Blockchain intelligence firm TRM Labs reports that groups tied to North Korea have seized a commanding share of cryptocurrency thefts early in 2026. By the close of April, these operations accounted for approximately 76 percent of all documented hack-related losses, pulling in about $577 million from only a pair of meticulously planned incidents. TRM Labs pointed out that the pattern stands out not for volume but for impact.
The two breaches—the April 1 exploit of Drift Protocol and the April 18 attack on KelpDAO’s bridge—made up just 3 percent of the year’s total hack incidents yet delivered the lion’s share of stolen value.
This mirrors North Korea’s long-standing playbook: fewer, higher-value targets rather than frequent low-level raids.
Their portion of global crypto thefts has climbed steadily—from below 10 percent in 2020 and 2021 to 22 percent in 2022, 37 percent in 2023, 39 percent in 2024, and 64 percent in 2025—before reaching this year’s early peak of 76 percent.
The Drift Protocol incident netted roughly $285 million from the leading Solana-based decentralized perpetuals exchange.
Preparation stretched over months and included an unusual element: in-person meetings between North Korean proxies and platform insiders.
On-chain activity began in mid-March with a small withdrawal from a privacy mixer, followed by the creation of durable nonce accounts.
Attackers persuaded members of the security council to pre-sign transactions using this Solana feature, which keeps approvals valid indefinitely.
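The property that made those pre-signed approvals dangerous is structural and can be checked mechanically before a council member signs. The block below is an added illustration written for this article, not Drift's, Solana's or TRM Labs' code: it models a Solana transaction in simplified form (the System Program id and the AdvanceNonceAccount instruction index are the real values; the governance program name, blockhashes, nonce value and council keys are constructed) and applies a signing policy that refuses to treat a durable-nonce transaction as a one-off approval, because unlike a transaction tied to a recent blockhash it does not lapse until the nonce is advanced.

```python
"""Signing-policy check for governance approvals built on durable nonces.

Constructed model (not Drift's or Solana's code). A normal Solana transaction
references a recent blockhash and is dropped once that blockhash ages out of
the validity window (about 150 slots). A durable-nonce transaction instead
begins with a System Program AdvanceNonceAccount instruction and carries the
stored nonce value in the blockhash field, so collected signatures remain
usable until the nonce authority advances the nonce. A signer's tooling can
detect that shape and refuse to hand out an approval that never expires.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"  # real System Program id
ADVANCE_NONCE_ACCOUNT = 4      # real SystemInstruction enum index
MAX_BLOCKHASH_AGE_SLOTS = 150  # recent-blockhash validity window


@dataclass
class Instruction:
    program_id: str
    instruction_index: int
    accounts: List[str]


@dataclass
class Transaction:
    recent_blockhash: str        # a live blockhash, or the stored nonce value
    instructions: List[Instruction]
    signers: List[str]


def is_durable_nonce_tx(tx: Transaction) -> bool:
    """Durable-nonce transactions begin with System Program AdvanceNonceAccount."""
    if not tx.instructions:
        return False
    first = tx.instructions[0]
    return (first.program_id == SYSTEM_PROGRAM_ID
            and first.instruction_index == ADVANCE_NONCE_ACCOUNT)


def approval_validity(tx: Transaction, live_blockhashes: Set[str]) -> str:
    """'durable' (never lapses), 'expiring' (live blockhash) or 'stale' (already dead)."""
    if is_durable_nonce_tx(tx):
        return "durable"
    return "expiring" if tx.recent_blockhash in live_blockhashes else "stale"


def evaluate_signing_request(tx: Transaction, live_blockhashes: Set[str],
                             council: Set[str], allow_durable: bool = False) -> Tuple[str, str]:
    """Decide whether a council member's signer should co-sign `tx`.

    A council signature on a transaction whose validity never lapses is a
    standing credential, not an approval, so it is refused unless the council
    has explicitly opted in. Even then the nonce account is recorded, because
    advancing that nonce is the only way to revoke the pre-signed transaction.
    """
    validity = approval_validity(tx, live_blockhashes)
    council_on_tx = sorted(set(tx.signers) & council)
    if validity == "stale":
        return "refuse", "blockhash is not live; transaction was not built from current state"
    if validity == "durable" and council_on_tx and not allow_durable:
        return "refuse", (f"durable nonce would keep {len(council_on_tx)} council "
                          "approval(s) valid indefinitely")
    if validity == "durable":
        nonce_account = tx.instructions[0].accounts[0]
        return "sign-and-record", f"durable approval permitted; record nonce account {nonce_account} for revocation"
    return "sign", f"approval lapses after ~{MAX_BLOCKHASH_AGE_SLOTS} slots"


# --- constructed sample data ------------------------------------------------
LIVE_BLOCKHASHES = {"BLOCKHASH_LIVE_1"}
COUNCIL = {"council-a", "council-b", "council-c"}
GOV_IX = Instruction("GovernanceProgram(constructed)", 0, ["config-account"])

TX_NORMAL = Transaction("BLOCKHASH_LIVE_1", [GOV_IX], ["council-a"])
TX_DURABLE = Transaction(
    "NONCE_VALUE_constructed",
    [Instruction(SYSTEM_PROGRAM_ID, ADVANCE_NONCE_ACCOUNT,
                 ["nonce-account-1", "recent-blockhashes-sysvar", "nonce-authority"]), GOV_IX],
    ["council-a", "council-b"])
TX_STALE = Transaction("BLOCKHASH_OLD", [GOV_IX], ["council-a"])

if __name__ == "__main__":
    for label, tx in [("normal", TX_NORMAL), ("durable", TX_DURABLE), ("stale", TX_STALE)]:
        print(label, evaluate_signing_request(tx, LIVE_BLOCKHASHES, COUNCIL))
```

The check keys on the first instruction rather than on the blockhash field alone because a nonce value is indistinguishable from a blockhash by inspection; the AdvanceNonceAccount prefix is what marks the transaction as durable.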
They also introduced a fabricated collateral token through wash trading to manipulate oracles.
On the day of the heist, 31 withdrawals cleared in about 12 minutes, with most assets swiftly bridged to Ethereum and then converted to ETH.
Those funds have remained untouched since, consistent with a deliberate, extended cash-out strategy employed by one of the implicated subgroups.
Two weeks later, the KelpDAO breach extracted around $292 million by targeting its rsETH LayerZero bridge on Ethereum.
Hackers first infiltrated internal RPC nodes and replaced their software to supply false blockchain data.
A distributed denial-of-service assault then overwhelmed the legitimate external nodes, forcing the single verifier to rely on the poisoned sources.
With only one verifier required for confirmation, the system approved a fraudulent burn message, allowing the massive drain of roughly 116,500 rsETH tokens.
Initial funding for the attack was traced to wallets linked to a previously indicted Chinese broker, with a history stretching back years, and to another recent TraderTraitor operation.
After the theft, about $75 million worth of ETH was frozen on Arbitrum through emergency action by its security council, but the remainder was routed through THORChain—the same service heavily used in North Korea’s record 2025 Bybit heist—to convert stolen ETH into Bitcoin.
The contrasting post-theft paths reveal operational flexibility. One group favors rapid conversion followed by prolonged dormancy; the other demonstrates resilience by pivoting infrastructure after partial freezes.
THORChain has emerged as a preferred conduit across multiple major North Korean hauls, processing hundreds of millions without intervention from operators.
Cumulatively, Pyongyang-linked actors have now extracted more than $6 billion in attributed crypto thefts since 2017.
Analysts suggest the rising precision may involve AI-assisted reconnaissance and social engineering, moving beyond traditional private-key compromises.
Industry responses include expanded use of multi-verifier bridge designs and collaborative monitoring platforms that issue real-time alerts across exchanges and DeFi protocols when suspect funds surface.
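The KelpDAO chain of events (poisoned internal RPC nodes, a denial of service against the honest external nodes, a bridge that needed only one verifier's confirmation) and the multi-verifier designs mentioned as a response can be put side by side in a small model. The block below is an added example written for this article, not LayerZero's, KelpDAO's or TRM Labs' code: node names, transaction hashes and logs are constructed, and the forged amount simply echoes the page's figure. It shows the single fall-back verifier relaying a burn message that only the poisoned node attests to, while verifiers that consult independent sources and abstain when too few respond, combined with a k-of-n attestation threshold, halt the forged message but still release a legitimate one during the same outage.

```python
"""Cross-chain burn verification with and without independent quorums.

Constructed model, not LayerZero's, KelpDAO's or TRM Labs' code. Verifiers
confirm a claimed burn on the source chain by asking RPC nodes for the event.
FallbackVerifier trusts the first node that answers; QuorumVerifier requires
a minimum number of independent, agreeing answers and abstains otherwise.
The bridge releases funds only when enough verifiers attest positively.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BurnEvent:
    tx_hash: str
    recipient: str
    amount: int  # whole tokens, constructed values


class RpcNode:
    """One RPC endpoint; `log` is this node's view of finalized burn events."""

    def __init__(self, name: str, log: Dict[str, BurnEvent], available: bool = True):
        self.name, self.log, self.available = name, dict(log), available

    def get_burn(self, tx_hash: str) -> Optional[BurnEvent]:
        if not self.available:
            raise ConnectionError(f"{self.name} unreachable")
        return self.log.get(tx_hash)


class FallbackVerifier:
    """Vulnerable design: query nodes in priority order, trust the first reply."""

    def __init__(self, name: str, nodes: List[RpcNode]):
        self.name, self.nodes = name, nodes

    def attest(self, claimed: BurnEvent) -> Optional[bool]:
        for node in self.nodes:
            try:
                return node.get_burn(claimed.tx_hash) == claimed
            except ConnectionError:
                continue  # a DDoS on the honest nodes pushes us down the list
        return None


class QuorumVerifier:
    """Hardened design: all responding nodes must agree and enough must respond."""

    def __init__(self, name: str, nodes: List[RpcNode], min_responses: int):
        self.name, self.nodes, self.min_responses = name, nodes, min_responses

    def attest(self, claimed: BurnEvent) -> Optional[bool]:
        answers = []
        for node in self.nodes:
            try:
                answers.append(node.get_burn(claimed.tx_hash))
            except ConnectionError:
                continue
        if len(answers) < self.min_responses:
            return None  # fail closed: too little data to decide either way
        return all(event == claimed for event in answers)


def bridge_decision(claimed: BurnEvent, verifiers: list, required: int) -> str:
    """Release destination funds only on `required` positive attestations."""
    positive = sum(1 for v in verifiers if v.attest(claimed) is True)
    return "release" if positive >= required else "halt"


# --- constructed scenario ---------------------------------------------------
LEGIT = BurnEvent("0xlegit", "0xalice", 10)
FORGED = BurnEvent("0xforged", "0xattacker", 116_500)  # amount echoes the page's figure
HONEST_LOG = {LEGIT.tx_hash: LEGIT}
POISONED_LOG = {LEGIT.tx_hash: LEGIT, FORGED.tx_hash: FORGED}


def build_scenario(honest_nodes_up: bool):
    """Return (single_verifier_set, quorum_verifier_set) for one outage state."""
    poisoned = RpcNode("internal-rpc (poisoned)", POISONED_LOG)
    ext_a = RpcNode("external-rpc-a", HONEST_LOG, available=honest_nodes_up)
    ext_b = RpcNode("external-rpc-b", HONEST_LOG, available=honest_nodes_up)
    single = [FallbackVerifier("sole-verifier", [ext_a, ext_b, poisoned])]
    # Three verifiers run by different operators; only dvn-1 shares the
    # compromised infrastructure, the others have their own reachable nodes.
    quorum = [
        QuorumVerifier("dvn-1", [poisoned, ext_a, ext_b], min_responses=2),
        QuorumVerifier("dvn-2", [RpcNode("dvn2-a", HONEST_LOG), RpcNode("dvn2-b", HONEST_LOG)], 2),
        QuorumVerifier("dvn-3", [RpcNode("dvn3-a", HONEST_LOG), RpcNode("dvn3-b", HONEST_LOG)], 2),
    ]
    return single, quorum


if __name__ == "__main__":
    for up in (True, False):
        single, quorum = build_scenario(honest_nodes_up=up)
        print(f"honest nodes up={up}: single={bridge_decision(FORGED, single, 1)}, "
              f"quorum={bridge_decision(FORGED, quorum, 2)}, "
              f"quorum legit={bridge_decision(LEGIT, quorum, 2)}")
```

Two separate thresholds do the work: within a verifier, disagreement or too few responses never yields a positive attestation, and across verifiers the bridge needs several positives, so compromising one operator's infrastructure is insufficient even while the honest nodes are unreachable.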
TRM Labs concluded in the research report that as decentralized finance continues to grow, these concentrated, high-sophistication strikes underscore the sector’s vulnerability to state-backed adversaries who treat major protocols as strategic targets rather than opportunistic marks. Security teams are now racing to close the gaps exposed by these latest operations.