North Korea Linked To More Than Three Quarters Of All Crypto Losses In 2026; Two Hacks Drain $577M
North Korean hackers have been behind the majority of crypto losses in 2026 so far, with two high-value attacks carried out within weeks of each other accounting for most of the damage, according to a new report.
According to blockchain intelligence firm TRM Labs, about $577 million in crypto has been stolen so far through April, with North Korean-linked groups responsible for 76% of all recorded losses. That figure is driven almost entirely by the April breaches of Drift Protocol and KelpDAO, which together made up a small share of incidents but the vast majority of value lost.
The concentration of losses underscores a broader trend in North Korea’s cyber operations. Reporting from The Block shows the country’s share of crypto theft has climbed steadily from under 10% in 2020 to 76% this year, with total attributed theft now exceeding $6 billion since 2017.
The Drift Protocol attack on April 1 alone accounted for roughly $285 million in losses. TRM said the operation involved months of preparation, including social engineering and reported in-person contact with insiders before attackers exploited Solana’s durable nonce system to pre-authorize transactions. Once executed, 31 withdrawals were completed in about 12 minutes. The stolen funds were quickly bridged to Ethereum and have since remained largely dormant.
A separate investigation cited by CryptoBriefing described the campaign as part of a broader North Korean operation combining technical exploits with social engineering, highlighting how attacks are becoming more coordinated and operationally complex.
The second major breach targeted KelpDAO on April 18, when attackers exploited a vulnerability in a LayerZero bridge by compromising internal infrastructure and manipulating transaction verification. TRM attributed the attack to the TraderTraitor group, a known North Korean-linked operation, which drained about $292 million.
Reporting from DL News noted that attackers later reused the same bridging infrastructure to help launder funds, a rare case where the exploited system was also used in the laundering process. “We are seeing these actors treat exploits as standardised business operations,” Matt Price of Elliptic told DL News, adding that they increasingly operate “with the efficiency of a global enterprise.”
When around $75 million of the stolen KelpDAO funds were frozen on Arbitrum, the attackers rapidly shifted tactics. TRM said roughly $175 million in Ethereum was converted into Bitcoin, primarily through THORChain, a decentralized cross-chain protocol that has repeatedly featured in North Korean laundering flows, including the 2025 Bybit hack.
THORChain handled a significant share of the laundering activity, reinforcing its role as a consistent exit route for stolen assets despite repeated industry scrutiny, the DL News report said.
Security researchers say the pattern reflects a shift in how North Korean groups operate. “Security is no longer just about the integrity of the protocol’s code. Operational security is now equally critical,” Yajin Zhou of BlockSec told DL News, pointing to the growing role of human and infrastructure vulnerabilities in recent exploits.
The investigations found repeated weaknesses in crypto infrastructure, ranging from governance and multisig systems exploited in the Drift breach to single-verifier bridge setups in KelpDAO, where a single compromised data source was enough to enable a large-scale fraudulent transfer.
TRM said the broader trend is not an increase in attack volume, but a refinement in execution: fewer incidents, higher precision, and significantly larger payouts per breach.