North Korean state-backed hacking groups stole $577 million in cryptocurrency in just two attacks during the first four months of 2026, accounting for 76% of all global crypto hack losses in that period. The findings come from a new report by blockchain intelligence firm TRM Labs, which says the regime’s operations are becoming sharper and faster than at any point in their history.
The attacks targeted Drift Protocol and KelpDAO, both major DeFi platforms. Taken together, the two heists represent North Korea’s most concentrated theft campaign on record, a dramatic escalation from a strategy that previously relied on the volume of attacks rather than precision.
The Two Attacks
The first breach hit Drift Protocol, a Solana-based perpetuals exchange. TRM Labs described the attack as the result of a months-long infiltration campaign, in which North Korean operatives spent time physically embedded with the project team before executing the exploit. The operation resulted in around $285 million in losses.
The second attack struck KelpDAO, a liquid restaking protocol on Ethereum. That exploit was more technically conventional but equally devastating, draining roughly $292 million from the protocol. The Arbitrum DAO subsequently voted 90.9% in favor of unlocking $71 million in frozen KelpDAO ETH as part of recovery efforts.
TRM analyst Ari Redbord described the shift in approach in direct terms. “What we are watching is not a North Korean campaign that is broader — it is one that is sharper,” he said. “North Korea is moving faster and more precisely than ever.”
Cumulative Theft Since 2017
The TRM Labs report puts North Korea’s cumulative crypto theft at more than $6 billion across attributed incidents since 2017. That figure covers hacks, exchange breaches, protocol exploits, and social engineering campaigns.
The country’s hacking apparatus, attributed to the Lazarus Group and affiliated units, has evolved steadily over that period. Early operations targeted exchanges directly. More recent campaigns have shifted toward DeFi protocols, where smart contract vulnerabilities can be exploited at scale and fund recovery is nearly impossible without collective governance action.
The UN Panel of Experts has previously estimated that proceeds from crypto theft fund a significant portion of North Korea’s ballistic missile program. The US Treasury has sanctioned numerous wallet addresses and laundering services associated with the operations.
Why DeFi Remains Vulnerable
DeFi protocols present a distinct security profile from centralized exchanges. Smart contract code is publicly visible, which enables community auditing but also gives attackers time to study it for exploitable flaws. Governance mechanisms can be slow to respond. Liquidity is deep, making it possible to drain large amounts quickly before circuit breakers or emergency pauses can be triggered.
The KelpDAO attack specifically exposed risks in cross-chain restaking architectures, where assets move between multiple blockchains and accumulate in contracts that serve as aggregation points. Security researchers have noted that these aggregation points represent high-value targets.
Drift Protocol’s breach raised different concerns — specifically about operational security in teams working on open-source protocols. The prolonged infiltration campaign suggests that North Korean operatives are now investing in social engineering and insider access as primary attack vectors, not just technical exploits.
Industry Response
Following the TRM Labs report, several major DeFi security firms published updated threat advisories. Audit firms noted a spike in inbound requests from protocols seeking additional reviews.
The Ethereum Foundation and Solana Foundation have both issued guidance to DeFi teams about operational security practices, including recommendations around team verification, access controls, and incident response planning.
On-chain security tooling has advanced considerably since the high-profile breaches of 2021 and 2022, but TRM’s data suggests that attackers are adapting faster than defenders in many areas. Circuit breakers and emergency pause mechanisms, while more common than in earlier DeFi cycles, did not prevent either of this year’s major losses.
Geopolitical Dimension
The concentration of losses in just two attacks is significant from a policy standpoint. Previous years saw dozens of smaller hacks that were harder to attribute and prosecute. Two large, well-documented attacks are easier to trace and attribute, but also demonstrate an escalation in ambition.
US lawmakers have cited North Korea’s crypto operations in debates over both the CLARITY Act and broader crypto regulation. Some members have argued that a clearer regulatory framework would give law enforcement more tools to track and recover stolen funds. Others have pushed for mandatory security standards on DeFi protocols above certain asset thresholds.
Neither proposal has been resolved in current legislation.
FAQ
How much has North Korea stolen through crypto hacks?
According to TRM Labs, North Korea has stolen more than $6 billion in cryptocurrency through attributed incidents since 2017. In the first four months of 2026 alone, it stole $577 million in two attacks.
Which platforms were hacked by North Korea in 2026?
TRM Labs attributed two major 2026 attacks to North Korea: Drift Protocol (around $285 million) and KelpDAO (around $292 million).
Can stolen crypto be recovered?
Recovery is rare and difficult. The Arbitrum DAO voted to unlock $71 million in frozen KelpDAO ETH, but the majority of stolen funds in North Korean operations get laundered through mixers and cross-chain bridges before law enforcement can act.
*Source: TRM Labs, The Block, CoinDesk, crypto.news*