Did CertiK name any specific exchanges or coins affected?

No. The public summary flagged by Crypto Briefing does not name specific victim firms or tokens. CertiK frames the activity at the program level, tied to broader DPRK-linked operations rather than a single incident.

What does 'physical infiltration' mean in this context?

It refers to North Korean operatives embedding themselves inside crypto firms under false identities, typically as remote developers or contractors, to gain insider access to systems, keys, or funds. It contrasts with purely remote cyber intrusion.

Has this happened before?

Yes. The US Treasury and South Korean authorities have warned for at least two years that DPRK IT workers were using fake identities to land jobs at Western tech and crypto firms. CertiK's report extends that pattern and ties it to the laundering pipeline.

Should holders of any specific token be concerned?

No specific token was named. The structural risk sits at the firm level, particularly for exchanges, custodians, and protocols with weak contractor vetting, rather than at the token level.

CertiK Says North Korea Laundered Billions in Stolen Crypto, Now Pivoting to Physical Infiltration

CertiK said on Wednesday that North Korean state-linked actors have laundered billions of dollars in stolen cryptocurrency over the past several years and are now shifting tactics toward physical infiltration of crypto firms, according to a report flagged by Crypto Briefing. The security firm characterized the change as a maturation of a state-sponsored campaign that has already drained funds from exchanges, bridges, and DeFi protocols. CertiK framed the move to in-person operations as an escalation, not a substitute, for the cyber playbook that has defined groups like Lazarus.

By Rahul Mehta· Altcoins & DeFi

What happened

CertiK published findings on Wednesday claiming that North Korean state-linked threat actors have moved billions of dollars worth of stolen cryptocurrency through laundering channels, and are now expanding beyond pure cyber intrusion into physical infiltration of crypto-native firms. Crypto Briefing first surfaced the report. The security firm did not name specific victim companies in the public summary, but it tied the activity to the broader DPRK cyber program that has been linked to Lazarus Group operations against exchanges and cross-chain bridges since at least 2022.

CertiK's framing is blunt: the laundering pipelines that washed funds from past hacks are still operational, and the human-side attack surface is widening. Crypto Briefing's writeup describes infiltration tactics that include placing operatives inside firms under fake identities, a pattern that has already drawn warnings this cycle from the US Treasury and South Korean authorities.

Why it matters

For years, the crypto industry treated DPRK exposure as a code problem. Audit the bridge, harden the multisig, sanction the mixer. CertiK's read is that the threat model now includes the person you just onboarded as a Solidity contractor.

That changes who owns the risk. It moves out of the security team's threat-intel queue and into HR, legal, and operations. The billions figure also matters because it directly contradicts the narrative that sanctions, mixer takedowns, and stablecoin issuer freezes have throttled DPRK monetization.

They've slowed it. They haven't stopped it. If a state actor can still cash out at scale and is now expanding the attack surface, every firm holding customer assets has to revisit assumptions about insider threat that the industry has been quietly skipping.

CertiK Says North Korea Laundered Billions in Stolen Crypto, Now Pivoting to Physical Infiltration

What happened

Why it matters

Market impact

What to watch

Disclaimer

Key takeaways

Frequently asked

Sources