The largest known cryptocurrency theft in history occurred on February 21, 2026, when operators with ties to North Korea (DPRK) stole about $1.46 billion worth of cryptoassets from the Dubai-based exchange Bybit. Since that hack, the group has not slowed down; on the contrary, it has become even more active in its campaign against the global cryptocurrency industry. The total amount of cryptoassets stolen by DPRK agents has surpassed $6 billion, with a record $2 billion stolen in 2025.

These funds are believed to directly finance North Korea's nuclear weapons and missile programs. In January 2026 alone, twice as many exploits were reported as in the same month of the previous year.

From the Bybit hack to the most recent exploits, Elliptic researchers found that social engineering continues to be the main attack vector in all significant DPRK-related incidents. The initial point of compromise is nearly always human, even though these thefts demand a high level of technical expertise. AI is now used by operators to create convincing phony identities and communications, making detection much more challenging.

Refund addresses, the creation of worthless tokens, and a diversified set of mixing services were used to launder the Bybit funds, most of which were sent through alleged Chinese over-the-counter trading services. Over $1 billion had already been processed by August 2025. The Bybit hack was not the end of the campaign but a turning point in one that is still intensifying, and exchanges are no longer its only target.

Anyone with access to crypto infrastructure, including developers and project participants, is at risk.

The Playbook for Social Engineering

DangerousPassword and Contagious Interview are two ongoing campaigns that continue to bring in a consistent amount of money for the regime. DangerousPassword begins with a compromised social media account reaching out to a target, frequently mentioning an event the two supposedly attended together, and proposing a video call.

[Figure: the victim's view of the Zoom error screen (Source: Elliptic)]

When the victim connects using Zoom or Microsoft Teams, they are shown a phony audio error. The purported fix, installing a software development kit from the command line, actually installs malware that harvests passwords, seed phrases, and private keys.

[Figure: Contagious Interview message (Source: Elliptic)]

Contagious Interview lures targets with false job openings.

As part of a phony onboarding procedure, victims are asked to complete a technical skills test using a code repository. That repository contains hidden malware. Between January 1 and mid-February 2026, the combined revenue from both campaigns was $37.5 million.

Running malicious code on a company device puts the entire company at risk. Companies should carefully verify the identities of remote contributors, confirm every software installation request through a second channel, and exercise caution when accepting unsolicited job offers.
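As an added, defender-side example (it is not part of the Elliptic article and not a tool from either campaign), the Python script below performs the kind of pre-execution triage a reviewer can run on an unfamiliar "skills test" repository before installing or running anything from it. It assumes a JavaScript/Node.js-style project, which the article does not specify; the install-hook names are real npm lifecycle scripts, while the sample repository, the source patterns and the thresholds are constructed for illustration and are not derived from any specific campaign.

```python
"""Pre-execution triage for an unfamiliar code repository.

Run this BEFORE `npm install`, `pip install` or any build step on a
"skills test" repo. It flags install-time hooks and source patterns that
commonly hide a second-stage payload. Every finding is a lead for a human
reviewer, not a verdict; thresholds and patterns are assumptions for this
example, not rules taken from any specific campaign.
"""
import json
import re
from pathlib import Path
from typing import Dict, List, Tuple

# npm lifecycle hooks that run arbitrary commands during install.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Source-level patterns: dynamic code execution, process spawning, blob decoding.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\beval\s*\("), "dynamic eval()"),
    (re.compile(r"\bnew\s+Function\s*\("), "Function() constructor"),
    (re.compile(r"child_process|subprocess|os\.system|\bexec(?:Sync)?\s*\("), "process spawning"),
    (re.compile(r"\batob\s*\(|b64decode|Buffer\.from\([^)]*['\"]base64['\"]"), "base64 decode"),
    (re.compile(r"String\.fromCharCode"), "char-code string assembly"),
]
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")   # long base64-looking run
HIDDEN_GAP_RE = re.compile(r"\S[ \t]{120,}\S")       # code pushed off-screen by whitespace
MAX_LINE_LEN = 500                                    # minified code inside a readable file
SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".py", ".sh"}
SKIP_DIRS = {".git", "node_modules", "__pycache__"}

Finding = Tuple[str, int, str]   # (relative path, 1-based line or 0 for whole file, reason)


def scan_package_json(path: str, text: str) -> List[Finding]:
    """Report every install-time hook so the reviewer reads its command."""
    try:
        scripts = json.loads(text).get("scripts", {})
    except (ValueError, AttributeError):
        return [(path, 0, "package.json is not valid JSON")]
    return [(path, 0, f"install hook '{hook}': {scripts[hook]}")
            for hook in LIFECYCLE_HOOKS if hook in scripts]


def scan_source(path: str, text: str) -> List[Finding]:
    """Line-oriented heuristics for concealed or obfuscated code."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if pattern.search(line):
                findings.append((path, lineno, reason))
        if BLOB_RE.search(line):
            findings.append((path, lineno, "long base64-like blob"))
        if HIDDEN_GAP_RE.search(line):
            findings.append((path, lineno, "code hidden behind a whitespace gap"))
        if len(line) > MAX_LINE_LEN:
            findings.append((path, lineno, f"line longer than {MAX_LINE_LEN} chars"))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {relative_path: content} map; findings sorted by path, line."""
    findings: List[Finding] = []
    for path, text in files.items():
        if Path(path).name == "package.json":
            findings += scan_package_json(path, text)
        elif Path(path).suffix in SOURCE_SUFFIXES:
            findings += scan_source(path, text)
    return sorted(findings)


def load_repo(root: Path) -> Dict[str, str]:
    """Read scannable files from a checked-out (but not installed or run) repo."""
    files: Dict[str, str] = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if not p.is_file() or SKIP_DIRS & set(rel.parts):
            continue
        if p.name == "package.json" or p.suffix in SOURCE_SUFFIXES:
            files[rel.as_posix()] = p.read_text(errors="ignore")
    return files


# Constructed sample repository (not a real campaign artifact): a clean app file,
# an install hook, and a "setup" file whose payload sits far right of the visible code.
SAMPLE_REPO: Dict[str, str] = {
    "package.json": json.dumps({
        "name": "skills-test",
        "scripts": {"test": "jest", "postinstall": "node lib/setup.js"},
    }, indent=2),
    "src/app.js": "const express = require('express');\nmodule.exports = express();\n",
    "lib/setup.js": (
        "// environment setup\n"
        "const cfg = {};" + " " * 300
        + "eval(Buffer.from('" + "QUJD" * 60 + "', 'base64').toString());\n"
    ),
}


if __name__ == "__main__":
    import sys
    target = load_repo(Path(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPO
    for path, lineno, reason in scan_files(target):
        print(f"{path}:{lineno}: {reason}")
```

Run it with a path to a cloned repository, or with no arguments to scan the constructed sample. The point of the design is that nothing in the repository is executed: package manifests are parsed as JSON and source files are read as text, so the check is safe to run on a suspect repo, and an install hook is reported even when its command looks innocuous, because the file it invokes is where the hidden code usually lives.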