North Korea-Linked Crypto Theft Hit $2.02B in 2025, Up 51% Y/Y: CrowdStrike
CrowdStrike's 2026 Financial Services Threat Landscape Report reveals that North Korea-linked hackers stole $2.02 billion in cryptocurrency in 2025, a 51% increase from 2024. The report highlights the Democratic People's Republic of Korea (DPRK) as a key threat to crypto and fintech firms, with stolen funds allegedly supporting military programs.
North Korean threat actors increasingly leveraged AI, with FAMOUS CHOLLIMA doubling activity through AI-generated identities to infiltrate crypto exchanges, fintech firms, and retail banks. STARDUST CHOLLIMA used AI-created recruiter profiles and fabricated video meeting environments to target fintech companies across North America, Europe, and Asia. Adam Meyers, head of counter adversary operations at CrowdStrike, noted that AI makes threats harder to stop, with near-zero cost for creating convincing identities and automating reconnaissance.
Additionally, ransomware and espionage intensified, with 423 financial services victims on leak sites (27% annual increase) and hands-on-keyboard intrusions rising 43% globally. By Q1 2026, financial services became the fourth-most-targeted sector, accounting for 12% of all recorded activity. TRM Labs linked DPRK groups to $577 million in stolen funds from Drift Protocol and KelpDAO through April, though North Korea rejected the claims via KCNA.
Key facts
- North Korea-linked hackers stole $2.02B in crypto in 2025, up 51% from 2024.
- DPRK groups increasingly used AI for identity generation and infiltration.
- Financial services victims on leak sites rose 27% annually to 423.
- Hands-on-keyboard intrusions spiked 43% globally in 2025.
- By Q1 2026, the financial sector was the fourth-most-targeted at 12% of activity.