A major cryptocurrency infrastructure company has formally attributed a $290 million theft to North Korean state-sponsored hackers, adding to mounting evidence of a coordinated campaign by DPRK-linked groups against the crypto industry in April 2026.
The attribution comes as multiple prominent cryptocurrency platforms grapple with the aftermath of a wide-ranging operation that researchers have linked to North Korea's Lazarus Group and associated threat clusters. The scale and coordination of the campaign underscore the persistent and growing threat that DPRK-linked threat actors pose to the crypto sector.
Attribution and Evidence
Blockchain security researchers and the affected company's own incident response team identified multiple technical and behavioral indicators linking the theft to North Korean operatives:
| Attribution Factor | Detail |
|---|---|
| On-chain fund movement | Stolen assets routed through wallet addresses and mixing patterns consistent with prior DPRK campaigns |
| Cross-chain bridging | Funds laundered via bridge protocols and privacy tools matching Lazarus Group's post-theft playbook |
| Operational infrastructure | Attacker-controlled wallets overlapped with infrastructure identified in prior DPRK-attributed thefts |
| Attack methodology | Technical approach consistent with DPRK's known DeFi exploitation and social engineering techniques |
| Temporal correlation | Theft occurred in the same window as other DPRK-attributed crypto incidents in April 2026 |
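The indicators in the table above can be checked mechanically once transfer data and an indicator list are in hand. The following Python is an added example, not code from The Record, the affected company, or any analytics vendor: every address, transaction id, amount and date in it is a constructed placeholder, and the "previously attributed" wallet set stands in for the lists that analytics firms and law enforcement maintain. It walks the transfer graph downstream from the victim wallet, reports overlap with previously attributed infrastructure, bridge usage, temporal correlation with other incidents in the same window, and which addresses still hold tainted balance, which are the addresses a freeze request to an exchange can still target before laundering completes.

```python
"""Toy on-chain attribution and freeze-triage helper.

Added example, not code from The Record, the affected company or any
analytics firm. Every address, transaction id, amount and timestamp below
is a constructed placeholder, as is the "previously attributed" set.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    tx: str            # constructed transaction id
    src: str           # sending address
    dst: str           # receiving address
    amount_usd: float  # value at time of transfer
    ts: datetime


# Placeholders standing in for wallets attributed to earlier DPRK campaigns
# and for bridge/mixer contracts; real lists come from analytics providers.
PRIOR_ATTRIBUTED = {"0xPRIOR_DPRK_1", "0xPRIOR_DPRK_2"}
BRIDGES_AND_MIXERS = {"0xBRIDGE_A", "0xMIXER_B"}

# Constructed ledger: theft from the victim's hot wallet, two hops, then one
# slice goes to a previously attributed wallet and one slice into a bridge.
T0 = datetime(2026, 4, 10, 3, 0)
SAMPLE_LEDGER = [
    Transfer("tx1", "0xVICTIM_HOT", "0xATTACKER_1", 290_000_000, T0),
    Transfer("tx2", "0xATTACKER_1", "0xATTACKER_2", 100_000_000, T0 + timedelta(minutes=5)),
    Transfer("tx3", "0xATTACKER_2", "0xPRIOR_DPRK_1", 50_000_000, T0 + timedelta(minutes=20)),
    Transfer("tx4", "0xATTACKER_2", "0xBRIDGE_A", 50_000_000, T0 + timedelta(hours=1)),
    Transfer("tx5", "0xUNRELATED", "0xSHOP", 40, T0 + timedelta(hours=2)),  # noise
]
# Constructed dates of other incidents in the same month (temporal correlation)
OTHER_INCIDENTS = [datetime(2026, 4, 3), datetime(2026, 4, 18)]


def downstream(transfers, origin, max_hops=3):
    """Breadth-first walk of the transfer graph from the theft origin.
    Returns {address: hop_count} for every address reached within max_hops."""
    by_src = {}
    for t in transfers:
        by_src.setdefault(t.src, []).append(t)
    hops = {origin: 0}
    queue = deque([origin])
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops:
            continue
        for t in by_src.get(addr, []):
            if t.dst not in hops:
                hops[t.dst] = hops[addr] + 1
                queue.append(t.dst)
    return hops


def tainted_balances(transfers, reach):
    """Net USD still sitting at each reached address, counting only moves
    whose both ends are inside the tainted graph."""
    bal = {}
    for t in transfers:
        if t.src in reach and t.dst in reach:
            bal[t.dst] = bal.get(t.dst, 0.0) + t.amount_usd
            bal[t.src] = bal.get(t.src, 0.0) - t.amount_usd
    return bal


def attribution_report(transfers, origin, prior=PRIOR_ATTRIBUTED,
                       bridges=BRIDGES_AND_MIXERS, other_incidents=OTHER_INCIDENTS,
                       window_days=30, max_hops=3):
    """Score the on-chain indicators from the attribution table and list the
    addresses where a freeze request could still recover funds."""
    reach = downstream(transfers, origin, max_hops)
    bal = tainted_balances(transfers, reach)
    theft_ts = min(t.ts for t in transfers if t.src == origin)
    overlap = sorted(a for a in reach if a in prior)
    bridging = sorted(t.tx for t in transfers if t.src in reach and t.dst in bridges)
    bridged_usd = sum(v for a, v in bal.items() if a in bridges and v > 0)
    # Funds already in a bridge/mixer are past the point an exchange can freeze
    freeze = {a: v for a, v in bal.items()
              if a != origin and a not in bridges and v > 0}
    correlated = any(abs((d - theft_ts).days) <= window_days for d in other_incidents)
    return {
        "infrastructure_overlap": overlap,
        "bridging_txs": bridging,
        "bridged_usd": bridged_usd,
        "temporal_correlation": correlated,
        "freeze_candidates": freeze,
    }


if __name__ == "__main__":
    for k, v in attribution_report(SAMPLE_LEDGER, "0xVICTIM_HOT").items():
        print(f"{k}: {v}")
```

On the constructed ledger the report shows overlap with one previously attributed wallet, one bridging transaction carrying $50M beyond reach of a freeze, and $240M still sitting at two addresses that an exchange or stablecoin issuer could be asked to block. Real investigations use a far larger indicator set and hop limit, but the shape of the reasoning, taint propagation plus overlap with known infrastructure, is the same.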
The Broader Campaign
The theft is not an isolated incident. Multiple crypto platforms reported significant security incidents in April 2026, with researchers attributing several to DPRK-linked actors. The pattern suggests a coordinated campaign rather than opportunistic attacks:
- North Korean hackers have refined their methodology from direct smart contract exploitation to targeting the human and operational security layer — compromising developer machines, key management systems, and insider access
- The $290M theft follows a $280–285 million heist from Drift in early 2026 that was traced to a six-month in-person social engineering operation by DPRK operatives
- Blockchain analytics firms estimate DPRK-linked hackers have stolen over $1.5 billion in cryptocurrency in 2024 alone
North Korea's Crypto Funding Machine
The U.S. government has repeatedly identified cryptocurrency theft as a primary mechanism for North Korea to fund its weapons programs and evade international sanctions. The systematic nature of DPRK crypto operations reflects a state-directed enterprise rather than typical financially motivated cybercrime:
- Strategic Goal: Fund DPRK regime programs (ballistic missiles, nuclear development)
- Execution Model: Lazarus Group + affiliated clusters operating as state-directed units
- Annual Capacity: Estimated $1–2 billion+ per year in crypto theft
- Target Selection: DeFi protocols, crypto exchanges, infrastructure providers with high TVL (total value locked)

The UN Panel of Experts and multiple Western intelligence agencies have documented DPRK's crypto theft apparatus, which employs thousands of IT workers and dedicated hacking units.
Industry Response
Following the disclosure, the affected company has:
- Suspended relevant operations while the investigation continues
- Engaged blockchain security firms to trace stolen funds
- Coordinated with centralized exchanges and law enforcement to freeze associated addresses
The FBI, CISA, and Treasury's OFAC have all issued guidance on protecting crypto assets from DPRK-linked threat actors. Organizations in the crypto sector managing significant on-chain liquidity should treat DPRK threat actor profiles as mandatory risk management reading.
Key Takeaways
- North Korean state-sponsored hackers continue to target the crypto industry at scale — the $290M theft is consistent with DPRK's documented operational pattern
- The April 2026 campaign targeted multiple prominent platforms, suggesting coordinated operations across multiple DPRK-linked teams
- Modern DPRK crypto attacks increasingly target off-chain components (developer machines, key holders, HR processes) rather than on-chain bugs alone
- Organizations should assume sophisticated, patient adversaries — the Drift hack involved six months of in-person social engineering before execution
- Response time is critical: rapid coordination with exchanges can freeze stolen funds before laundering is complete
Source: The Record — Crypto infrastructure company blames $290 million theft on North Korean hackers