CrowdStrike reported on May 14, 2026, that North Korea-linked cyber actors stole an estimated $2.02 billion in digital assets during 2025, a 51% year-over-year increase and the highest annual total recorded for those operations. The firm said cumulative losses tied to DPRK-nexus activity have reached about $6.75 billion.
The surge reflects a more industrialized operating model. CrowdStrike described adversaries using AI-powered deception to lower the cost of identity fraud, reconnaissance and credential theft, compressing the time between initial access and asset exfiltration.
AI Raises the Speed and Scale of Crypto Theft
The largest single incident was attributed to PRESSURE CHOLLIMA, which CrowdStrike said stole $1.46 billion in cryptocurrency through trojanized software distributed via a supply-chain compromise. That one event accounted for most of the annual total and is the largest financial theft the firm has reported.
CrowdStrike also identified other North Korea-aligned clusters as increasingly adaptive. GOLDEN CHOLLIMA, FAMOUS CHOLLIMA and STARDUST CHOLLIMA were described as using tactics such as recruitment lures, AI-generated identities and fabricated video-conference environments, showing a broader shift from isolated hacks to repeatable intrusion pipelines.
Adam Meyers, CrowdStrike's head of Counter Adversary Operations, warned that defenders now face a shorter response window because adversaries are using AI to move through trusted paths faster than legacy systems can react. His core message: defenders must meet AI with AI by pairing intelligence, detection and proactive hunting.
Exchanges and Custodians Face Higher Operational Risk
The report sharpens the risk profile around supply-chain compromise, identity abuse and cloud-environment intrusion. Larger, AI-augmented campaigns increase the probability of single-event losses large enough to affect liquidity, counterparties and client confidence.
Firms managing digital assets should prioritize AI-enabled detection, automated containment, stronger counterparty screening and rapid asset-freeze coordination to reduce the time between compromise and intervention.
A single breach can move hundreds of millions or more through laundering paths, creating mark-to-market, settlement and reputational risk for firms connected to compromised venues or wallets.
CrowdStrike’s findings make North Korea-linked cyber activity a continuing infrastructure-level concern for crypto markets. The practical takeaway is that custody, monitoring and incident response must now be designed for AI-accelerated attacks, not only conventional phishing or manual intrusion campaigns.