North Korea accounts for 76% of 2026 crypto hack losses, with theft since 2017 topping $6 billion: TRM Labs
North Korean hacking groups stole $577 million across two April incidents, accounting for 76% of total crypto hack losses in 2026, according to TRM Labs. The two exploits represented 3% of the total incident count but drove the majority of losses, with cumulative North Korean-attributed crypto theft exceeding $6 billion since 2017.
2026-04-30 Source: theblock.co

North Korean actors extracted approximately $577 million through the first four months of 2026, a sum representing 76% of all global cryptocurrency hack losses during the period, according to blockchain intelligence firm TRM Labs.

The losses stem from two April incidents, the $292 million KelpDAO exploit and the $285 million Drift Protocol attack, which TRM said in a report accounted for 3% of total hack incidents in 2026 through April.

According to the report, the Drift attack came from a North Korean subgroup separate from TraderTraitor, the well-documented Lazarus-affiliated operation, though specific attribution remains under investigation. The KelpDAO breach was the work of TraderTraitor, it said. 

The Drift hack involved months of in-person meetings between North Korean proxies and Drift employees, the TRM team said, noting that staging of the attack began as early as March 11 before the attacker created durable nonce accounts on Solana and induced Drift's Security Council multisig signers to pre-authorize transactions. 

The attacker then, on April 1, days after Drift had migrated its Security Council to a new 2/5 threshold configuration with zero timelock, deployed 31 pre-signed withdrawals to drain funds in a rapid execution phase lasting roughly 12 minutes, the team added. The funds were later bridged to Ethereum, where they have since remained largely dormant.

Meanwhile, the KelpDAO attack followed a different technical path, exploiting a single-verifier design in a LayerZero bridge by compromising RPC infrastructure and manipulating cross-chain validation logic, per the report. 

TRM said attackers drained approximately 116,500 rsETH after forcing verification to fail over to compromised nodes, with subsequent laundering routed through cross-chain infrastructure, including THORChain, following partial asset freezes on Arbitrum.

North Korea's share of crypto theft accelerates

The TRM team said North Korea’s share of global crypto hack losses has “accelerated” rather than plateaued, rising from below 10% in 2020 and 2021 to 22% in 2022, 37% in 2023, 39% in 2024, and 64% in 2025. Cumulative attributed theft now exceeds $6 billion since 2017.

The firm pointed to the $1.46 billion Bybit breach in 2025 as a key inflection point in North Korea’s recent activity profile. Since then, TRM said the operational cadence has remained consistent, with elite groups prioritizing fewer but higher-impact attacks targeting bridges, multisig governance systems, and cross-chain infrastructure.

TRM said the Drift and KelpDAO incidents highlight diverging laundering approaches. One group associated with Drift has left assets largely inactive after initial bridging to Ethereum and will likely “hold proceeds for months or years, then execute a structured, multi-phase cashout.”

The KelpDAO attackers, meanwhile, moved funds more rapidly through cross-chain swaps into Bitcoin via THORChain, with the ongoing laundering phase handled largely by Chinese intermediaries, not the North Koreans themselves, according to TRM. 

Compliance monitoring priorities outlined by TRM include THORChain-linked flows from compromised bridge environments, multi-hop transaction tracing across bridge infrastructure, and screening of Solana governance-related deposit paths involving durable nonce transactions. 
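One way to screen for the durable nonce pattern named above, as an added example that is not code from TRM Labs, Drift or The Block: on Solana a durable-nonce transaction must carry the System Program's AdvanceNonceAccount instruction first, so the check flags such transactions signed by watched governance keys and groups them into bursts. The record shape, signer names, signatures and thresholds are constructed assumptions.

```python
import struct

SYSTEM_PROGRAM = "11111111111111111111111111111111"
ADVANCE_NONCE = 4  # u32 LE discriminant of SystemInstruction::AdvanceNonceAccount


def is_durable_nonce_tx(tx):
    """Durable-nonce transactions must start with AdvanceNonceAccount."""
    if not tx["instructions"]:
        return False
    first = tx["instructions"][0]
    data = bytes.fromhex(first["data_hex"])
    return (first["program_id"] == SYSTEM_PROGRAM and len(data) >= 4
            and struct.unpack_from("<I", data)[0] == ADVANCE_NONCE)


def screen(txs, watched, window_s=900, min_count=3):
    """Return (hit signatures, bursts) for durable-nonce txs signed by watched keys."""
    hits = sorted((t for t in txs
                   if is_durable_nonce_tx(t) and watched & set(t["signers"])),
                  key=lambda t: t["block_time"])
    bursts, cur = [], []
    for t in hits:
        # Close the current cluster once it spans more than window_s seconds.
        if cur and t["block_time"] - cur[0]["block_time"] > window_s:
            if len(cur) >= min_count:
                bursts.append([x["sig"] for x in cur])
            cur = []
        cur.append(t)
    if len(cur) >= min_count:
        bursts.append([x["sig"] for x in cur])
    return [t["sig"] for t in hits], bursts


def _tx(sig, t, signers, data_hex, program=SYSTEM_PROGRAM):
    # Constructed record shape (hypothetical, not an RPC response format).
    return {"sig": sig, "block_time": t, "signers": signers,
            "instructions": [{"program_id": program, "data_hex": data_hex}]}


# Constructed sample: placeholder signer names, signatures and timestamps.
WATCHED = {"CouncilSigner1", "CouncilSigner2"}
SAMPLE = [
    _tx("sigA", 1000, ["CouncilSigner1"], "04000000"),
    _tx("sigB", 1300, ["CouncilSigner2"], "04000000"),
    _tx("sigC", 1700, ["CouncilSigner1"], "04000000"),
    _tx("sigD", 1200, ["CouncilSigner1"], "0200000040420f0000000000"),  # plain transfer
    _tx("sigE", 1250, ["Unrelated"], "04000000"),  # durable nonce, unwatched signer
]
```

The default 900-second window and three-transaction minimum are illustrative thresholds to tune per protocol.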

The firm also highlighted Beacon Network participation across exchanges and DeFi protocols as a mechanism for accelerating cross-platform alerting once North Korea-linked addresses are identified.

