🟪 The hacks that keep giving

The DPRK's share of crypto exploits keeps growing

The North Korean operatives who exploited $62.5 million worth of crypto from the Munchables NFT game in 2024 quickly realized they hadn’t thought things all the way through: they couldn’t figure out how to launder the funds off of the Blast blockchain. The bridges were too slow and the transaction sizes too small to get the funds to safety.

Just a day after stealing it, they gave the money back.

We don’t know for sure why they didn't just keep it (even if they couldn't use it) because DPRK hackers never explain themselves. 

But they may have done it for the greater good of crypto — like a fisherman releasing a catch back into a river to ensure the river remains bountiful.

If so, it was a good decision. 

Last month, North Korean hackers reeled in $577 million from the ever-giving river of crypto.

That brings North Korea’s lifetime haul of stolen crypto to over $6 billion.

A report by the Multilateral Sanctions Monitoring Team (MSMT) — an international effort tracking North Korean sanctions evasions — explains that the country shifted its hacking focus to crypto in 2017, when tightening UN sanctions forced it to look for new ways to “earn” foreign currency.

This, too, was a good decision.

The MSMT estimates that North Korea earns more in foreign currency now than it did before sanctions were tightened — with most of it coming from two sources: cryptocurrency heists and weapons sales.

Sometimes, the weapons are exchanged for cryptocurrency.

“DPRK officials have attempted to expand the [their] use of cryptocurrency beyond cybercrime to include the use of cryptocurrency as a form of exchange and payment for goods and services,” the MSMT reports.

Over the last two years, for example, North Korea has offered to sell military communications equipment, portable anti-aircraft missile systems, and several tonnes of gold in return for USDT. It’s also used USDT to buy (or attempt to buy) armored vehicles and Russian fuel.

Other cryptos have been used for smaller — but equally important — transactions. North Korea has used ETH and USDC to buy the documents needed to establish fake personas for IT workers the country sends to infiltrate Western tech companies: “driver’s licenses, social security cards, passports, bank account statements, fire incident reports, utility bills, and university diplomas,” the MSMT reports.

In other words, North Korea is using crypto exactly as intended: to move money and transact without permission. 

It’s also pioneering crypto’s most advanced use case: North Korea’s First Credit Bank, the MSMT reports, is “actively holding reserves in dozens of cryptocurrency wallets.”

Who’d have guessed the Hermit Kingdom would be the first to elevate crypto to the status of bank-reserve asset?

Every growing economy needs growing bank reserves, of course. So, to keep its klepto-economy going, North Korea’s hackers have had to continually level up.

One measure of their success is their tightening grip on the profitable field of crypto exploitation. After facing some stiff competition in 2020, North Korea’s share of the market for stolen crypto rose to 22% in 2022, 39% in 2024, and 64% in 2025.

In 2026, they’ve outdone themselves: 76% of the crypto stolen this year has been stolen by North Korea.

Their success is attributable at least in part to the fast adoption of new tech: “North Korea’s hackers are incorporating AI into their reconnaissance and social engineering workflows,” TRM writes.

This year’s highly complex exploit of Drift — involving “three weeks of pre-attack staging and months of social engineering to compromise protocol signers” — is a long way from the “simple private key compromises” they used to rely on.

The MSMT similarly reports that, since as early as 2023, DPRK hackers have been “creating fake identities using generative artificial intelligence tools such as ChatGPT to apply for remote IT jobs.”

(Reminder: ChatGPT was only released in November 2022.)

More recently, they’ve been using AI to craft “more authentic spear phishing messages” and develop code for malware — two things AI is especially good at.

OpenAI itself said in February 2025 that DPRK actors were using their chatbot to “debug code, gather information on cyber intrusion tools, and research cryptocurrency-related topics.”

(Most amusingly, they reportedly used ChatGPT to brainstorm elaborate cover stories to explain to employers why they were constantly avoiding video calls, logging in from unauthorized countries, and working irregular hours.)

Doing all this from the safety of Pyongyang, beyond the reach of international law enforcement, is quite the advantage — and an advantage that should continue to compound with AI.

Assuming, that is, they don’t deplete the crypto river by overfishing it.

— Byron Gilliam