DPRK Linked Operators Sustain Aggressive Crypto Targeting 12 Months After Bybit Breach

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

February 21, 2026, marks one year since North Korea (DPRK)-linked operators stole approximately $1.46 billion in cryptoassets from Dubai-based exchange Bybit — the largest confirmed crypto theft in history.

Rather than slowing down after that breach, the group has only become more active, continuing its campaign against the global crypto industry.

In 2025, DPRK operatives stole a record $2 billion in cryptoassets, bringing the cumulative known total to more than $6 billion.

These funds are believed to directly finance North Korea’s nuclear weapons and missile programs. In January 2026 alone, twice as many exploits were recorded compared to the same month the year before.

Elliptic researchers identified that social engineering remains the primary attack vector across every major DPRK-linked incident, from the Bybit breach to the most recent exploits.

Although these thefts require significant technical skill, the first point of compromise is almost always human. Operatives now use AI to craft convincing fake identities and communications, making detection far more difficult.

The Bybit funds were laundered through refund addresses, worthless token creation, and diversified mixing services, with much of it routed through suspected Chinese over-the-counter trading services.

By August 2025, more than $1 billion had already been processed. The Bybit breach was not a conclusion — it was a turning point for a campaign that continues to intensify.

The threat no longer targets exchanges alone. Developers, project contributors, and anyone with access to crypto infrastructure are all at risk.

Two ongoing campaigns — DangerousPassword and Contagious Interview — continue to generate steady revenue for the regime. DangerousPassword begins with a compromised social media account contacting a target, often referencing a past shared event, and suggesting a video call.

Zoom error screen as presented to a victim (Source – Elliptic)

When the victim connects via Zoom or Microsoft Teams, they see a fake audio error.

The supposed fix — installing a software development kit through the command line — actually deploys malware that harvests private keys, seed phrases, and passwords.

Contagious Interview message (Source – Elliptic)

Contagious Interview uses fabricated job opportunities to lure targets. During a fake onboarding process, victims are asked to run a technical skills test via a code repository.

That repository carries hidden malware. Together, both campaigns generated $37.5 million between January 1 and mid-February 2026. Anyone who runs infected code on a company device puts the entire organization at risk.

Organizations should verify all software installation requests, scrutinize remote contributor identities, and treat unsolicited job offers with caution.
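The two campaigns above both end with a target executing something on their own machine: a command-line "SDK install" or a cloned skills-test repository. The following is an added example, not code from Elliptic or from cybersecuritynews.com, of the kind of pre-execution triage a security team can put in front of that step: it walks an untrusted repository and flags indicators that should trigger a human review before any `npm install` or test command runs. The indicator set (npm lifecycle hooks that fire automatically on install, dynamic code evaluation, long base64-looking blobs) and the thresholds are this example's own assumptions, not a published signature set, and the sample repository it audits is constructed inline from harmless content.

```python
"""Pre-execution triage of an untrusted "take-home test" repository (added example)."""
import base64
import json
import os
import re
import tempfile
from dataclasses import dataclass

# File types inspected for dynamic-execution and encoded-payload indicators.
CODE_SUFFIXES = (".js", ".mjs", ".cjs", ".ts", ".py")

# npm lifecycle scripts that run automatically during `npm install`; a coding
# exercise rarely has a legitimate need for them, so their presence is reviewed.
NPM_LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed indicators: dynamic evaluation or process spawning in JS / Python.
DYNAMIC_EXEC = re.compile(
    r"\beval\s*\(|new\s+Function\s*\(|\bchild_process\b|\bsubprocess\b|\bexec\s*\("
)
# Assumed heuristic: 200+ consecutive base64-alphabet characters is a blob worth a look.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


@dataclass(frozen=True)
class Finding:
    kind: str    # short indicator name
    path: str    # file path relative to the repository root
    detail: str  # what was matched


def _check_package_json(repo: str, rel: str) -> list[Finding]:
    """Flag install-time hooks declared in package.json."""
    with open(os.path.join(repo, rel), encoding="utf-8") as fh:
        try:
            data = json.load(fh)
        except json.JSONDecodeError:
            return [Finding("unparseable-package-json", rel, "invalid JSON")]
    scripts = data.get("scripts") or {}
    return [Finding("npm-lifecycle-hook", rel, f"{hook}: {scripts[hook]}")
            for hook in NPM_LIFECYCLE_HOOKS if hook in scripts]


def _check_code(repo: str, rel: str) -> list[Finding]:
    """Flag dynamic execution and large encoded blobs in a source file."""
    findings: list[Finding] = []
    with open(os.path.join(repo, rel), encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    for m in DYNAMIC_EXEC.finditer(text):
        findings.append(Finding("dynamic-exec", rel, m.group(0).strip()))
    for m in BASE64_BLOB.finditer(text):
        findings.append(Finding("base64-blob", rel, f"{len(m.group(0))} chars"))
    return findings


def audit_repo(repo: str) -> list[Finding]:
    """Walk a checked-out repository and collect review-worthy indicators."""
    findings: list[Finding] = []
    for root, dirs, files in os.walk(repo):
        dirs[:] = [d for d in dirs if d not in (".git", "node_modules")]
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), repo)
            if name == "package.json":
                findings += _check_package_json(repo, rel)
            elif name.endswith(CODE_SUFFIXES):
                findings += _check_code(repo, rel)
    return findings


def build_sample_repo(target: str) -> str:
    """Constructed sample: a 'skills test' repo carrying the indicators above.
    The encoded blob is a harmless sentence, so nothing here does anything."""
    os.makedirs(os.path.join(target, "src"), exist_ok=True)
    pkg = {"name": "take-home-test", "version": "1.0.0",
           "scripts": {"test": "node src/test.js",
                       "postinstall": "node src/setup.js"}}
    with open(os.path.join(target, "package.json"), "w", encoding="utf-8") as fh:
        json.dump(pkg, fh)
    blob = base64.b64encode(b"constructed placeholder payload " * 8).decode()
    with open(os.path.join(target, "src", "setup.js"), "w", encoding="utf-8") as fh:
        fh.write(f'const p = "{blob}";\neval(Buffer.from(p, "base64").toString());\n')
    with open(os.path.join(target, "src", "test.js"), "w", encoding="utf-8") as fh:
        fh.write('console.log("run the candidate tests");\n')
    return target


def audit_sample() -> list[Finding]:
    """Build the constructed repository in a temp dir and audit it."""
    return audit_repo(build_sample_repo(tempfile.mkdtemp(prefix="skills-test-")))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"[{f.kind}] {f.path}: {f.detail}")
```

A non-empty result is a stop signal, not a verdict: someone other than the recipient reviews the flagged files before anything is installed or executed. The heuristics are deliberately simple and are evaded by modest obfuscation, which is why the control the article points at still matters most: untrusted code from a recruiter or a contributor is run in a disposable, isolated environment with no wallet keys, seed phrases or corporate credentials on it, never on a company device.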
