical frameworks.

The Tactics Have Evolved Considerably

The image of a North Korean hacker exploiting smart contract vulnerabilities from a server farm still captures part of the picture, but it misses how sophisticated these operations have become.

Chainalysis noted that a significant portion of recent theft has come through social engineering rather than direct technical exploits. DPRK-affiliated actors have embedded themselves inside crypto companies by posing as legitimate IT workers, passing hiring processes at blockchain firms and gaining access to internal systems over weeks or months before executing a theft. Others have impersonated recruiters and investors to establish trust relationships with targets before deploying malware or extracting sensitive credentials.

These approaches are harder to defend against than smart contract exploits because they target humans rather than code. An organization can audit its smart contracts exhaustively and still be vulnerable to an insider who spent three months building trust before stealing private keys.

Two recent exploits illustrate the scale of what this looks like in practice. The Drift Protocol exploit in April resulted in losses of approximately $285 million, with investigators linking preliminary findings to DPRK-affiliated actors. The $36 million Humanity Protocol breach in June — in which multiple multisig keys stored on a compromised employee laptop gave attackers control over two blockchain bridges simultaneously — has also been linked to North Korean actors by security firm Quantstamp. That second case is particularly instructive: the attack succeeded not because of a code vulnerability but because of an operational security failure that a sophisticated, patient attacker was positioned to exploit.

A Year of G7 Statements, A Year of Continued Theft

The Évian-les-Bains statement isn’t the G7’s first attempt to address this problem. At last year’s summit in Canada, the group’s chair called on members to jointly address “DPRK cryptocurrency thefts fueling” the country’s weapons programs. The language was pointed. The follow-through, measured against what happened to the industry in the twelve months since, was insufficient.

North Korean actors stole $2 billion in 2025 after the G7 raised the issue in 2024. The trajectory has not bent downward.

This pattern — international statements of concern followed by continued theft at scale — reflects a structural challenge that goes beyond any single government’s willingness to act. North Korean crypto laundering operations run across multiple jurisdictions, use decentralized infrastructure specifically designed to resist seizure, and operate at a technical sophistication that outpaces most regulatory frameworks currently in place.

Effective countermeasures would require the kind of coordinated action that the G7’s latest statement gestures toward but doesn’t specify: mandatory screening at exchanges operating in member countries, coordinated sanctions against wallets and mixing services identified as laundering channels, and intelligence sharing frameworks that allow security agencies to track DPRK-linked transactions across borders in near-real time. Each of these measures is technically achievable. None of them is politically simple.

Pyongyang’s Response

North Korea’s position on all of this is consistent and predictable. In a May 3 statement published by state news agency KCNA, a Foreign Ministry spokesperson rejected the characterization of the country as a cyber threat, describing the allegations as politically motivated “slander” and accusing the United States of spreading false information.

The denial follows a well-established pattern. North Korea has rejected attribution for major cyberattacks for years regardless of the evidence assembled by researchers, governments, and international organizations. The UN Panel of Experts, Chainalysis, CrowdStrike, and multiple national intelligence agencies have all reached similar conclusions about the DPRK’s cyber operations through independent analysis. Pyongyang’s response to each attribution has been consistent denial.

The gap between that denial and the documentary evidence is wide enough that most serious analysts treat it as noise rather than a credible counter-argument. The more meaningful question isn’t whether North Korea is conducting these operations — the evidence base for that conclusion is substantial — but what the international community intends to do about it.

What Meaningful Action Would Actually Look Like

The crypto industry has developed its own responses to the DPRK threat in the absence of coordinated government action, with varying degrees of effectiveness.

Blockchain analytics firms including Chainalysis and Elliptic maintain real-time tracking of wallets linked to known DPRK-affiliated actors, allowing exchanges that use their screening tools to block or flag suspicious transactions. Some exchanges have implemented enhanced screening for high-risk wallet addresses. Security firms have published detailed post-mortems on DPRK attack methodologies, helping the industry understand and defend against the social engineering tactics that have become central to these operations.

These are meaningful contributions, but they are also fundamentally reactive. They identify and respond to attacks after the fact rather than preventing them. The scale of theft — $2 billion in a single year — suggests that reactive measures alone are not sufficient to materially change the outcome.

What the G7’s call for joint action could unlock, if translated into concrete policy, is a coordinated proactive framework: common standards for wallet screening at exchanges operating in member jurisdictions, coordinated asset freezes on identified laundering channels, and formal intelligence-sharing agreements that give security agencies the cross-border visibility needed to track complex laundering operations in real time.

Whether the Évian-les-Bains statement becomes the foundation for that kind of framework, or joins its predecessor from Canada as a well-intentioned declaration that preceded another year of billion-dollar theft, will be determined by what G7 members do in the months following the summit rather than by the language of the statement itself.

The concern is on record. The billion-dollar question is what happens next.


Aryad Satriawan is an Investment Storyteller with a professional career in the crypto (web3) and stock market industry. Aryad has been actively trading and writing analysis/research on crypto, stock and forex markets since 2016, and is currently an educator at one of the largest stock brokers in Indonesia.