According to blockchain intelligence firm TRM Labs, North Korean hacking teams have stolen roughly $577 million in cryptocurrency by April 2026, representing 76% of all crypto hack losses this year, across just two attacks.
North Korea's share of total crypto hack losses has grown steadily, from below 10% in 2020 and 2021 to 22% in 2022, 37% in 2023, 39% in 2024, and 64% in 2025.
The 2026 figure of 76% is the highest sustained share on record.
The two attacks
The Drift Protocol breach on April 1 netted $285 million after three weeks of on-chain staging and months of social engineering, including in-person meetings between North Korean proxies and Drift staff, a tactic TRM describes as probably unprecedented in North Korea's hacking campaign.
The attackers exploited a Solana feature known as a durable nonce, which allows pre-signed transactions to be held and broadcast at a later time, inducing Drift's multisig signers to pre-authorize transactions weeks before the drain executed.
On April 1, 31 withdrawals executed in roughly 12 minutes, draining real assets including USDC and JLP.
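A pre-signing policy check for the durable-nonce behaviour described above, as an added example that is not from TRM or Drift: it flags any transaction whose first instruction is the System Program's AdvanceNonceAccount, because a signature on such a transaction does not expire with a recent blockhash. The message layout, the sample keys and the `approved_nonce_authorities` allowlist are assumptions made for illustration.

```python
# Pre-signing policy check for Solana durable-nonce transactions.
# The dict layout is a simplified, constructed stand-in for a decoded message
# (account keys plus compiled instructions); it is an assumption, not an SDK API.

SYSTEM_PROGRAM_ID = "1" * 32  # base58 form of the all-zero System Program key
# SystemInstruction::AdvanceNonceAccount is enum variant 4, encoded as u32 LE.
ADVANCE_NONCE_TAG = (4).to_bytes(4, "little")


def durable_nonce_info(message):
    """Return nonce account and authority if the message uses a durable nonce."""
    instructions = message.get("instructions", [])
    if not instructions:
        return None
    first = instructions[0]  # a nonce advance only counts as the first instruction
    keys = message["account_keys"]
    if keys[first["program_id_index"]] != SYSTEM_PROGRAM_ID:
        return None
    if bytes(first["data"][:4]) != ADVANCE_NONCE_TAG or len(first["accounts"]) < 3:
        return None
    # Account order: nonce account, RecentBlockhashes sysvar, nonce authority.
    nonce_acct, _sysvar, authority = first["accounts"][:3]
    return {"nonce_account": keys[nonce_acct], "nonce_authority": keys[authority]}


def review_before_signing(message, approved_nonce_authorities=frozenset()):
    """Return (decision, reason) for a transaction a multisig signer is asked to sign."""
    info = durable_nonce_info(message)
    if info is None:
        return "allow", "ordinary transaction: signature expires with its recent blockhash"
    if info["nonce_authority"] in approved_nonce_authorities:
        return "escalate", "durable nonce: signature stays usable until the nonce is advanced"
    return "block", "durable nonce held by unapproved authority " + info["nonce_authority"]


# Constructed sample messages; the key names are placeholders, not real addresses.
NONCED = {
    "account_keys": ["SignerA", "NonceAcct", "SysvarRecentBlockhashes", "AuthorityX", SYSTEM_PROGRAM_ID],
    "instructions": [
        {"program_id_index": 4, "accounts": [1, 2, 3], "data": [4, 0, 0, 0]},
        {"program_id_index": 4, "accounts": [0, 1], "data": [2, 0, 0, 0] + [0] * 8},
    ],
}
ORDINARY = {
    "account_keys": ["SignerA", "Recipient", SYSTEM_PROGRAM_ID],
    "instructions": [{"program_id_index": 2, "accounts": [0, 1], "data": [2, 0, 0, 0] + [0] * 8}],
}
```

The "escalate" outcome is deliberate: even with a known nonce authority, the signer is approving something that can be broadcast at any later date, so it warrants a second review rather than a routine signature.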
The KelpDAO breach on April 18 netted $292 million by exploiting a single-verifier design flaw in a LayerZero bridge.
Attackers compromised two internal RPC nodes, then DDoS'd external nodes to force the bridge's verifier to rely on poisoned data, approving a fraudulent cross-chain message.
Diverging laundering methods
TRM notes the two attacks followed distinct laundering playbooks.
Drift proceeds were bridged to Ethereum and converted to ETH within hours, then went dormant, consistent with a pattern of holding funds for months or years before a structured cashout.
KelpDAO's laundering was more reactive.
The Arbitrum Security Council froze roughly $75 million of the stolen funds, prompting the hackers to quickly move roughly $175 million in ETH through THORChain, converting it to bitcoin with no operator intervention.
TRM stated:
“THORChain processed the overwhelming majority of proceeds from both the Bybit breach (2025) and the KelpDAO hack (2026), converting hundreds of millions in stolen ETH to Bitcoin with no operator willing to freeze or reject transfers — making it the consistent bridge of choice across North Korea’s largest heists.”
What TRM says compliance teams should watch
TRM flagged four monitoring priorities:
THORChain flows from KelpDAO-linked addresses, Solana multisig and governance contract exposure, multi-hop bridge deposit screening, and enrollment in TRM's Beacon Network for real-time alerts.
TRM noted:
“TRM analysts have begun to speculate that North Korean operators are incorporating AI tools into their reconnaissance and social engineering workflows — a development consistent with the growing precision of attacks like Drift.”
On the broader threat, TRM observed:
“The group is not attacking more frequently — it’s targeting more precisely, focusing on high-value targets.”