VERSE PRESS

North Korea Calls US Crypto Theft Accusations "Absurd Slander" as On-Chain Evidence Mounts

By Verse Press Research Desk | May 4, 2026 | Crypto Policy and Web3 Security

North Korea's Foreign Ministry rejected US accusations of state-sponsored cryptocurrency theft on May 4, 2026, calling them "absurd slander" in a statement carried by state media outlet Korean Central News Agency (KCNA). The denial comes as blockchain intelligence firms Chainalysis and TRM Labs have independently traced more than $6.75 billion in crypto theft since 2017 to North Korean operatives, with $577 million stolen in the first four months of 2026 alone.

The Denial and What It Contradicts

Pyongyang's Foreign Ministry accused Washington of running a politically motivated smear campaign. "The United States is trying to spread a distorted perception of our country by using government agencies, compliant media outlets and plot-making organizations to talk about a nonexistent cyber threat from us," the ministry said, according to UPI. The ministry also stated its position directly: "It is our consistent policy position to thoroughly oppose and reject any impure attempt to use cyber issues as a political tool for violating sovereignty and interfering in internal affairs."

The denial contradicts a substantial body of forensic blockchain analysis. The FBI formally attributed the February 2025 theft of approximately $1.5 billion in Ethereum from exchange Bybit to a North Korean group it calls TraderTraitor, also known as the Lazarus Group and designated APT38 in some government and policy documents. That attack was the largest crypto heist in history at the time. Bybit CEO Ben Zhou confirmed on March 20, 2025, according to reporting by Chainalysis and Elliptic, that attackers converted roughly 86 percent of the stolen ETH into Bitcoin as part of their laundering process.

Two Major Attacks in April 2026

North Korean operatives did not slow down after Bybit. TRM Labs attributed two additional large-scale thefts to the same threat cluster in April 2026. On April 1, hackers drained $285 million from Drift Protocol by exploiting a feature of the Solana blockchain called durable nonces, a signing mechanism that allows transactions to be prepared in advance. Blockchain records show the attackers spent more than three weeks conducting on-chain preparation before executing the theft.
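For monitoring teams, durable-nonce use is visible on-chain: such a transaction carries a System Program AdvanceNonceAccount instruction as its first instruction, and because it does not expire with a recent blockhash it can be signed well before it is submitted. The following is an added example, not code from the original report or from any firm it cites; the transaction layout is a simplified decoded form, and every account name, signature and the `WATCHED` set are constructed placeholders.

```python
import struct

SYSTEM_PROGRAM = "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4  # SystemInstruction variant index, encoded as u32 little-endian

def durable_nonce_info(tx):
    """Return (nonce_account, nonce_authority) if tx is a durable-nonce transaction."""
    ixs = tx.get("instructions", [])
    first = ixs[0] if ixs else {}
    data, accounts = first.get("data", b""), first.get("accounts", [])
    if first.get("program_id") != SYSTEM_PROGRAM or len(data) < 4 or len(accounts) < 3:
        return None
    if struct.unpack_from("<I", data)[0] != ADVANCE_NONCE_ACCOUNT:
        return None
    # Account order: nonce account, RecentBlockhashes sysvar, nonce authority.
    return accounts[0], accounts[2]

def flag_durable_nonce_use(txs, watched):
    """List durable-nonce transactions whose later instructions touch watched accounts."""
    alerts = []
    for tx in txs:
        info = durable_nonce_info(tx)
        if info is None:
            continue
        touched = {a for ix in tx["instructions"][1:] for a in ix.get("accounts", [])}
        hits = sorted(touched & watched)
        if hits:
            alerts.append({"signature": tx["signature"], "nonce_account": info[0],
                           "nonce_authority": info[1], "watched": hits})
    return alerts

# Constructed sample data: every name below is a placeholder, not a real address.
ADVANCE = struct.pack("<I", ADVANCE_NONCE_ACCOUNT)
TRANSFER = struct.pack("<IQ", 2, 1_000)  # SystemInstruction::Transfer, 1000 lamports
WATCHED = {"ADMIN_MULTISIG_PLACEHOLDER"}
SAMPLE_TXS = [
    {"signature": "sig-A", "instructions": [
        {"program_id": SYSTEM_PROGRAM, "data": ADVANCE,
         "accounts": ["NONCE_ACCT_1", "SYSVAR_RECENT_BLOCKHASHES", "AUTHORITY_1"]},
        {"program_id": "PROTOCOL_PROGRAM_PLACEHOLDER", "data": b"\x01",
         "accounts": ["ADMIN_MULTISIG_PLACEHOLDER", "VAULT_PLACEHOLDER"]}]},
    {"signature": "sig-B", "instructions": [  # ordinary transfer touching a watched account
        {"program_id": SYSTEM_PROGRAM, "data": TRANSFER,
         "accounts": ["ADMIN_MULTISIG_PLACEHOLDER", "USER_1"]}]},
    {"signature": "sig-C", "instructions": [  # durable nonce, nothing watched
        {"program_id": SYSTEM_PROGRAM, "data": ADVANCE,
         "accounts": ["NONCE_ACCT_2", "SYSVAR_RECENT_BLOCKHASHES", "AUTHORITY_2"]},
        {"program_id": SYSTEM_PROGRAM, "data": TRANSFER, "accounts": ["USER_2", "USER_3"]}]},
]
ALERTS = flag_durable_nonce_use(SAMPLE_TXS, WATCHED)
```

Only `sig-A` is reported: it combines a durable nonce with an instruction that touches a watched account, which is the combination worth routing to a human reviewer.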

On April 18, KelpDAO and the LayerZero cross-chain bridge lost $292 million after attackers compromised a single bridge verifier node, a component that confirms transactions between different blockchains. Investigators say the attackers first disabled internal RPC (Remote Procedure Call) nodes using a distributed denial-of-service attack before exploiting the verifier. Roughly $75 million of those funds were frozen on the Arbitrum Layer 2 network through rapid coordination between security teams. Approximately $175 million was converted to Bitcoin through THORChain, a decentralized exchange that processes cross-chain swaps without identity verification requirements.

Together, these two April attacks contributed to $577 million in total DPRK-linked theft through April 2026, a figure that represents 76 percent of all crypto hack losses globally across that period, according to TRM Labs.

The Laundering Playbook

Researchers at TRM Labs and Chainalysis have documented a consistent laundering pattern across DPRK-linked heists. In the first five days after a theft, activity on decentralized finance protocols surges roughly 370 percent and use of cryptocurrency mixing services increases by 135 to 150 percent. Between days six and ten, funds shift toward exchanges with limited identity verification requirements, with limited-KYC exchange usage rising approximately 37 percent and centralized exchange activity increasing around 32 percent. By the end of a roughly 45-day cycle, no-KYC exchange usage surges approximately 82 percent and Chinese-language platform activity rises around 45 percent, before funds reach final liquidation through Chinese intermediary networks.

THORChain has appeared as a central piece of infrastructure across the Bybit, Drift, and KelpDAO incidents. The protocol's governance has faced pressure from the wider crypto security community to implement sanctions screening. As of publication, no confirmed governance vote or formal public resolution adopting such controls has been recorded, though the debate within the THORChain community remains active.

North Korea's IT Worker Scheme: A Parallel Threat Vector

Beyond direct exchange hacks, North Korean operatives have deployed a parallel revenue stream through fraudulent IT employment. Investigators have identified 29 so-called laptop farm operations across 16 US states, in which North Korean nationals or their proxies pose as remote software developers to gain employment at technology companies. More than 136 US companies have been affected. The scheme carries direct operational risk for Web3 developers in South Asia working for international firms: social engineering tactics used in the IT worker scheme closely mirror the initial access techniques documented in the Bybit and KelpDAO incidents. Developers onboarding new remote contractors or open-source contributors to cross-chain projects represent a specific target population.

Why This Matters Outside the United States

For developers and exchanges in South Asia and Africa, this story carries direct operational relevance. In India, regulators have implemented the FATF Travel Rule with no minimum transaction threshold, meaning all crypto transfers on licensed platforms must carry sender and recipient information. The Finance Bill 2025 expanded the definition of regulated digital assets starting April 1, 2026, which tightens the potential for using Indian exchanges as laundering intermediaries.

However, India's crypto oversight remains split across multiple regulators including the Financial Intelligence Unit, the Reserve Bank of India, and SEBI, with no single coordinating authority. Security researchers warn that this fragmentation creates potential gaps that sophisticated state-level actors can exploit.

Across Africa, exchanges processing stablecoin volumes without robust on-chain monitoring face particular exposure. FATF's June 2025 compliance update flagged persistent gaps in virtual asset service provider regulation across emerging markets. The precedent of Huione Pay, a Cambodian payment processor that handled millions in DPRK-linked funds before US pressure forced its delicensure, applies directly to similar fintech infrastructure operating in Nigeria, Kenya, and Ghana.

Regional media coverage of the KelpDAO attack, including reporting by PhotoNews Pakistan, reflects growing awareness across South Asia of the direct exposure these incidents create for local platforms and developers.

Exchange operators in South Asia and Africa can access near-real-time intelligence through the Beacon Network, a consortium of more than 30 major exchanges including Binance and Coinbase that enables cross-platform alerts for DPRK-linked fund flows. Coordination with Beacon Network participants represents a practical first step for compliance teams at regional platforms seeking to identify tainted funds before they are processed.

Web3 developers building cross-chain applications in both regions should note that the KelpDAO attack succeeded not through user error but through a single point of failure at the protocol level. According to TRM Labs, security audits that assess bridge verifier design and the use of durable nonces are now a practical minimum for any multi-chain project.

What Comes Next

The US Justice Department has secured five guilty pleas and more than $15 million in civil forfeitures tied to North Korean IT worker fraud and crypto theft schemes. In March 2026, the Treasury's Office of Foreign Assets Control sanctioned six individuals and two entities for facilitating those operations, including a Vietnam-based facilitator who converted roughly $2.5 million into crypto for the regime.

North Korea's denial changes nothing about the evidentiary record, but it does signal that Pyongyang views the international pressure campaign as a reputational threat worth contesting publicly. With cumulative DPRK crypto theft now exceeding $6.75 billion, and 2025 alone producing a 51 percent year-over-year increase in stolen funds alongside a 74 percent reduction in the number of known attacks, the threat picture points toward fewer but far more sophisticated and high-value operations. The trajectory suggests the attacks will continue regardless of diplomatic posturing in either direction.