North Korea Captures 60% of 2025 Crypto Losses via Physical Infiltration
When state-sponsored actors shift from remote hacks to physical infiltration, the entire security model underpinning regulated tokenization infrastructure needs to be rebuilt from the inside out.
$2.06 billion. That is the amount North Korea-linked operatives stole from the crypto industry in 2025, according to CertiK's Skynet analysis [1]. That figure represents roughly 60% of every dollar lost across the entire sector that year [1]. The Bybit hack alone exceeded $1.5 billion [2]. One incident. One target. More money than most sovereign wealth funds deploy in a single quarter into alternative assets. These are not rounding errors. They are a signal about what state-sponsored financial crime looks like in 2025 and what it means for every institution now building regulated tokenization infrastructure.
The Thesis
The security model underpinning tokenized finance was built to stop external attackers. Smart contract audits, multi-signature wallets, on-chain monitoring, cryptographic key management. All of it assumes the threat is outside the building. CertiK's findings document that the threat has moved inside. That changes the compliance calculus for every tokenization platform, custodian, and institutional allocator in the sector. The firms that price this correctly will earn regulatory trust. The ones that do not will face the consequences when the first confirmed insider breach hits a named tokenization middleware provider.
The Signal: What CertiK's Numbers Actually Say
CertiK is not a small research shop. The firm was founded by professors from Yale and Columbia and operates one of the largest Web3 security monitoring networks in the industry. When its Skynet analysis attributes $2.06 billion in 2025 crypto losses to North Korea-linked actors, that number carries weight [1].
The 60% figure is the part that deserves the most attention [1]. Total crypto losses across the sector in 2025 came to approximately $3.4 billion [1]. North Korea-linked groups accounted for more than half of that. This is not a case of one lucky exploit. CertiK documents a systematic, industrialized approach to crypto theft, with proceeds used to fund the DPRK's nuclear and ballistic missile programs [3].
The Bybit hack is the anchor data point. That single incident, widely attributed to North Korea-linked actors, exceeded $1.5 billion [2]. It is the largest single crypto theft on record. It was not accomplished by guessing passwords or exploiting a smart contract bug. The attack vector involved social engineering and, according to reporting at the time, manipulation of internal approval workflows. That is a human problem, not a code problem.
CertiK's report documents a deliberate tactical evolution [1]. These groups have shifted away from remote exploits and phishing campaigns toward physical infiltration of target organizations. In plain terms, that means placing personnel inside firms. Getting people hired. Obtaining legitimate credentials. Then using those credentials to bypass every digital control the firm has built. The digital perimeter is no longer the perimeter.
The trend is not slowing. TRM Labs reports that in 2026, North Korean hackers have already accounted for 76% of all crypto hack value, achieved with just two attacks [4]. The concentration of capability is increasing, not decreasing.
Why the Old Security Model Breaks Here
Tokenization infrastructure has been built around a specific threat model. The assumption is that the attacker is external. They are trying to find a bug in a smart contract, intercept a transaction, or phish a private key out of an employee's inbox. The controls designed to stop that attacker are well understood. Smart contract audits from firms like CertiK or Trail of Bits. Multi-signature approval requirements that need several keyholders to authorize a transaction. On-chain monitoring that flags unusual activity in real time. Hardware security modules that store cryptographic keys in tamper-resistant physical devices.
These are all good controls. They are also largely irrelevant against a credentialed insider.
An employee with legitimate system access does not need to find a bug. They already have the keys, or access to the process that generates them. They do not need to intercept a transaction. They can initiate one. Multi-signature requirements can be defeated if the insider has cultivated relationships with multiple keyholders, or if they have manipulated the internal approval workflow before the transaction ever reaches the signing stage. On-chain monitoring flags anomalies. An insider who understands the monitoring thresholds can stay below them.
This is not hypothetical. The Bybit incident demonstrated exactly this failure mode at scale [2].
For firms building regulated tokenization infrastructure, the stakes are higher than for a typical crypto exchange. Tokenized securities are digital representations of real assets: bonds, fund shares, real estate interests, private credit instruments. The custody frameworks being built around these assets are designed to satisfy securities regulators, not just crypto-native compliance teams. The SEC, the OCC, and their equivalents in the UAE, UK, and EU have well-developed standards for custody of traditional securities. Those standards include insider threat programs, background verification, access tiering, and separation of duties.
Digital asset custodians are not yet held to the same bar. That gap will close. And when it does, firms that have not built a human security layer alongside their technical one will face regulatory exposure they are not prepared for.
The asset tokenization market has grown sharply. Recent data puts the market at $50.37 billion, up 170% [5]. The Bank of Korea projects the sector could reach $2 to $4 trillion by 2030 [5]. At that scale, a single confirmed insider breach at a named tokenization middleware provider, a Securitize, a Fireblocks, an Anchorage Digital, would not just hurt that firm. It would set institutional adoption back by years.
The Regulatory Exposure Nobody Is Talking About Yet
The regulatory conversation around digital asset custody has focused almost entirely on technical controls. Which cryptographic standards are acceptable. How keys should be stored. What on-chain audit trails are required. These are important questions. They are also the easier questions, because the answers are largely technical and auditable.
