Threat actors from DPRK are still one of the top risks for crypto. Nearly a year after the record-breaking Bybit hack, North Korean hackers are evolving their tactics.
DPRK hackers are still a threat to crypto, and they may be adding new approaches to infiltration. A year after the record-breaking Bybit hack, similar operations continue on a smaller scale.
Recent research by Elliptic found that the DPRK crypto asset operations continued, despite the bear market, with no signs of slowing down. The main attack vector was social engineering and various forms of infiltration.
The main difference is that DPRK hackers now move beyond simply infiltrating IT and crypto projects and create their own platforms. This approach was the main cause of the Tenexium incident, which directly hurt all users who connected their wallets.
As Cryptopolitan reported, hackers were also becoming more efficient and faster in moving and laundering their crypto hauls.
Bybit hack was an inflexion point for DPRK hackers
A year after the Bybit hack, almost all the funds have been laundered, with the exception of a small fraction that was intercepted. Elliptic noted the hackers used novel laundering tactics, including the strategic use of refund addresses, the creation of worthless tokens, and the diversified use of mixing services.
Over $1B of the Bybit funds were laundered in just six months, and that mixing toolset created an inflection point for DPRK hackers and their campaigns.
The hackers did not rest after the record-breaking windfall, but continued with an elevated pace for all of 2025. Elliptic tallied up $2B in DPRK hacks for 2025, and total exploits could be over $6B. The funds may be playing a role in North Korea’s nuclear weapons and missile programs, giving hackers a strong motivation to continue.
According to Elliptic, the trend continued in 2026, with double the number of exploits compared to January 2025.
While the DPRK hacks are technically sophisticated, they also rely on social engineering and human error.
Are DPRK hackers launching crypto products?
Elliptic reported the case of Tenexium, a project built within the Bittensor (TAO) network. The Tenexium project caused chaos on January 1, becoming the first hack for 2026.
Tenexium used the usual approach to building a permissionless project as part of Bittensor’s ecosystem. The relatively minor project still attracted liquidity, but at one point, the website disappeared, and the project market experienced suspicious outflows of $2.5M.
Tenexium was supposed to be a neutral trading protocol, but it turned out some of the project’s team may be made up of DPRK hackers posing as IT workers. What was different this time was that the DPRK IT persona may be the very founder of the project.
The identity of Tenexium’s creator has not been confirmed. However, the case raises the issue of smaller DeFi projects, vaults, and copycat permissionless apps. As Web3 tools are still alive, hackers may directly try to tap end users with poisoned apps, meme tokens, or other new launches. The best approach is to vet teams and platforms or use the more established DeFi hubs.