North Korean operatives stole $2 billion last year—and financial firms are the next target

Scoopico
Last updated: May 14, 2026 12:24 pm
Published: May 14, 2026

North Korea’s army of cyber operatives stole a record $2 billion in digital assets last year, fueled by the largest financial theft ever reported—$1.46 billion stolen in a single operation from crypto exchange Bybit. 

The attackers pulled off the heist by compromising a software developer’s laptop at a third-party platform the Dubai-based Bybit relied on, and then stealing the developer’s credentials and ultimately draining the assets from the exchange, according to the FBI. 

That $1.46 billion payload was the most spectacular strike in what turned out to be a record 2025. North Korea-linked cyber groups stole a combined $2.02 billion last year, up 51% year-over-year, according to a new CrowdStrike report shared with Fortune ahead of its release on Thursday. The stolen billions were almost certainly laundered and will be used to fund the regime’s military and nuclear weapons programs, the 2026 Financial Services Threat Landscape Report states. 

With the success of 2025 in the rear view, operatives from the Democratic People’s Republic of Korea (DPRK) are zeroing in on the financial services industry, CrowdStrike found. The latest findings, which cover activity observed from April 2025 through March 2026, reveal that North Korean adversaries have become the most prevalent state-sponsored intrusion threat facing financial firms, consumer banks, and related providers in the financial services sector. 

The percentage of hands-on-keyboard break-ins, meaning real human attackers inside a financial institution’s network, grew 43% globally and 48% in North America over the past two years, CrowdStrike reported. Financial services jumped from being the sixth most-targeted sector in the first quarter of 2025 to the fourth most-targeted in the first quarter of 2026 behind tech, consulting and professional services, and manufacturing.

And the DPRK’s tried-and-true scheme involving North Korean IT workers pretending to be American job seekers doubled the volume of its attacks in 2025, according to CrowdStrike, making it the most active North Korea-linked form of attack the firm tracks. The IT worker operation, in which thousands of North Korean men trained in software development are stationed in China, Russia, and other locations, functions by using American identities to land remote tech jobs at American and European companies. 

The scheme has been so successful that law enforcement has created a joint FBI-National Security Division task force to disrupt the operations and has dealt a series of harsh prison terms to American accomplices who have willingly aided the North Koreans.

A Nashville laptop farm and New York recruiting front

Generally, the IT workers running the employment scam fabricate résumés and software development profiles using stolen identities to appear legitimate—or they recruit American accomplices to rent out their names to the workers in exchange for quick cash and sometimes a recurring cut of the proceeds. The IT workers take their salary, often earned doing real work, and then send most of the money back to the DPRK where authoritarian ruler Kim Jong-Un uses it to fund the country’s nuclear weapons program. In some cases, the IT operatives share intelligence with the DPRK’s malicious hacking army to help steal data or organize additional theft. 

This month, two American men were sentenced to 18 months in federal prison each for operating “laptop farms” and helping North Korean IT workers get remote jobs at nearly 70 American companies in separate schemes that generated more than $1.2 million for the DPRK. The term laptop farm refers to the setups the accomplices create after fraudulently accepting laptops from companies and installing software and remote desktop applications to shield the IT workers’ identities and help funnel their salaries.

Matthew Isaac Knoot ran a laptop farm out of his Nashville home between July 2022 and August 2023, court records show, and helped the North Korean scheme with jobs at four companies that paid more than $250,000 for IT work. Most of the money was reported to the IRS and Social Security Administration in the name of a real person whose identity was stolen. Knoot helped transfer the salary to accounts outside the U.S. and into accounts associated with North Korean and Chinese operatives, the DOJ said. 

In addition to 18 months in prison, Knoot was ordered to pay $15,100 in restitution to victim companies and forfeit another $15,100, which is what the DPRK IT workers paid him for his help in the scheme. 

A New York man, Erick Ntekereze Prince, was also sentenced to 18 months for laptop farming. Prince pleaded guilty to wire-fraud conspiracy and was ordered to forfeit the $89,000 DPRK IT workers paid him. According to authorities, Prince worked in the scheme from June 2020 through August 2024 and used his recruiting firm, Taggcar Inc., to direct “certified” IT workers to U.S. companies. He also kept U.S. company laptops at his New York home and installed remote access software so the IT workers could appear as though they worked from his residence.

The DOJ said Prince was part of a scheme that, in total, obtained work from 64 U.S. companies that paid more than $943,069 in salary payments. Four others were charged in the scheme, including Emanuel Ashtor and Pedro Ernesto Alonso de los Reyes. Ashtor awaits trial and de los Reyes is in custody in the Netherlands, authorities said. Two others charged, Jin Sung-il and Pak Jin-Song, are North Korean and remain at large. Ashtor’s lawyer did not immediately respond to a request for comment and de los Reyes could not be reached.

The Knoot and Prince sentencings bring the total number of Americans sent to prison for working as accomplices to at least nine since last year. 

‘Golden unicorns’

Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, said last year he investigated about one DPRK-related attack a day, and this year it’s closer to two. In the month of March 2025, CrowdStrike identified 33 insider threat operations linked to Famous Chollima, CrowdStrike’s term for the North Korean IT worker scheme. In March 2026, Meyers said CrowdStrike identified 45 operations. 

The IT workers strike opportunistically, said Meyers, so if there’s a job opening posted online, they’ll just go for it with the goal of getting as many jobs as possible. He described the operation as “high tempo, low sophistication.” However, the DPRK operatives have become highly skilled at appearing to recruiters as “golden unicorn” job applicants that are irresistible to hiring teams, he added. 

“Their job is to make revenue for the weapons program of North Korea,” said Meyers. “So they are going to do whatever they can in terms of finding jobs.”

The UN has pegged the DPRK’s IT worker revenue generation at $250 million to $600 million per year. The UN’s Multilateral Sanctions Monitoring Committee, which tracks DPRK sanctions violations and evasion tactics, revealed at its latest meeting in January that the scheme has now victimized 40 countries around the globe.  

The DPRK threat is compounded by the fact that traditional financial institutions, an increasingly prevalent target, have pushed further into digital asset services and crypto in recent years, an area North Korean operatives have deep experience working to exploit. 

In the fourth quarter of 2025 alone, a North Korea-linked group that CrowdStrike calls “Stardust Chollima” tripled the pace of its attacks, targeting at least 21 crypto and fintech firms across North America, Europe, and Asia in a single two-month period.

That scheme involved operatives impersonating recruiters and executive search consultants on LinkedIn and Telegram and then sending unwitting job-seeking targets standard technical coding tests laced with malware.

The attackers used AI to generate fabricated people and video-conference environments by using images and videos of real executives and offices to make job seekers believe the sham interviews, CrowdStrike found. 

The hard way

Meyers said traditional financial institutions should absorb the “hard lessons” the crypto industry has taken in—sometimes at enormous cost. 

“They need to make sure they follow best practices in terms of things like having cold storage versus hot storage,” Meyers said, referring to security protocols for offline digital assets versus connected wallets. “Making sure that you have multi-factor authentication, making sure that you have multiple control factors in place in terms of authorizing transfers” and steadfast defensive measures will help guard financial institutions. 

CrowdStrike’s report assessed that the DPRK cyber operations targeting consumer banks and other financial services firms will intensify through 2026, driven by international sanctions and the need to fund North Korea’s military and weapons programs. 

Meyers said protecting against the intrusions is a constant battle and as companies tighten their defenses, operatives will shift tactics. And then the cycle begins again. 

“It’s a constant battle to stop them from being successful,” said Meyers. “Companies really need to look at those lessons learned and make sure they’ve learned them—before they learn them the hard way.”
