How North Korea Turned Cryptocurrency Theft Into a State-Funded Industry
In early 2025, someone applied for a job at a fintech company. They had a polished resume, a confident video interview, and solid references. What the hiring manager did not know was that the recruiter on the other side of the screen was not a person. It was a synthetic AI-generated persona, purpose-built by a North Korean state-backed hacking collective to gain access to the company's cryptocurrency systems. By the time anyone noticed something was wrong, the funds were gone.
by Kasun Illankoon, Editor in Chief at Tech Revolt
This is the new face of financial cybercrime, and it is more industrialized, more automated, and more effective than anything the sector has seen before. That is the central finding of the CrowdStrike 2026 Financial Services Threat Landscape Report, released this week, which draws on frontline intelligence tracking more than 280 named adversary groups operating globally. The picture it paints is not one of lone hackers in dark rooms. It is one of nation-state operations running with the discipline and scale of a corporate enterprise.
The $1.46 Billion Heist That Rewrote the Record Books
The numbers in the report are striking enough on their own. North Korea-linked actors were responsible for a 51 percent year-over-year increase in digital asset theft in 2025, with a total of $2.02 billion stolen from across the financial sector. But one incident stands out above the rest: a single operation by a group CrowdStrike tracks as PRESSURE CHOLLIMA, which executed what is now the largest single financial theft ever recorded, taking $1.46 billion in cryptocurrency through trojanized software distributed via a supply chain compromise.
To put that in context, this was not a smash-and-grab. It was a carefully constructed attack that required compromising a software supply chain, meaning the hackers did not break into a vault directly. They poisoned the tools that other people used to access the vault. When those tools were distributed to users who trusted them, the attackers came along for the ride.
This approach reflects a broader strategic shift. Rather than targeting financial institutions head-on, adversaries are increasingly targeting the infrastructure and trusted relationships that financial firms rely on. Another North Korea-linked group, GOLDEN CHOLLIMA, used recruitment-themed lures specifically designed to divert cryptocurrency funds and gain access to cloud environments at fintechs operating across Southeast Asia and Canada. The bait was a job opportunity. The trap was a credential harvester.
AI Has Changed the Cost Equation for Attackers
What makes the current moment different from previous threat cycles is the role artificial intelligence is now playing on the attacker's side of the equation. For years, cybersecurity professionals have talked about AI as a defensive tool. The 2026 report is a reminder that it is also a remarkably efficient offensive one.
FAMOUS CHOLLIMA, another DPRK-affiliated group, doubled its operational volume last year by deploying AI-generated identities to infiltrate cryptocurrency exchanges, fintech platforms, and consumer banks. Creating a convincing fake employee or job applicant used to require significant human effort. AI has automated that process and dropped the cost of deception close to zero.
STARDUST CHOLLIMA went further still, tripling its operational tempo by deploying AI-generated recruiter personas and synthetic video conferencing environments to target fintechs across North America, Europe, and Asia. These were not text-based scams. They were fully constructed synthetic realities: fake video calls, fake interviewers, fake companies. Organizations that thought they were conducting routine business interactions were, in some cases, handing access to their systems to state-sponsored adversaries.
"Financial services organizations face threats from every direction and AI is making each of them harder to stop. The cost to create convincing identities, automate reconnaissance, and accelerate credential theft is near zero," said Adam Meyers, head of counter adversary operations at CrowdStrike. "Adversaries are using AI to compress the time from initial access to impact, moving through trusted paths faster than legacy defenses can respond. To close that gap, defenders have to meet AI with AI, pairing intelligence with hunting to outpace the adversary."
That last phrase matters. The compression of time between access and impact is one of the most significant trends in the report. Historically, attackers who gained initial access to a system might move slowly, carefully avoiding detection over days or weeks. AI-assisted intrusions are accelerating that timeline dramatically, leaving defenders with a much narrower window to respond.
China's Quieter, More Patient Operation
While North Korea's operations are defined by their audacity and financial motivation, the report identifies a different kind of threat emanating from China-linked adversaries: long-term, patient intelligence gathering at a genuinely global scale.
A group tracked as MURKY PANDA built an operational relay box network spanning more than 150 endpoints across 36 countries, using that infrastructure to target 340 organizations across more than 30 sectors. Financial services was among the most frequently targeted. The scale of that network speaks to something more strategic than financial opportunism. This is the architecture of a persistent surveillance operation, designed to collect intelligence over time rather than extract value immediately.
HOLLOW PANDA, meanwhile, conducted targeted intrusions at financial institutions in the Philippines, Indonesia, and Brazil, suggesting a geographic focus on economies within China's strategic interest zone as well as Latin America's growing financial sector. These are not random targets. They are selected with geopolitical logic.
Ransomware Finds New Efficiencies
The report also documents a notable evolution in how ransomware groups are operating within the financial sector. In 2025, 423 financial services organizations appeared on dedicated leak sites, a 27 percent increase year over year. But the more interesting development is the business model innovation happening beneath that headline figure.
A group called MUTANT SPIDER has emerged as a kind of access broker, conducting high-volume vishing campaigns, gaining entry to organizations, and then selling that access to ransomware groups rather than deploying ransomware itself. This division of labor makes attacks faster, more scalable, and harder to attribute. The entity that shows up to collect the ransom is not the same entity that broke down the door.
SCATTERED SPIDER, which gained notoriety for aggressive attacks on major corporations in 2023 and 2024, resumed ransomware operations against insurance entities in the first half of 2025 after a four-month pause. The return suggests that law enforcement pressure, while meaningful, has not yet succeeded in dismantling the group's operational capacity.
What Defenders Are Actually Up Against
Taken together, the picture that emerges from the CrowdStrike report is of a threat landscape in which the old perimeter-based model of security is increasingly inadequate. Hands-on-keyboard intrusions against financial institutions spiked 43 percent globally and 48 percent in North America over the past two years. These are not automated attacks that a firewall can catch at the door. They are human-operated campaigns that exploit trusted identities, legitimate SaaS applications, and the normal rhythms of business operations.
The job interview that was actually a North Korean intelligence operation. The software update that was actually a supply chain compromise. The cloud credentials that were harvested during what looked like a routine vendor interaction. The common thread running through all of these is that they exploit trust, not just technology.
For financial institutions, the implication is that the most important security investments may not be in better firewalls but in better identity verification, stronger threat intelligence, and the ability to detect anomalous behavior within systems that have already been accessed by what appeared to be a legitimate user.
The CrowdStrike report is ultimately a document about the professionalization of adversarial activity. The groups it describes are not opportunists. They are organizations, with strategic goals, operational planning, and now, access to AI tools that let them scale their deception at a speed and volume that was not possible even two years ago. The financial sector has always been a high-value target. What is new is how efficiently it is now being hunted.