Retail crypto traders who have had their accounts hacked, or who fell victim to last year's Coinbase (NASDAQ:COIN) scam, which saw one poor soul lose over $2 million, know how stressful it is to wake up to an empty wallet. Worse yet, there is almost no recourse for recovery. Who's stealing all those Bitcoins? Where are all these hackers coming from?

North Korea. That's where. Around 60% of the total value stolen in crypto last year could be traced to cybercriminals in North Korea, according to Web3 security services firm CertiK. So far this year, North Korea-linked activity has accounted for 55% of global crypto losses, so the trend appears to be holding. CertiK estimated that 185 incidents have resulted in at least $1.1 billion in total losses to cryptocurrency holders since January. Of that amount, around $621 million was attributed to sources in North Korea. Most of that came from the $291 million KelpDAO exploit.

CertiK, founded in 2017 by professors from Yale and Columbia universities, released their 23-page report on Wednesday. 

Social relationship building is the dominant attack vector. Coinbase users who fell victim to scammers last spring likely moved money from their account to their wallets after being advised to do so by conmen who spoke perfect English and claimed to be Coinbase staffers. After the money was in the wallet, the wallet was emptied.

CertiK specifically gave examples of fake LinkedIn job offers. "Most of the major North Korean heists begin with human manipulation," CertiK said in the report, adding, "fake venture capital impersonators, fraudulent job interviews, and malicious code repositories account for the majority of initial access across all clusters."

The February 2025 Bybit hack of well over $1 billion demonstrated that institutional-grade multisignature cold wallets can be compromised when third-party infrastructure is targeted. The North Korean attackers never broke the smart contract; they broke the user interface that users trusted when logging in.

Within one month of that Bybit hack, 86.3% of stolen Ethereum (CRYPTO: ETH) had been converted to Bitcoin (CRYPTO: BTC). The North Korean cybercriminal pipeline uses mixing services, cross-chain bridges, decentralized exchanges, and small over-the-counter brokers to trade in and out of the tokens they've stolen from mostly retail investors.

The report says that United Nations Security Council sanctions against North Korea have made cryptocurrency theft practically a state-sanctioned activity. 

From the report: "International sanctions have severely constrained North Korea’s access to foreign currency and international financial systems since the regime’s first nuclear test in 2006. The UN Security Council has imposed progressively tighter restrictions on North Korean exports, banking relationships, and trade partnerships. By 2017, North Korea’s export revenue had collapsed. The regime needed an alternative revenue stream that could bypass the international financial system entirely. Cryptocurrency provided exactly that. Digital assets can be stolen remotely, moved across borders without intermediaries, and converted to fiat through networks of complicit or unwitting brokers."

Crypto wallet hacks are no longer mainly a smart-contract story; they are increasingly a wallet-duplication, multisig fraud and malware story. Chainalysis' 2025 year-end theft update put full-year theft above $3.4 billion. TRM Labs' 2026 Crypto Crime Report found that infrastructure attacks (via compromised private keys, seed phrases, wallet infrastructure, privileged access, and front-end surfaces) drove about $2.2 billion, or 76%, of 2025 hack losses. Personal-wallet compromises alone reached roughly 158,000 incidents affecting at least 80,000 victims, with the dominant origin country being North Korea, TRM Labs also says.

Americans are not the only ones watching their crypto values go to $0.

The Bybit theft made account holders in the United Arab Emirates the largest target domicile by disclosed wallet-hack value in 2025. Other big targets included Iran and Singapore.

The Federal Bureau of Investigation directly blamed the North Korea-based group TraderTraitor for the Bybit theft.

Outside North Korea, the Nobitex breach was publicly claimed by Predatory Sparrow and the on-chain pattern suggested the funds were effectively burned, with a medium-high Israel-linked hacker group. Russian-speaking retail crypto drainer ecosystems are also active. Cybercrime-fighting firm Recorded Future tied Russia's Rublevka Team to more than $10 million in lifetime revenue and about 240,000 successful wallet drains, with the current Solana-focused campaign generating roughly $8.2 million already this year. They've been beating up on Solana wallets since at least 2022.

Mandiant, a Google subsidiary, documented North Koreans using social networking and relationship building against retail wallet infrastructure and fintech companies. Mandiant said the North Koreans are "highly active in targeting cryptocurrency wallets and exchanges to fund their weapons programs and circumvent international sanctions."

In April 2026, Kaspersky Threat Research identified 26 fraudulent cryptocurrency wallet applications on the Apple App Store designed to steal digital assets. These fake apps, often referred to as "FakeWallet" or linked to the SparkKitty campaign, targeted users by mimicking popular, legitimate crypto wallets.

The writer owns Bitcoin and Ethereum. Artwork by the author using Canva.

Benzinga Disclaimer: This article is from an unpaid external contributor. It does not represent Benzinga’s reporting and has not been edited for content or accuracy.