- North Korea denies involvement in crypto hacks despite billions linked to its groups
- Over $6 billion reportedly stolen since 2017, with major 2026 attacks dominating losses
- Lazarus Group tied to large-scale, coordinated cybercrime operations
North Korea has officially denied its role in global crypto hacks, calling the accusations “absurd slander,” but the numbers floating around tell a very different story. The country claims the U.S. is exaggerating a “nonexistent cyber threat,” which, to be fair, is a bold stance considering how much data points in the opposite direction.
At this point, it’s less about claims and more about patterns that have been building for years.
A Few Attacks, Massive Impact
What stands out in 2026 isn’t the number of attacks, but their scale. Two major incidents alone, including the Drift Protocol and KelpDAO exploits, accounted for the majority of losses, totaling over half a billion dollars in a very short window.
These weren’t random hits either, they involved weeks of preparation and precise execution, which suggests a level of organization that goes well beyond opportunistic hacking.
The Infrastructure Behind the Movement
One of the more overlooked pieces of this puzzle is how stolen funds actually move after the hack. Platforms like THORChain have been repeatedly used to convert large amounts of stolen crypto, particularly ETH into Bitcoin, without intervention.
That lack of centralized control, often seen as a strength in DeFi, becomes a vulnerability in cases like this, where there’s no mechanism to stop or reverse transactions.
A Shift Toward Fewer, Bigger Operations
The broader trend shows a shift in strategy. Instead of frequent smaller attacks, activity appears to be consolidating into fewer but far more impactful operations, with billions stolen in recent years.
There are also increasing reports of North Korean-linked actors infiltrating companies through remote IT roles, which adds another layer to how these operations are conducted.
Denial vs Data
North Korea’s denial isn’t surprising, but it does create a sharp contrast with the evidence presented by blockchain analysis firms and global investigations. The data consistently points toward coordinated activity tied to known groups like Lazarus, which have been linked to numerous high-profile incidents.
At some point, the gap between official statements and observable patterns becomes hard to ignore. Whether that leads to stronger countermeasures or just more of the same remains to be seen, but for now, the issue isn’t going away.
