North Korea Laundered 76% of All Stolen Crypto in 2026
North Korean hackers laundered 76% of all stolen cryptocurrency in 2026 — $2.3 billion — per Chainalysis.

Executive Summary
North Korean state-backed hackers laundered 76% of all stolen cryptocurrency globally in 2026 — approximately $2.3 billion — according to blockchain analytics firm Chainalysis. The figure represents a sharp increase from 60% in 2025 and underscores Pyongyang's growing reliance on crypto theft to fund its weapons programs. Chainalysis attributed the majority of the activity to the Lazarus Group and its sub-cluster BlueNoroff, which have adopted AI-generated deepfake calls and personalized fake job offers to bypass exchange know-your-customer (KYC) controls.
Technical Analysis
Chainalysis's 2026 Crypto Crime Report, reviewed by Dark Reading, identified a shift in laundering methodology. In prior years, North Korean operators relied on mixing services and peer-to-peer exchanges. In 2026, they increasingly used cross-chain bridges and decentralized finance (DeFi) protocols that lack robust identity verification. The report notes that AI-generated deepfake video calls — impersonating recruiters or venture capitalists — were used to trick exchange compliance officers into approving large withdrawals from flagged wallets.
BlueNoroff specifically targeted Ethereum-based liquid staking tokens and Solana DeFi pools, exploiting smart contract vulnerabilities to drain liquidity before the transactions could be flagged. Chainalysis documented at least 14 separate heists exceeding $50 million each in 2026, compared to 9 in 2025. The largest single theft — $620 million from a South Korean exchange — was traced to a Lazarus-controlled wallet within 48 hours, but the funds had already been bridged to multiple chains and converted to privacy coins.
The report also highlights the use of AI-powered social engineering at scale. Threat actors scraped LinkedIn and GitHub profiles to identify exchange employees with access to hot wallets, then deployed deepfake voice calls mimicking C-suite executives to authorize transfers. Chainalysis analysts stated that the technique was "notably effective" against exchanges that had recently implemented AI-based fraud detection — the deepfakes bypassed legacy voice biometric systems.
Mitigations & Recommendations
Chainalysis recommends that cryptocurrency exchanges require multi-factor authentication, including out-of-band verification (e.g., a physical token or in-person confirmation), for all withdrawal approvals. Exchanges should also deploy on-chain anomaly detection that flags cross-chain bridge activity from wallets previously associated with known Lazarus infrastructure. For DeFi protocols, the report advises time-locked withdrawals for liquidity pools exceeding $10 million, giving analysts a window to freeze stolen assets before they are bridged.
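A sketch of the on-chain anomaly detection recommended above, added here as an illustration and not taken from the Chainalysis report or any vendor product: it propagates "taint" forward from flagged wallets through transfers in chain order and alerts when a tainted wallet deposits into a bridge. All addresses, the bridge list, the transfer records, and the `max_hops` and `min_usd` thresholds are constructed assumptions.

```python
# Constructed sample data: every address and value below is a placeholder.
FLAGGED = {"0xFLAGGED01"}                 # wallets already attributed by an intel feed
BRIDGES = {"0xBRIDGE_A", "0xBRIDGE_B"}    # known bridge deposit contracts
TRANSFERS = [  # (tx_id, sender, receiver, usd_value), in chain order
    ("tx1", "0xFLAGGED01", "0xHOP1", 900_000),
    ("tx2", "0xFLAGGED01", "0xUSER9", 5),          # dust sent to an unrelated wallet
    ("tx3", "0xHOP1", "0xHOP2", 450_000),
    ("tx4", "0xHOP2", "0xBRIDGE_A", 440_000),
    ("tx5", "0xUSER9", "0xBRIDGE_B", 12_000),
    ("tx6", "0xHOP1", "0xHOP3", 400_000),
    ("tx7", "0xHOP3", "0xHOP4", 390_000),
    ("tx8", "0xHOP4", "0xHOP5", 380_000),
    ("tx9", "0xHOP5", "0xBRIDGE_B", 370_000),
]


def flag_bridge_deposits(transfers, flagged, bridges, max_hops=3, min_usd=1_000):
    """Return alerts for bridge deposits made by wallets within max_hops of a flagged wallet.

    Transfers are processed in chain order, so funds only count as tainted if the
    sender was already tainted when the transfer happened. Transfers below min_usd
    are ignored so that dusting cannot mark unrelated wallets as tainted.
    """
    hops = {addr: 0 for addr in flagged}   # address -> shortest hop count from a flagged wallet
    alerts = []
    for tx_id, sender, receiver, usd in transfers:
        depth = hops.get(sender)
        if depth is None or usd < min_usd:
            continue                        # sender not tainted, or value too small to matter
        if receiver in bridges:
            # Bridges are sinks: alert, but never taint the bridge contract itself.
            alerts.append({"tx": tx_id, "wallet": sender, "bridge": receiver,
                           "hops_from_flagged": depth, "usd": usd})
        elif depth < max_hops:
            hops[receiver] = min(hops.get(receiver, depth + 1), depth + 1)
    return alerts


if __name__ == "__main__":
    for alert in flag_bridge_deposits(TRANSFERS, FLAGGED, BRIDGES):
        print(alert)
```

Raising `max_hops` catches longer peel chains such as the one ending in `tx9`, while lowering `min_usd` to zero lets the dust transfer in `tx2` pull an unrelated wallet into the alerts; both thresholds need tuning against real transfer data.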

