North Korean state-backed hackers have stolen $577 million in cryptocurrency through just two attacks in 2026, representing 76% of all crypto hack losses globally in the first four months of the year. That finding, published this week by blockchain intelligence firm TRM Labs, underscores a shift in the threat landscape: Pyongyang isn’t launching more attacks – it’s launching bigger ones.
The two incidents, both occurring in April, each targeted decentralized finance infrastructure and resulted in losses that far exceeded the total from all other crypto exploits combined during the same period. By comparison, all other hacking groups combined accounted for just 24% of global losses – across three times as many individual incidents.
The Numbers Behind the Report
TRM Labs tracked $762 million in total crypto hack losses across the first four months of 2026. North Korean-attributed groups – primarily the Lazarus Group and its affiliated DPRK cyber units – were responsible for $577 million of that total.
That ratio – 76% of all losses, from just 2 out of 66 total incidents – reflects a fundamental change in attack methodology. Earlier waves of North Korean crypto theft relied on high-volume, lower-value exploits targeting individual wallets and smaller protocols. The 2026 campaigns have shifted decisively toward large, structurally complex attacks against high-value DeFi targets.
“The DPRK isn’t trying to rack up incident counts,” TRM Labs wrote in the report. “They’re concentrating resources on targets where a single operation can yield hundreds of millions.”
Cumulative Theft Now Tops $6 Billion Since 2017
The 2026 haul pushes North Korea’s cumulative crypto theft above $6 billion in attributed incidents since 2017, when TRM Labs began formally tracking DPRK-linked activity. That figure makes Pyongyang by far the most prolific state-sponsored cyber theft operation in history – eclipsing every other nation-state actor combined.
For context: North Korea’s official government budget is estimated by analysts at roughly $4 billion annually. Crypto theft has become a meaningful supplement to foreign exchange reserves for a country under severe international sanctions.
The U.S. Treasury Department, the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA) have each issued advisories warning that North Korean hackers continue to specifically target crypto exchanges, DeFi protocols, and venture-backed Web3 firms for recruitment-to-exploit campaigns where operatives spend months embedded inside target organizations before executing a drain.
The Drift Protocol Attack: Inside a $285 Million Long Con
One of the two April incidents targeted Drift Protocol, a Solana-based perpetual futures exchange. According to CoinDesk’s reporting on the aftermath, North Korean operatives posed as software engineers and spent months cultivating relationships inside the Drift development team before gaining privileged access to key infrastructure.
The attack resulted in approximately $285 million in losses and triggered a cascade of liquidations across Solana’s DeFi system. Drift has since announced a recovery plan, but the incident raised urgent questions about how DeFi protocols vet contributors and manage access to sensitive systems.
The second April incident hasn’t been publicly attributed by name but involved a similar social engineering component – a pattern TRM Labs describes as a “long con” methodology that distinguishes DPRK hackers from opportunistic criminal groups.
How North Korea’s Share Has Grown
TRM Labs data shows North Korea’s share of global crypto hack losses has risen sharply in recent years: from 22% in 2022 to approximately 44% in 2023, 58% in 2024, 71% in 2025, and now 76% in the first four months of 2026.
The escalation correlates with two factors: increasing protocol value locked in DeFi targets, and improving operational sophistication from DPRK hacking units that have had nearly a decade to refine their techniques against the crypto sector specifically.
What the Industry Is Doing About It
Several blockchain security firms, including Chainalysis, Elliptic, and TRM Labs itself, have partnered with exchanges to flag DPRK-linked wallet addresses in real time. Major centralized exchanges now refuse to process withdrawals from flagged addresses, forcing North Korean operatives to route stolen funds through increasingly complex mixing and bridging sequences before cashing out.
The FBI has disrupted several cash-out pipelines in coordination with international partners, but analysts say that North Korean groups consistently adapt faster than enforcement can respond.
For DeFi protocols specifically, the recommendations are increasingly focused on operational security rather than on-chain monitoring: rigorous background checks for contributors, hardware security keys for admin functions, and multi-party authorization requirements for any transaction above a defined threshold.
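The two defensive controls described above, flagged-address screening on outgoing transfers and multi-party authorization above a value threshold, can be combined into a single policy gate that sits in front of any privileged transfer. The following is an added example written for this article, not code from TRM Labs, Drift, or any exchange; every address, keyholder name, secret and tier value in it is a constructed placeholder, and the HMAC-based approvals stand in for the hardware-key signatures a real deployment would verify with each keyholder's public key. Beyond the two controls named in the text, the gate also binds each approval to the exact transfer (destination, value and a one-time nonce) so that an approval collected for a small transfer cannot be reused to authorize a large one.

```python
"""Transfer policy gate: flagged-address screening plus tiered multi-party
authorization. Added example; all values below are constructed placeholders."""

from dataclasses import dataclass
import hashlib
import hmac

# Constructed stand-in for a real-time flagged-address feed from a
# blockchain-intelligence provider (the article names such feeds; these
# addresses are made up for the example).
FLAGGED_ADDRESSES = {
    "0xFLAGGED000000000000000000000000000000001",
    "0xFLAGGED000000000000000000000000000000002",
}

# Approval tiers: a transfer at or above the USD floor needs that many
# distinct keyholders. Constructed values; a protocol sets its own.
APPROVAL_TIERS = [
    (0, 1),          # below $10k: one operator
    (10_000, 2),     # $10k and up: two distinct keyholders
    (1_000_000, 3),  # $1M and up: three distinct keyholders
]

# Constructed per-keyholder secrets. In production each approver would sign
# with a hardware security key and the gate would verify with the matching
# public key; HMAC is used here only so the example runs with the stdlib.
KEYHOLDER_SECRETS = {
    "alice": b"constructed-secret-alice",
    "bob": b"constructed-secret-bob",
    "carol": b"constructed-secret-carol",
}


@dataclass(frozen=True)
class Transfer:
    destination: str
    usd_value: float
    nonce: str  # unique per request; lets the gate reject replayed approvals

    def canonical(self) -> bytes:
        # Fixed field order so every approver signs exactly the same bytes;
        # changing any field invalidates all approvals collected so far.
        return f"{self.nonce}|{self.destination}|{self.usd_value:.2f}".encode()


@dataclass(frozen=True)
class Approval:
    approver: str
    signature: bytes


def sign_approval(approver: str, transfer: Transfer) -> Approval:
    """Produce a keyholder's approval bound to this exact transfer."""
    mac = hmac.new(KEYHOLDER_SECRETS[approver], transfer.canonical(),
                   hashlib.sha256).digest()
    return Approval(approver, mac)


def required_approvals(usd_value: float) -> int:
    """Number of distinct keyholders the tier table demands for this value."""
    needed = 1
    for floor, count in APPROVAL_TIERS:
        if usd_value >= floor:
            needed = count
    return needed


class PolicyGate:
    def __init__(self) -> None:
        self._seen_nonces: set[str] = set()

    def evaluate(self, transfer: Transfer, approvals: list[Approval]) -> tuple[bool, str]:
        """Return (allowed, reason). Deny reasons are specific for audit logs."""
        if transfer.destination in FLAGGED_ADDRESSES:
            return False, "destination is on the flagged-address list"
        if transfer.nonce in self._seen_nonces:
            return False, "nonce already used (possible replay)"
        valid: set[str] = set()
        for a in approvals:
            secret = KEYHOLDER_SECRETS.get(a.approver)
            if secret is None:
                continue  # unknown approver: not counted
            expected = hmac.new(secret, transfer.canonical(), hashlib.sha256).digest()
            if hmac.compare_digest(expected, a.signature):
                valid.add(a.approver)  # a set, so one key approving twice counts once
        needed = required_approvals(transfer.usd_value)
        if len(valid) < needed:
            return False, f"{len(valid)} valid approval(s), {needed} required"
        self._seen_nonces.add(transfer.nonce)
        return True, "authorized"


if __name__ == "__main__":
    gate = PolicyGate()
    big = Transfer("0xTREASURY00000000000000000000000000000001", 2_000_000.0, "req-1")
    print(gate.evaluate(big, [sign_approval("alice", big), sign_approval("alice", big)]))
    print(gate.evaluate(big, [sign_approval(k, big) for k in ("alice", "bob", "carol")]))
    print(gate.evaluate(big, [sign_approval(k, big) for k in ("alice", "bob", "carol")]))
```

The gate returns a reason string with every denial so that the decision can be logged and reviewed; the first call above is denied because a single keyholder approving twice still counts as one approver, the second succeeds, and the third is rejected as a replay of an already-executed nonce.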
FAQ
How is North Korea able to steal crypto at this scale? DPRK hacking units – primarily the Lazarus Group – combine sophisticated social engineering with elite technical skills. They often spend months inside target organizations as fake employees before executing an attack. The decentralized nature of DeFi protocols, which often have small teams and open-source codebases, makes them particularly vulnerable to insider-access exploits.
What happens to stolen crypto after North Korea takes it? Stolen funds are typically moved through a series of mixers, cross-chain bridges, and over-the-counter brokers to obscure the trail and convert to fiat currency. The UN has documented that these funds flow directly to North Korea’s weapons programs.
Can stolen crypto be recovered? Recovery is rare. In some cases, protocols have negotiated with attackers to return funds in exchange for a “white-hat bounty.” Law enforcement has frozen some assets on centralized platforms, but funds that reach privacy-focused protocols or Monero are effectively unrecoverable.
— *Sources: TRM Labs, CoinDesk, The Block, Crypto.news, CNBC*