Insider threat is harder. It requires firms to ask uncomfortable questions about their own people. Who has access to what. How access is granted and revoked. What happens when an employee leaves. Whether background verification is rigorous enough to catch a state-sponsored actor who has been trained to pass it.
Traditional financial custodians, the BNY Mellons and State Streets of the world, have answered these questions for decades. They have compliance programs, separation of duties requirements, dual-control procedures, and regular audits of access logs. These programs exist because regulators demanded them after insider fraud cases in traditional finance.
Digital asset custodians are operating in a gap. The technical controls are scrutinized. The human controls are not, at least not yet. CertiK's 2025 findings give regulators clear grounds to close that gap [1]. The SEC's ongoing work on digital asset custody guidance and the OCC's evolving posture on bank-held digital assets both represent potential vectors for new insider threat requirements.
The legal system is already responding in adjacent ways. A Manhattan federal judge recently cleared a path for Aave to move $71 million in ETH linked to a North Korea-connected exploit [6]. That case illustrates that courts are now actively engaging with the downstream consequences of state-sponsored crypto theft. Regulatory guidance is likely to follow.
Reputational exposure is immediate and does not wait for regulation. One confirmed insider breach at a tokenization platform handling regulated securities would generate headlines that no compliance team wants to manage. Institutional allocators who have underwritten that platform's operational controls would face questions from their own investors. The reputational contagion would spread well beyond the breached firm.
Who Should Care and What They Should Do
Three roles face the most direct exposure from this shift.
If you are a tokenization platform founder: your next security review needs a human layer, not just a code layer. Smart contract audits are necessary. They are not sufficient. Background verification for anyone with access to key management systems should be rigorous and ongoing, not a one-time onboarding checkbox. Access tiering should be strict. The number of people who can touch private keys or approval workflows should be as small as operationally possible. Hardware-enforced key management, where cryptographic keys are stored in tamper-resistant physical devices that cannot be exported, should be baseline infrastructure, not a premium option. Zero-trust architecture, where no user or system is trusted by default even inside the organization, should be the design principle, not an aspiration.
If you are an institutional allocator underwriting tokenization infrastructure: insider threat risk belongs in your operational due diligence checklist. Today, most ODD frameworks for tokenization platforms focus on smart contract risk, custody counterparty risk, and regulatory licensing. Those are the right questions. Add one more category: human access controls. Ask to see the insider threat policy. Ask how access is granted and revoked. Ask what the separation of duties looks like for key management. If the platform cannot answer these questions clearly, that is a data point about operational maturity.
If you are a compliance officer at a digital asset custodian: your regulators will ask about this. An insider threat policy that predates CertiK's 2025 findings is already behind the curve [1]. Get ahead of it. Document your controls. Map your access tiers. Run a tabletop exercise that assumes the attacker already has legitimate credentials. The firms that do this proactively will be in a better position when the regulatory guidance arrives than the ones who wait to be asked.
Counter-Narrative
The skeptic position is reasonable. Most crypto losses, even large ones, have historically been traced to smart contract bugs or phishing, not physical infiltration. CertiK's framing of a "deliberate tactical shift" toward physical infiltration may overstate the evidence. The Bybit hack involved social engineering of a software supply chain, which is a sophisticated remote attack, not an employee walking out with a USB drive. Critics would argue that the industry's existing technical controls, if properly implemented, are sufficient, and that the "insider threat" narrative creates unnecessary alarm that could slow institutional adoption by adding compliance costs that are not proportionate to the actual risk.
The rebuttal is simple: CertiK's Skynet data shows North Korea-linked actors accounting for 60% of all 2025 crypto losses [1], and TRM Labs shows that figure rising to 76% in 2026 with just two attacks [4]. The concentration and scale of these losses, combined with documented use of fake employee identities by DPRK-linked groups in prior FBI advisories, makes the insider threat vector a documented pattern, not a hypothetical. The cost of not building human controls is already visible in the loss data.
What to Watch Next
Three specific triggers will tell you whether the industry is actually pricing this in.
First, watch for a Tier 1 custodian to publicly update or publish an insider threat policy that directly references the 2025 infiltration pattern. BNY Mellon's digital asset arm, Anchorage Digital, or Fireblocks would be the most significant signal. A public policy update from any of these firms would indicate that institutional-grade operators are treating this as a compliance requirement, not just a security concern.
Second, watch for the SEC or OCC to reference physical infiltration or insider threat risk in upcoming digital asset custody guidance. The evidentiary record from 2025 is now strong enough to support regulatory action. If either agency cites CertiK's findings or the Bybit incident in formal guidance, it accelerates the compliance timeline for every digital asset custodian operating under US jurisdiction.
Third, watch the Bybit hack investigation for public findings about how access was obtained. If confirmed insider access is part of the final attribution, it removes the last argument for treating this as a remote-attack problem. That confirmation would accelerate every timeline above and likely trigger immediate responses from compliance teams at regulated tokenization platforms.
The question worth sitting with: if the attack surface has moved from code to people, how many tokenization firms have actually built for that?