In short
- North Korea stole 76% of all crypto hack value to date in 2026 with just two April attacks totaling $577 million.
- One hack used months of social engineering; the other exploited a single-point verification flaw in a blockchain bridge.
- All told, TRM Labs says that North Korean hackers have stolen more than $6 billion worth of crypto since 2017.
North Korean hackers have stolen almost three-quarters of all cryptocurrency taken by cybercriminals to date this year—not through a relentless campaign of attacks, but through two precisely executed heists targeting decentralized finance platforms in April, according to a new report from blockchain intelligence firm TRM Labs.
The two incidents—a $285 million breach of Drift Protocol on April 1 and a $292 million exploit of Kelp DAO on April 18—together account for 76% of all crypto hack losses tracked through April, despite representing just 3% of the total number of incidents recorded.
All told, TRM Labs estimates that North Korean-linked hackers have swiped over $6 billion from crypto protocols and projects since 2017, including some of the industry’s worst-ever heists.
The figures reflect an accelerating concentration of cryptocurrency theft by state-linked North Korean operatives. Pyongyang’s share of total crypto hack losses has grown from under 10% in 2020 and 2021 to 22% in 2022, 37% in 2023, 39% in 2024, and 64% in 2025. The 2026 figure of 76% through April is the highest sustained share on record.
The Drift Protocol attack was notable for its persistence. On-chain staging began March 11, and the campaign involved in-person meetings between North Korean proxies and Drift staff over a period of months—a tactic TRM analysts described as potentially unprecedented in North Korea’s long-running crypto hacking campaign.
The attackers exploited a Solana feature called a durable nonce, which allows pre-signed transactions to be held and deployed at a later time. On April 1, 31 withdrawals executed in roughly 12 minutes, draining real assets including USDC and JLP. The stolen funds were quickly moved to Ethereum and have sat dormant since.
The Kelp DAO attack took a different route. The attackers compromised two internal RPC nodes and then launched a denial-of-service attack against external nodes, forcing the bridge’s single verifier to rely on the poisoned data sources. Those nodes falsely reported that the underlying asset had been burned on the source chain when no such action had occurred, and roughly 116,500 rsETH—worth roughly $292 million—was drained from the Ethereum bridge contract.
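The failure mode described above, seen from the defender's side: this is an added example, not code from Kelp DAO, TRM Labs or any bridge. It shows a release check that fails closed when external nodes are unreachable instead of trusting whichever sources still answer. The `Report` type, `may_release`, the node and operator names and the thresholds are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Report:
    source: str              # node name (constructed)
    operator: str            # who runs the node (constructed)
    burned: Optional[bool]   # None = node unreachable or timed out

def may_release(reports, min_agree=3, min_operators=2):
    """Fail-closed release decision for a bridge verifier (hypothetical).

    Release only if at least `min_agree` reachable nodes report the burn,
    those nodes span at least `min_operators` distinct operators, and no
    reachable node contradicts them. Unreachable nodes never count as
    agreement, so a denial of service costs availability, not safety.
    """
    reachable = [r for r in reports if r.burned is not None]
    yes = [r for r in reachable if r.burned]
    no = [r for r in reachable if not r.burned]
    if no:
        return False, "conflict: %s deny the burn" % sorted(r.source for r in no)
    if len(yes) < min_agree:
        return False, "quorum not met: %d of %d required" % (len(yes), min_agree)
    if len({r.operator for r in yes}) < min_operators:
        return False, "all confirmations come from one operator"
    return True, "ok"

# Constructed scenario mirroring the article: two internal nodes report a
# burn that never happened while the external nodes are knocked offline.
ATTACK = [
    Report("rpc-int-1", "internal", True),
    Report("rpc-int-2", "internal", True),
    Report("rpc-ext-1", "provider-a", None),
    Report("rpc-ext-2", "provider-b", None),
]
# Constructed normal case: every node is reachable and confirms the burn.
HEALTHY = [
    Report("rpc-int-1", "internal", True),
    Report("rpc-int-2", "internal", True),
    Report("rpc-ext-1", "provider-a", True),
    Report("rpc-ext-2", "provider-b", True),
]

if __name__ == "__main__":
    print(may_release(ATTACK))   # refused: quorum not met
    print(may_release(HEALTHY))  # released
```

Even with the agreement threshold lowered to two, the constructed attack case is still refused, because both confirmations come from the same operator.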
After the Kelp DAO theft, the Arbitrum Security Council exercised emergency powers to freeze roughly $75 million of the stolen funds that had been left on the network—a rare intervention that prompted a rapid laundering response. Roughly $175 million in ETH was then swapped to Bitcoin, largely through THORChain, a cross-chain liquidity protocol with no know-your-customer requirement.
THORChain processed the vast majority of proceeds from both the Bybit breach in 2025—the industry’s worst-ever theft, with over $1.4 billion in crypto stolen—and the Kelp DAO hack in 2026, converting hundreds of millions in stolen ETH to Bitcoin with no operator willing to freeze or reject transfers.
TRM analysts noted that the group appears to be sharpening its tools: Analysts have begun to speculate that North Korean operators are incorporating AI tools into their reconnaissance and social engineering workflows, a development consistent with the growing precision of attacks like Drift, which required weeks of targeted manipulation of complex blockchain mechanisms.

