North Korean actors extracted approximately $577 million through the first four months of 2026, a sum representing 76% of all global cryptocurrency hack losses during the period, according to blockchain intelligence firm TRM Labs.
The losses stem from two April incidents, including the $292 million KelpDAO exploit and the $285 million Drift Protocol attack, which TRM said in a report accounted for 3% of total hack incidents in 2026 through April.
According to the report, the Drift attack came from a North Korean subgroup separate from TraderTraitor, the well-documented Lazarus-affiliated operation, though specific attribution remains under investigation. The KelpDAO breach was the work of TraderTraitor, it said.
The Drift hack involved months of in-person meetings between North Korean proxies and Drift employees, the TRM team said, noting that staging of the attack began as early as March 11 before the attacker created durable nonce accounts on Solana and induced Drift’s Security Council multisig signers to pre-authorize transactions.
The attacker then, on April 1, days after Drift had migrated its Security Council to a new 2/5 threshold configuration with zero timelock, deployed 31 pre-signed withdrawals to drain funds in a rapid execution phase lasting roughly 12 minutes, the team added. The funds were later bridged to Ethereum, where they have since remained largely dormant.
Meanwhile, the KelpDAO attack followed a different technical path, exploiting a single-verifier design in a LayerZero bridge by compromising RPC infrastructure and manipulating cross-chain validation logic, per the report.
TRM said attackers drained approximately 116,500 rsETH after forcing verification to fail over to compromised nodes, with subsequent laundering routed through cross-chain infrastructure, including THORChain, following partial asset freezes on Arbitrum.
North Korea’s share of crypto theft accelerates
The TRM team said North Korea’s share of global crypto hack losses has “accelerated” rather than plateaued, rising from below 10% in 2020 and 2021 to 22% in 2022, 37% in 2023, 39% in 2024, and 64% in 2025. Cumulative attributed theft now exceeds $6 billion since 2017.
The firm pointed to the $1.46 billion Bybit breach in 2025 as a key inflection point in North Korea’s recent activity profile. Since then, TRM said the operational cadence has remained consistent, with elite groups prioritizing fewer but higher-impact attacks targeting bridges, multisig governance systems, and cross-chain infrastructure.
TRM said the Drift and KelpDAO incidents highlight diverging laundering approaches. One group associated with Drift has left assets largely inactive after initial bridging to Ethereum and will likely “hold proceeds for months or years, then execute a structured, multi-phase cashout.”
The KelpDAO attackers, meanwhile, moved funds more rapidly through cross-chain swaps into Bitcoin via THORChain, with the ongoing laundering phase handled largely by Chinese intermediaries, not the North Koreans themselves, according to TRM.
Compliance monitoring priorities outlined by TRM include THORChain-linked flows from compromised bridge environments, multi-hop transaction tracing across bridge infrastructure, and screening of Solana governance-related deposit paths involving durable nonce transactions.
The firm also highlighted Beacon Network participation across exchanges and DeFi protocols as a mechanism for accelerating cross-platform alerting once North Korea-linked addresses are identified.
© 2026 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
Trade Crypto On Coinhub Exchange
Trade Crypto On Coinhub Exchange
Stay ahead of the market by turning news insights into trading opportunities. With Coinhub Exchange, you can seamlessly buy, sell, and manage your digital assets, all in one secure platform. Take advantage of real-time market insights, deep liquidity, and fast execution for your favorite cryptocurrencies. Don’t just read about it — trade crypto now!
Disclaimer
The content of this article shown by Coinhub News, powered by The Block, is for informational purposes only and should not be construed as financial, legal, tax, or investment advice. Coinhub News and its affiliates are not a licensed financial advisor, legal advisor, broker, or tax advisor, and ... should not be considered as professional advice or a recommendation to engage in any specific investment, legal decision, or financial transaction. Cryptocurrency markets are highly speculative and volatile. Readers should perform their own independent research and consult with a qualified professional before making any financial or legal decisions. The opinions expressed in this article are those of the author and do not necessarily represent the views or opinions of the Company of its affiliates. Additionally, the Company does not make any representations or warranties regarding the accuracy, timeliness, reliability, or completeness of any information in this article. By accessing this content, you acknowledge that any reliance on the information contained in this article is solely at your own risk. The Company is not responsible for any financial losses, legal disputes, or other damages that may arise from reliance on this content or from any investment or legal decisions based on the information provided. Investing in cryptocurrencies involves substantial risks, including the risk of losing your entire investment, and you should carefully consider whether it is appropriate for your circumstances.
Read more
