North Korea does not usually respond to hack attributions.
They ignored the Bybit attribution in February 2025 when the US named Lazarus Group in connection with $1.5 billion in stolen Ethereum. They ignored the UN Security Council reports. They ignored the FBI’s TraderTraitor designations. They ignored years of blockchain forensics from Chainalysis, TRM Labs, and Elliptic documenting in granular detail exactly how their hackers moved stolen funds across chains.
On Sunday, a spokesperson for North Korea’s Foreign Ministry described US accusations of crypto theft as “absurd slander” and a “political tool” designed to facilitate hostile policy by Washington. The statement said North Korea would “never tolerate” confrontation attempts and would take “all necessary measures” to defend its state interests.
That is not a denial. Every country denies things. That is a threat. And Pyongyang does not usually make threats about cryptocurrency.
Something is different this time.
What They Are Responding To
North Korean hacking groups accounted for 76% of all crypto hack losses in 2026 through April, not because North Korea launched a wave of attacks, but because two attacks totaling $577 million dwarfed everything else.
The first was the Drift Protocol hack on April 1. Drift revealed that the attack was the culmination of a months-long targeted social engineering operation that began in the fall of 2025. The individuals who appeared in person were not North Korean nationals. DPRK threat actors operating at this level deploy third-party intermediaries to conduct face-to-face relationship-building. They were technically fluent, had verifiable professional backgrounds, and were familiar with how Drift operated. The full drain took approximately 12 minutes. The preparation took six months.
The second was the KelpDAO bridge exploit on April 18, $292 million drained through a single-verifier design flaw in a LayerZero bridge. Arbitrum froze $71 million of the proceeds, a partial recovery that spawned its own legal battle when a US law firm tried to claim the frozen funds using a 2015 judgment against North Korea.
Two attacks. Two distinct hacking groups. Seventy-seven days apart. $577 million total. The US named the masterminds behind both.
That is what North Korea is responding to.
Why the Response Is Unusual
State-sponsored hacking programs operate best in silence. Attribution is the enemy of the operation. When you deny nothing, you confirm nothing. When you respond, you confirm you are paying attention, which implies you have something to protect.
North Korea’s previous posture on crypto theft was pure silence. The logic was sound. Officially acknowledging that state media reports about crypto hacking even exist would require acknowledging that North Korea monitors those reports, which implies an operational interest in the outcome of those reports.
“The United States is trying to spread a distorted perception of our country by using government agencies, compliant media outlets and plot-making organizations to talk about a nonexistent cyber threat from us,” the ministry said. It also accused Washington of portraying itself as a victim while controlling global information technology infrastructure and carrying out cyberattacks against other countries.
The shift in posture suggests one of two things. Either the US attribution this time was specific enough, naming units, naming individuals, naming operational details, that silence itself became a signal of confirmation Pyongyang was not willing to tolerate. Or this is connected to a broader recalibration of North Korea’s public posture in the wake of the Iran ceasefire, where the regional dynamic has shifted enough that Pyongyang is recalculating what deterrence looks like.
The second explanation would be consistent with the geopolitical context. North Korea watched Iran absorb US and Israeli strikes, lose its Supreme Leader, and end up in ceasefire negotiations. The lesson for Pyongyang is not subtle. Their primary source of hard currency and weapons program funding is cryptocurrency theft. If the US starts treating that the way it treats Iranian oil revenues, as something to be systematically shut down rather than occasionally disrupted, North Korea has a real problem.
The threat is their way of saying: do not do that.
The Scale of What Is Actually Happening
According to TRM Labs, North Korean hackers have been responsible for at least around a third of all financial losses from cryptocurrency in six out of the past several years, with their cumulative theft exceeding $6 billion since 2017.
What has shifted is the sophistication of the attacks. TRM suggests that North Korean operators may be integrating AI tools into reconnaissance and social engineering operations, a development consistent with the increasing precision of attacks like Drift, which required weeks of targeted manipulation of complex blockchain mechanisms.
This is not opportunistic crime. This is an industrial operation. North Korea requires additional revenue to fund ambitious military plans that include constructing new destroyers, building nuclear-powered submarines, and launching additional reconnaissance satellites. Cryptocurrency theft is how they pay for it. The Drift and KelpDAO attacks together funded more than a year of that program.
The US naming the masterminds is not a symbolic gesture. It is the first step in a legal and financial pressure campaign. Named individuals can be sanctioned. Sanctioned individuals cannot access the global financial system. Exchanges are required to screen against sanction lists. The money gets harder to move.
North Korea knows this playbook. They have watched it applied to Iran, Russia, and Venezuela. They are telling the US they are prepared to respond to it.
What the Threat Actually Means
“We will never overlook the increasingly blatant confrontational attempts by hostile forces” is diplomatic language for a specific thing. It means: if you treat our revenue stream as a national security target, we will treat your infrastructure as a target.
The threat is probably not that North Korea will escalate crypto theft in response to being named. They were already stealing at industrial scale. The threat is that they will expand their targeting to infrastructure, financial systems, exchanges, custodians, rather than confining themselves to DeFi protocols where the victims are retail users and institutions with limited political voice.
A country that just threatened the US over cryptocurrency attributions is a country that understands its crypto operations are now in the crosshairs of US national security policy, not just law enforcement. That is a meaningful escalation in how both sides are framing this.
The Drift hackers spent six months building a fake identity inside a DeFi protocol before draining it in twelve minutes. The KelpDAO attackers found a single-verifier design flaw and moved $292 million through THORChain before anyone could stop them. These are not criminals who got lucky. They are a sophisticated state program that has stolen $6 billion since 2017 and is now threatening countermeasures against the country trying to stop them.
The US named the masterminds. North Korea said: we will not let it go.
For once, both sides are being honest about what this is.
