North Korea Dismisses US Crypto Crime Accusations as Washington Cites $6.75 Billion in Documented Theft
Pyongyang called US allegations of state-sponsored cyber crime "absurd slander" on May 3, 2026, even as blockchain analytics firms including Chainalysis and TRM Labs estimate that North Korean-linked hackers stole approximately $6.75 billion in cryptocurrency through end-2025.
A North Korean Foreign Ministry spokesperson rejected Washington's claims on Sunday, saying the US was fabricating a "nonexistent cyber threat" for political purposes. The statement also warned that Pyongyang would "actively take all necessary measures" to defend its interests in cyberspace. The denial came weeks after fresh US Treasury sanctions in March 2026 and a Justice Department sentencing in April tied to a North Korean IT worker infiltration scheme targeting American companies.
The US government's case is backed by a growing body of on-chain evidence. In March 2026, the Treasury Department's Office of Foreign Assets Control (OFAC) designated six North Korean individuals and two entities connected to IT worker fraud, citing roughly $800 million in revenue generated for Pyongyang's weapons programmes in 2024 alone. That designation included 21 cryptocurrency addresses spanning multiple blockchains. Separately, two American nationals were sentenced in April 2026 for placing North Korean workers on the payrolls of more than 100 US companies, including Fortune 500 firms and a defence contractor, by concealing their identities, posing national security risks in the process.
The scale of North Korea's crypto operations dwarfs typical cybercrime. According to Chainalysis, North Korean actors stole $2.02 billion in cryptocurrency in 2025, a 51 percent increase over the prior year, and accounted for 76 percent of all service-level exchange breaches globally that year. The largest single incident was the February 2025 theft of approximately $1.5 billion in ether from Dubai-based exchange Bybit, which the FBI attributed to the Lazarus Group, North Korea's best-known state-linked hacking unit. Attackers compromised Safe{Wallet}, a third-party multisig wallet provider, through social engineering, stealing AWS session tokens and bypassing MFA controls. They then manipulated what Bybit employees saw on screen during transaction approvals, redirecting funds to attacker-controlled wallets.
According to CoinDesk and TRM Labs, roughly 85 percent of those stolen funds were laundered through THORChain, a decentralised cross-chain swap protocol with no identity verification requirements. The laundering route has drawn sustained scrutiny: a THORChain developer resigned amid the controversy in early 2025, and protocol operators have consistently refused to freeze or reject DPRK-linked transactions despite FBI requests.
North Korea's 2026 activity has continued at pace. Two attacks in April alone pushed its year-to-date total to $577 million, again representing 76 percent of all crypto hack value globally for the year. On April 1, attackers drained $285 million from Drift Protocol, a Solana-based decentralised trading protocol, in roughly 12 minutes across 31 withdrawals. TRM Labs attributed the attack to a North Korean group separate from TraderTraitor and noted three weeks of on-chain staging and months of social engineering against protocol signers before the theft was executed. Investigators also found that attackers exploited Solana's durable nonce feature in combination with a zero-timelock Security Council migration executed on March 27, demonstrating a shift toward targeting governance-layer vulnerabilities rather than smart-contract code alone.
Two weeks later, on April 18, approximately $292 million in a liquid restaking token called rsETH was stolen from KelpDAO after attackers compromised internal RPC nodes via a DDoS attack and exploited the platform's single-verifier bridge design. Arbitrum's Security Council froze $75 million of those funds, but $175 million had already been converted to bitcoin and routed primarily through THORChain. On-chain investigators traced attacker funding to Wu Huihui, a Chinese crypto broker indicted in 2023 for laundering Lazarus proceeds, confirming that Chinese broker networks remain a core part of Pyongyang's cash-out infrastructure.
The impact extends well beyond the United States. In India, approximately 16 million users of WazirX, then the country's largest crypto exchange, had their balances frozen after a July 2024 Lazarus Group attack stole $234.9 million from the platform. WazirX did not resume operations until October 2025, returning roughly 85 percent of user funds after a restructuring process. The breach rattled retail confidence in crypto across one of the world's largest user markets by population. North Korean IT workers have also been physically deployed to African countries including Nigeria, Tanzania, Equatorial Guinea, and Guinea, according to UN monitoring reports, embedding operatives in local technology sectors. A January 2026 US State Department bulletin separately warned that IT worker operations extended across Vietnam, Laos, and the broader Asia-Pacific region.
According to compliance analysts, exchanges across South Asia and Africa that operate with lighter identity verification infrastructure face secondary exposure under US OFAC rules if their systems processed transactions connected to stolen funds without detection.
"North Korean state-sponsored hackers steal and launder money to fund the regime's nuclear weapons program," the US Treasury stated in a 2025 OFAC statement. The FBI, in its public advisory on the Bybit attack, warned that actors were "proceeding rapidly" to disperse assets "across thousands of addresses on multiple blockchains."
North Korea's statement did not address any specific on-chain attribution findings. Its Foreign Ministry framed the entire subject as a violation of sovereignty: "It is our consistent policy position to thoroughly oppose and reject any impure attempt to use cyber issues as a political tool for violating sovereignty and interfering in internal affairs."
Regulators are unlikely to ease pressure. Compliance analysts expect the combined US and UN crackdown on DPRK-linked flows to accelerate global compliance requirements for virtual asset service providers. The threat landscape is also evolving at the operator level: as of April 2026, the Lazarus Group has been observed running a macOS-targeting campaign dubbed "Mach-O Man," using fake meeting invitations and ClickFix social engineering to target cryptocurrency and fintech executives directly. For markets like India, where crypto legislation remains unsettled, and Nigeria, where crypto-related capital controls remain a live issue, increased international scrutiny of DPRK-linked flows could accelerate stricter local compliance frameworks regardless of how Pyongyang characterises the accusations.