CrowdStrike: DPRK hackers stole $2.02B in crypto in 2025

CrowdStrike reports North Korea-linked hackers stole $2.02 billion in crypto in 2025, a 51% increase from 2024, using AI-generated identities to target financial firms.

CrowdStrike’s 2026 Financial Services Threat Landscape Report states that North Korea-linked actors stole $2.02 billion in cryptocurrency in 2025, a 51% increase from 2024. The security firm links the funds to the Democratic People’s Republic of Korea’s military programs.

The report attributes the rise to greater use of artificial intelligence to create fake professional identities and automate reconnaissance and credential theft. CrowdStrike identifies two DPRK-linked clusters expanding their operations: FAMOUS CHOLLIMA and STARDUST CHOLLIMA.

FAMOUS CHOLLIMA roughly doubled its activity by deploying AI-generated identities to infiltrate crypto exchanges, fintech firms and retail banks. STARDUST CHOLLIMA created AI-crafted recruiter accounts and simulated video meeting environments to lure employees at fintech companies across North America, Europe and Asia.

CrowdStrike recorded 423 financial-services victims listed on dedicated leak sites during the reporting period, a 27% year-over-year increase. Human-operated intrusions, described as hands-on-keyboard attacks, rose 43% globally, with a 48% jump in North America. By the first quarter of 2026, North America accounted for more than half of sector intrusions. The report places the financial industry as the fourth-most-targeted sector, representing 12% of recorded hostile activity.

Independent blockchain investigators linked roughly $577 million in stolen funds to DPRK-related incidents involving Drift Protocol and KelpDAO through April 2025. North Korea’s state news agency, KCNA, rejected responsibility for the cyber activity.

CrowdStrike describes social engineering as a primary attack vector. Attackers used fabricated professional profiles and staged meetings to obtain employee credentials or payment authorizations. Once inside networks, intruders moved funds, deployed ransomware or accessed customer data.

Adam Meyers, CrowdStrike’s head of counter adversary operations, warned that AI has lowered the cost of creating convincing identities and automating credential theft, making such campaigns easier to scale.

The report also documents continued ransomware and espionage affecting banks and fintechs. Leak sites have been used to publish stolen data and to pressure victims. CrowdStrike recommends stepped-up identity verification, stronger multi-factor authentication and targeted threat hunting to detect signs of human-operated intrusions and synthetic identities.

Attribution remains contested in public forums: private security firms and blockchain trace analysis link specific stolen funds to DPRK-controlled entities, while official North Korean statements deny the allegations. The report covers activity through 2025 and includes intrusion trends extending into early 2026.