North Korean Hackers Pivot: From Stealing Crypto to Launching Their Own Platforms

State-sponsored cyber operatives have executed a chilling strategic shift—they're no longer just raiding digital vaults. They're building their own.

The New Playbook: From Infiltration to Creation

Forget simple exchange hacks. The latest intelligence reveals a sophisticated evolution in tactics. Instead of just exploiting existing platforms, these groups are now designing, launching, and operating entire crypto ecosystems from the ground up. It's a move that bypasses traditional security perimeters and embeds malicious infrastructure directly into the financial bloodstream.

Why Build When You Can Steal? Control.

Running your own platform offers something a one-time heist never can: sustained revenue, deeper access to user networks, and a veneer of legitimacy. It's a long-game strategy that turns a smash-and-grab into a permanent, profit-generating operation. Think of it as moving from bank robbery to founding your own, slightly less reputable, financial institution.

The implications are profound for security teams and regulators. The attack surface just expanded exponentially. It's no longer about defending a perimeter; it's about vetting the foundation of every new platform vying for user funds. Due diligence just became the most critical—and most cynical—skill in crypto. After all, in a market that often rewards hype over substance, a well-funded platform with opaque origins might just be the next 'moonshot' before it's the next headline-making collapse.

Bybit hack was an inflexion point for DPRK hackers

A year after the Bybit hack, almost all the funds have been laundered, with the exception of a small fraction that was intercepted. Elliptic noted the hackers used novel laundering tactics, including the strategic use of refund addresses, the creation of worthless tokens, and the diversified use of mixing services. 

Over $1B of the Bybit funds were laundered in just six months, and that mixing toolset created an inflection point for DPRK hackers and their campaigns. 

The hackers did not rest after the record-breaking windfall, but continued with an elevated pace for all of 2025. Elliptic tallied up $2B in DPRK hacks for 2025, and total exploits could be over $6B. The funds may be playing a role in North Korea’s nuclear weapons and missile programs, giving hackers a strong motivation to continue. 

According to Elliptic, the trend continued in 2026, with double the number of exploits compared to January 2025. 

While the DPRK hacks are technically sophisticated, they also rely on social engineering and human error. 

Are DPRK hackers launching crypto products? 

Elliptic reported the case of Tenexium, a project built within the Bittensor (TAO) network. The Tenexium project caused chaos on January 1, becoming the first hack for 2026. 

Tenexium used the usual approach to building a permissionless project as part of Bittensor’s ecosystem. The relatively minor project still attracted liquidity, but at one point, the website disappeared, and the project market experienced suspicious outflows of $2.5M. 

Tenexium was supposed to be a neutral trading protocol, but it turned out some of the project’s team may be made up of DPRK hackers posing as IT workers. What was different this time was that the DPRK IT persona may be the very founder of the project.

The identity of Tenexium’s creator has not been confirmed. However, the case raises the issue of smaller DeFi projects, vaults, and copycat permissionless apps. As Web3 tools are still alive, hackers may directly try to tap end users with poisoned apps, meme tokens, or other new launches. The best approach is to VET teams and platforms or use the more established DeFi hubs.

Want your project in front of crypto’s top minds? Feature it in our next industry report, where data meets impact.