
A striking report by blockchain intelligence firm TRM Labs reveals that North Korean hacking groups stole an eye-watering $577 million in cryptocurrency across two incidents in April 2026: the $292 million KelpDAO exploit and the $285 million Drift Protocol attack. Together, the two thefts account for just 3% of the total number of hacking incidents this year but a staggering 76% of all global crypto hack losses during the first four months of 2026.

Since 2017, North Korean cybercriminals have been responsible for over $6 billion in stolen cryptocurrency, marking the country as one of the most prolific players in the global crypto theft landscape. The TRM Labs report highlights that these recent attacks continue the trend of rising losses attributed to North Korean groups, whose share of global crypto thefts has accelerated significantly in recent years.

A Deeper Look at the April Incidents

The first of the two high-profile attacks, the KelpDAO breach, was carried out by the notorious TraderTraitor, a subgroup linked to the Lazarus Group. The attackers exploited vulnerabilities in a LayerZero bridge, manipulating cross-chain validation logic to compromise RPC infrastructure and ultimately steal around 116,500 rsETH. They forced verification to fail and, after partial freezes were applied to Arbitrum assets, routed the stolen funds through cross-chain infrastructure, including THORChain.

The second attack, targeting Drift Protocol, took a different approach. TRM Labs reported that the Drift hack involved months of planning and in-person meetings between North Korean operatives and Drift employees. The attackers set the stage for the hack as early as March 11, when they created durable nonce accounts on the Solana blockchain. In a carefully orchestrated execution on April 1, the attackers exploited vulnerabilities in Drift’s governance system, draining the protocol’s funds in a rapid 12-minute window. The stolen assets were subsequently bridged to Ethereum, where they have remained dormant since the attack.

The TRM Labs team notes that the KelpDAO and Drift incidents represent divergent approaches to laundering the stolen assets. The Drift attackers appear to have adopted a long-term strategy, with the stolen funds left largely inactive for now, potentially to be cashed out through a multi-phase operation in the future. Conversely, the KelpDAO attackers moved funds more quickly, utilizing THORChain to exchange the stolen assets into Bitcoin, with Chinese intermediaries likely handling the laundering process.

North Korea’s Growing Influence in Crypto Theft

The frequency and scale of North Korean crypto hacks have been increasing in recent years. According to TRM Labs, North Korea’s share of global crypto thefts has grown substantially, from below 10% in 2020 and 2021 to 22% in 2022, and reaching 39% in 2024. In 2025, North Korean hackers were responsible for 64% of all global crypto hack losses, underscoring their growing dominance in this illicit sector. The $1.46 billion Bybit breach in 2025 marked a key turning point, after which North Korea’s hacking groups began to prioritize fewer but higher-impact attacks, targeting high-value assets like bridges, multisig governance systems, and cross-chain infrastructure.

TRM Labs pointed out that the operational cadence of North Korean cybercriminals has become increasingly focused on large-scale attacks rather than a scattergun approach. These elite groups now favor more strategic, impactful hacks that can yield large sums, especially targeting high-value crypto assets and sophisticated cross-chain systems. The attacks on Drift Protocol and KelpDAO are prime examples of this refined operational strategy, where the focus is on exploiting security flaws in critical infrastructure rather than opportunistic breaches.

Diverging Laundering Strategies

Another key element of the report is the contrast in laundering strategies employed by different North Korean groups. While the Drift hack has seen funds left largely inactive on Ethereum, suggesting a longer-term laundering process, the KelpDAO attackers moved funds quickly and made use of Chinese intermediaries for the laundering phase. This division in laundering techniques highlights the level of sophistication and variation among North Korean hacker subgroups.

TRM Labs noted that these laundering strategies require specific compliance monitoring measures, such as tracking cross-chain flows from compromised bridges and tracing multi-hop transactions across bridge infrastructure. The firm emphasized the need for increased vigilance in monitoring Solana-related transactions, particularly those involving nonce-based transactions that have been used in recent hacks.
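One way to apply the nonce-based monitoring described above, shown as an added example that comes from neither TRM Labs nor the original article: on Solana, a durable-nonce transaction carries a System Program `advanceNonce` instruction as its first instruction, so that position can be checked in parsed transaction data. The input shape assumes the `jsonParsed` encoding of the `getTransaction` RPC result; the watched program id, account names and signatures are constructed placeholders.

```python
# Added example: constructed data, placeholder program and account names.
# Input mirrors the jsonParsed encoding of Solana's getTransaction RPC result.
SYSTEM_PROGRAM = "1" * 32                  # Solana System Program address
WATCHED = {"GovProgramPLACEHOLDER"}        # hypothetical governance program id


def durable_nonce_info(tx):
    """Return the advanceNonce info if tx is a durable-nonce transaction, else None.

    Such a transaction carries a System Program advanceNonce instruction as
    its first instruction; the same instruction later in the list does not count.
    """
    ixs = tx["transaction"]["message"]["instructions"]
    if not ixs:
        return None
    first, parsed = ixs[0], ixs[0].get("parsed")
    if first.get("programId") != SYSTEM_PROGRAM or not isinstance(parsed, dict):
        return None
    return parsed.get("info") if parsed.get("type") == "advanceNonce" else None


def flag(txs, watched=WATCHED):
    """Alert on durable-nonce transactions whose top-level instructions hit a watched program."""
    alerts = []
    for tx in txs:
        info = durable_nonce_info(tx)
        if info is None:
            continue
        rest = tx["transaction"]["message"]["instructions"][1:]
        hit = sorted({ix.get("programId") for ix in rest} & set(watched))
        if hit:
            alerts.append({"signature": tx["transaction"]["signatures"][0],
                           "nonce_account": info.get("nonceAccount"),
                           "nonce_authority": info.get("nonceAuthority"),
                           "programs": hit})
    return alerts


def make_tx(sig, *ixs):  # builds a constructed sample transaction
    return {"transaction": {"signatures": [sig], "message": {"instructions": list(ixs)}}}

ADVANCE = {"programId": SYSTEM_PROGRAM, "parsed": {"type": "advanceNonce",
           "info": {"nonceAccount": "NonceAcctA", "nonceAuthority": "AuthorityA"}}}
GOV = {"programId": "GovProgramPLACEHOLDER", "data": "..."}
OTHER = {"programId": "OtherProgramPLACEHOLDER", "data": "..."}
SAMPLE = [make_tx("sig-nonce-gov", ADVANCE, GOV), make_tx("sig-nonce-other", ADVANCE, OTHER),
          make_tx("sig-blockhash-gov", GOV), make_tx("sig-late-advance", GOV, ADVANCE)]

if __name__ == "__main__":
    for alert in flag(SAMPLE):
        print(alert)
```

Only top-level instructions are inspected here; a watched program reached through a cross-program invocation appears under `meta.innerInstructions` in the RPC result and would need the same check.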

The Path Forward: Compliance and Monitoring

As North Korean hacking groups continue to dominate the crypto theft landscape, compliance and monitoring efforts must evolve to address the growing threats. TRM Labs has outlined several key priorities for monitoring these activities, including tracking THORChain-linked flows from compromised bridge environments and enhancing cross-platform alerting through Beacon Network participation.

The firm also recommended greater scrutiny of Solana-related deposit paths and governance activities, particularly those involving nonce-based transactions. As the crypto space continues to expand, with increasingly sophisticated attacks from state-sponsored groups like North Korea, these strategies will be crucial in mitigating further losses.

Conclusion: A Rising Threat

The $577 million in stolen funds during the first four months of 2026 serves as a stark reminder of the growing threat posed by state-sponsored hackers in the cryptocurrency ecosystem. As North Korea continues to accelerate its attacks and refine its operational strategies, the crypto community must remain vigilant in protecting its assets. With more than $6 billion in cryptocurrency stolen since 2017, North Korean hacking groups are showing no signs of slowing down, and the industry’s response must keep pace with the increasingly sophisticated tactics employed by these cybercriminals.


Analysis:

So, here we are again. North Korea has turned crypto hacking into a near-annual ritual, this time taking an astounding $577 million in just two attacks during April 2026. That’s no small sum. But what’s even more concerning is that these two incidents now represent a shocking 76% of all global crypto thefts in 2026 so far. In other words, these attacks, which made up only 3% of total hacking incidents, are bleeding the crypto industry dry.

I can’t help but wonder how long this trend is going to continue. North Korea is clearly doubling down on its approach. These aren’t your run-of-the-mill opportunistic hacks; we’re talking about highly planned, targeted operations designed to extract massive amounts of value from crypto ecosystems. And while it’s not new to hear that North Korean hackers are behind major crypto breaches, the speed and scale of their operations are accelerating.

For instance, the Drift Protocol attack was a masterpiece of patience and planning. Months of groundwork, in-person meetings between North Korean proxies and Drift employees—these guys weren’t just executing an attack; they were laying the foundation for a multi-step, highly orchestrated theft. That’s a level of sophistication we haven’t seen much before in these types of hacks. Sure, we’ve always known about the Lazarus Group and its elaborate schemes, but this feels like a whole new chapter.

And then you’ve got the KelpDAO attack, which is equally impressive but in a different way. The attackers exploited a technical vulnerability in the LayerZero bridge, essentially manipulating cross-chain validation logic to bypass security. They didn’t need months of groundwork here—they just needed to know where to hit, and they did it with surgical precision. This is the hallmark of an advanced, well-funded operation. These are hackers who know the crypto space inside and out.

But what really struck me about this report is the shift in the laundering tactics. North Korean groups are diversifying their strategies, and that’s making them harder to track. The KelpDAO hackers used THORChain to move funds rapidly through cross-chain swaps into Bitcoin, with Chinese intermediaries handling the laundering. Meanwhile, the Drift hackers seem to be playing the long game, holding onto their stolen assets and letting them sit dormant for now. Both approaches show the depth of planning and the high stakes involved in these operations.

One thing is clear: these attacks aren’t just a minor nuisance—they’re a fundamental challenge to the crypto ecosystem’s security. These hackers aren’t operating like typical cybercriminals. They’re state-sponsored actors with resources, skill, and the ability to refine their methods over time. They’re patient, they’re methodical, and they’re getting better at it.

Looking forward, the crypto industry has to step up its game. Compliance and monitoring need to evolve faster than these attacks do. The TRM Labs recommendations are spot on—tracking THORChain flows, monitoring multi-hop transactions, and keeping a close eye on Solana governance paths will be crucial in stopping these types of breaches. But even more importantly, the industry needs to recognize that these aren’t just random bad actors—they’re sophisticated, coordinated attacks backed by a nation-state.

As the threat grows, the response from the crypto community will have to become just as sophisticated. Otherwise, we’re going to keep seeing these massive hacks draining the industry dry.

Disclaimer

This article is for informational and educational purposes only and does not constitute financial, investment, trading, or legal advice. Cryptocurrencies, memecoins, and prediction-market positions are highly speculative and involve significant risk, including the potential loss of all capital.

The analysis presented reflects the author’s opinion at the time of writing and is based on publicly available information, on-chain data, and market observations, which may change without notice. No representation or warranty is made regarding accuracy, completeness, or future performance.

Readers are solely responsible for their investment decisions and should conduct their own independent research and consult a qualified financial professional before engaging in any trading or betting activity. The author and publisher hold no responsibility for any financial losses incurred.

By Shane Neagle

Shane Neagle is a financial markets analyst and digital assets journalist specializing in cryptocurrencies, memecoins, prediction markets, and blockchain-based financial systems. His work focuses on market structure, incentive design, liquidity dynamics, and how speculative behavior emerges across decentralized platforms. He closely covers emerging crypto narratives, including memecoin ecosystems, on-chain activity, and the role of prediction markets in pricing political, economic, and technological outcomes. His analysis examines how capital flows, trader psychology, and platform design interact to create rapid market cycles across Web3 environments. Alongside digital assets, Shane follows broader fintech and online trading developments, particularly where traditional financial infrastructure intersects with blockchain technology. His research-driven approach emphasizes understanding why markets behave the way they do, rather than short-term price movements, helping readers navigate fast-evolving crypto and speculative markets with clearer context.
