DPRK-Linked Hackers Continue Aggressive Crypto Attacks One Year After Bybit Breach

DPRK-linked hackers are ramping up aggressive crypto attacks a year after the Bybit breach, which resulted in a $1.46 billion theft.

DPRK-Linked Hackers Continue Aggressive Crypto Attacks One Year After Bybit Breach

One year has passed since the monumental Bybit breach, where North Korean hackers stole approximately $1.46 billion in cryptocurrencies from the Dubai-based exchange. Unfortunately, rather than retreating, these DPRK-linked operators have intensified their focus on the crypto sector. As of February 2026, their activities have shown no signs of abating, with recent data confirming a sharp uptick in attacks since the breach.

What Happened During the Bybit Breach?

On February 21, 2025, the record-breaking theft from Bybit unveiled the vulnerabilities within the cryptocurrency ecosystem. This incident not only solidified North Korea's position as a major player in crypto crime but also highlighted the potential for extensive financial damage within the sector. By late summer 2025, more than $1 billion of the laundered funds had already been filtered through a myriad of channels, including refund addresses and crypto-mixing services.

How Much Crypto Have DPRK Hackers Stolen Since Then?

The aftermath of the Bybit breach indicated a marked increase in the DPRK's cybercriminal operations. According to Elliptic, a blockchain analytics firm, these actors amassed a staggering $2 billion in the entirety of 2025, elevating their cumulative crypto haul to over $6 billion. These funds are believed to play a significant role in underwriting North Korea's nuclear and missile programs, making their illicit operations a strategic revenue stream for the regime.

What Tactics Are They Using to Target Crypto?

While sophisticated technical exploits enable the theft of cryptocurrencies, DPRK-linked hackers have increasingly relied on social engineering to gain initial access to their targets. Two specific campaigns, dubbed DangerousPassword and Contagious Interview, have emerged as prominent threats, raking in $37.5 million since the beginning of 2026 alone.

In the DangerousPassword campaign, hackers leverage compromised social media accounts to lure victims. They often initiate contact with a seemingly innocuous real-world pretext before escalating to video calls on platforms such as Zoom or Microsoft Teams. During these calls, victims are tricked into executing command-line codes that secretly install malware to harvest private keys and credentials.

Meanwhile, the Contagious Interview campaign manifests through fake job offers and technical tests that lead unsuspecting candidates to download malware-laden software. These attacks expose not just the individuals but often entire organizations that use affected devices connected to their networks.

How Are They Infiltrating Organizations?

Beyond these active campaigns, another troubling trend involves DPRK nationals posing as freelancers or remote developers to infiltrate legitimate crypto projects. They perform credible work while covertly compromising their colleagues' devices. This infiltration strategy frequently involves employing fabricated identities and "rented" laptops situated in safe jurisdictions to circumvent basic KYC checks.

Are They Developing Their Own Crypto Projects?

In a concerning shift, DPRK operators appear to be moving beyond just infiltrating existing crypto ecosystems. Recent developments linked to the Bittensor-associated project, Tenexium, suggest that hackers may be working towards building and weaponizing their own protocols. On January 1, 2026, Tenexium's website mysteriously went offline, timed with a significant liquidity drain of around $2.5 million from its treasury wallet.

This transition from infiltration to creating their own projects poses a new threat landscape for the cryptocurrency community, raising alarms about the potential for future malicious exploits.

What Should Crypto Traders Be Aware Of?

The ongoing activities of DPRK-linked hackers underscore the need for enhanced security measures within the crypto industry. As social engineering scams grow more sophisticated, crypto traders and developers should remain vigilant and practice cybersecurity best practices, especially when engaging with new projects or job offers.

Marketplaces like Bybit, Binance, and others are popular exchanges through which many engage in trading. As always, it's crucial to exercise caution and assess the legitimacy of platforms, especially in light of increasing cyber threats.

  • DPRK-linked hackers have intensified crypto attacks since the Bybit breach a year ago.
  • North Korea's cyber operations have generated over $6 billion in total from crypto thefts, supporting military programs.
  • Social engineering tactics, such as DangerousPassword and Contagious Interview, have escalated, harvesting millions for DPRK.
  • DPRK nationals are increasingly infiltrating legitimate projects, using fake identities to gain access to internal systems.
  • Potential new projects created by DPRK linkages, like Tenexium, could pose future threats to the crypto ecosystem.

As the threat landscape continues evolving, staying informed and cautious is your best defense against falling victim to these sophisticated cyber operations.