Two hacks. $577 million. Seventy-six percent of every dollar stolen from the crypto industry in 2026 to date.
That’s the tally from TRM Labs, the blockchain intelligence firm, which published its analysis of crypto theft through April 2026. North Korean state-sponsored hacking groups carried out both attacks — each attributed to a distinct unit operating under Pyongyang’s cyber apparatus — and the concentration of losses in a single threat actor is the highest TRM has recorded in any comparable window.
The Two Attacks
The first hit Drift Protocol on April 1. The Solana-based perpetuals exchange lost $285 million. TRM’s on-chain forensics showed that pre-positioning inside Drift’s infrastructure began on March 11 — the attackers spent three weeks preparing before executing the drain.
That preparation included in-person meetings between North Korean proxies and exchange personnel in the period leading up to the breach. The attack combined smart contract exploitation with targeted social engineering against individuals who held privileged access — a hybrid approach that’s become a hallmark of North Korean operations against crypto targets.
The second attack struck a separate platform in late April, extracting $292 million. Details on that target remain more limited, but TRM’s attribution methodology — tracing wallet flows, analyzing on-chain timing patterns, and cross-referencing against known North Korean infrastructure — identified the same state apparatus as responsible.
Total North Korean crypto theft since 2017 now exceeds $6 billion, according to TRM’s cumulative tracking. The pace isn’t slowing.
Why Crypto Keeps Getting Hit
North Korea targets crypto for structural reasons, not opportunistic ones. Sanctions have severed Pyongyang’s access to the international banking system. Crypto provides a workaround: value that can move across borders without correspondent banking infrastructure, semi-anonymously, entirely through software.
The tradecraft has matured considerably since the early exchange hacks of 2017-2018. Recent operations show multi-week preparation timelines, supply chain attack vectors, and in-person social engineering that goes well beyond the script-kiddie stereotype sometimes attached to state-sponsored hacking. The Drift attack’s March 11 preparation date — twenty-one days before the April 1 execution — makes that clear.
After a theft, stolen funds typically move through a laundering sequence: DeFi protocols to break the on-chain trail, cross-chain bridges to shift between networks, peer-to-peer exchanges in jurisdictions outside U.S. enforcement reach, and eventually conversion to fiat through channels the U.S. can’t touch. The blockchain’s transparency creates a forensic record, but that record alone doesn’t prevent the laundering — it just documents it.
Sanctions and Their Limits
The U.S. Treasury’s Office of Foreign Assets Control has designated North Korean-linked wallet addresses repeatedly. An OFAC designation forces regulated exchanges to screen against the address, cutting off the sanctioned wallet from the compliant on-ramps that make stolen crypto liquid.
But sanctions against a state actor who doesn’t need dollar access to operate are inherently limited. North Korea doesn’t have correspondent banking to lose. The secondary pressure — sanctions on exchanges and services that process North Korean funds — has more bite, but enforcement requires identifying the intermediaries, which takes time the attackers use to move funds further down the laundering chain.
In the first quarter of 2026 alone, Treasury sanctioned six Ethereum wallets linked to the Sinaloa Cartel’s cryptocurrency network — a separate operation that illustrates the same enforcement dynamic. The designation was real, the legal exposure for exchanges was real, but the funds were already in motion.
What the Industry Is Doing About It
TRM Labs’ report has accelerated conversations about baseline security standards for DeFi protocols. The Drift attack’s success despite the existence of smart contract auditing, bug bounties, and documented operational security practices has forced a harder look at what “adequate” actually means when the adversary is a state-funded team with months to prepare.
Several protocols announced security reviews in the weeks following the Drift disclosure. The most concrete near-term responses involve time-locks on large fund movements — a mechanism that forces a mandatory delay between a transfer request and execution, giving security teams time to catch anomalies before funds leave. Multi-signature governance thresholds for privileged operations are also getting renewed attention.
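To make those two controls concrete, here is an added sketch (not code from TRM Labs, Drift, or any protocol named in this article) of a treasury that requires both an approval threshold and a waiting period on large transfers. The class names, the guardian role, the $1 million threshold, the 24-hour delay and the 3-signer quorum are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy values, for illustration only.
LARGE_TRANSFER = 1_000_000   # transfers at or above this amount are delayed
DELAY_SECONDS = 24 * 3600    # mandatory wait between request and execution
REQUIRED_APPROVALS = 3       # M in an M-of-N signer set

@dataclass
class Transfer:
    amount: int
    requested_at: int
    approvals: set = field(default_factory=set)
    cancelled: bool = False
    executed: bool = False

class TimelockedTreasury:
    # Hypothetical model: large transfers need a quorum AND an elapsed delay.
    def __init__(self, signers, guardians):
        self.signers, self.guardians, self.queue = set(signers), set(guardians), {}

    def request(self, amount, now):
        tid = len(self.queue) + 1
        self.queue[tid] = Transfer(amount, now)
        return tid

    def approve(self, tid, signer):
        if signer not in self.signers:
            raise PermissionError("not an authorised signer")
        self.queue[tid].approvals.add(signer)

    def cancel(self, tid, guardian):
        # A single guardian can stop a queued transfer during the delay window.
        if guardian not in self.guardians:
            raise PermissionError("not a guardian")
        self.queue[tid].cancelled = True

    def execute(self, tid, now):
        t = self.queue[tid]
        if t.cancelled or t.executed:
            return "rejected: cancelled or already executed"
        if t.amount >= LARGE_TRANSFER:
            if len(t.approvals) < REQUIRED_APPROVALS:
                return "rejected: approval threshold not met"
            if now - t.requested_at < DELAY_SECONDS:
                return "rejected: timelock still active"
        t.executed = True
        return "executed"
```

The point of the design is that compromising enough signers to reach the quorum is not sufficient on its own: the request still sits in the queue for the full delay, during which any guardian can cancel it.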
For 2026 as a whole, TRM’s projections put North Korea’s trajectory on pace to exceed the $1.5 billion attributed to Pyongyang for full-year 2024, barring a significant change in either the industry’s security posture or the geopolitical environment that funds the program.
Frequently Asked Questions
How much has North Korea stolen from crypto in 2026?
$577 million through April 2026, across two attacks — 76% of all global crypto hack losses in that period, according to TRM Labs. Total North Korean crypto theft since 2017 now exceeds $6 billion.
What was the Drift Protocol hack?
Drift Protocol, a Solana-based perpetuals exchange, lost $285 million on April 1, 2026. TRM Labs traced preparation activity beginning March 11, with on-chain evidence and intelligence indicating that North Korean proxies held in-person meetings with exchange personnel before the attack.
Why does North Korea focus on cryptocurrency theft?
Cryptocurrency offers a sanctions workaround — value that can move across borders without the correspondent banking infrastructure that North Korea has been cut off from. Stolen funds are laundered through DeFi protocols, cross-chain bridges, and peer-to-peer exchanges before conversion to fiat in jurisdictions outside U.S. enforcement reach.