North Korean state-linked hackers stole $577 million in cryptocurrency during the first four months of 2026 – accounting for 76% of all hack-related losses across the industry – using just two attacks, according to a report published by blockchain intelligence firm TRM Labs.
The figures are staggering both in raw dollar terms and in their concentration. Two incidents out of the 66 hacks tracked by TRM through April generated three-quarters of the year’s losses. That asymmetry reflects a shift in North Korea’s operational model: fewer attacks, executed with greater precision, against larger targets.
The Two Attacks
The $577 million in North Korean theft came from two operations carried out in April 2026:
Drift Protocol – $285 million. Drift is a decentralised perpetuals and spot exchange built on Solana. Attackers exploited a vulnerability in the protocol’s oracle pricing mechanism, allowing them to manipulate asset valuations and drain liquidity pools across multiple trading pairs. TRM attributed the attack to the Lazarus Group – the North Korean state hacking collective responsible for most of the country’s crypto theft operations since 2017.
KelpDAO – $292 million. KelpDAO is an Ethereum-based liquid restaking protocol. The exploit targeted a vulnerability in KelpDAO’s cross-chain bridge via LayerZero, which attackers used to withdraw funds from the protocol’s restaking vaults. The incident triggered a public dispute between KelpDAO and LayerZero over liability, with each pointing at the other’s code as the root cause.
Both attacks occurred within the same two-week window in April – a pattern TRM notes is consistent with North Korean coordinated campaign operations, where multiple attack teams are activated simultaneously to maximise returns before wallets are flagged and frozen.
The Broader Landscape
Total industry crypto hack losses through April 2026 stood at approximately $759 million across 66 incidents, according to TRM. Removing the two North Korean attacks leaves $182 million in losses spread across 64 incidents – an average of roughly $2.8 million per incident and a relatively modest figure by historical standards.
That secondary pool of losses is consistent with the fragmented, opportunistic end of the exploit market: smaller DeFi protocols, poorly audited contracts, bridge implementations with known weaknesses. North Korea is operating in a different tier entirely.
Since 2017, TRM estimates North Korean hackers have stolen more than $6 billion in cryptocurrency. The Lazarus Group has evolved from targeting exchanges directly to targeting DeFi infrastructure – bridges, restaking vaults, and cross-chain protocols – where the combination of complexity, value concentration, and nascent security practices creates maximum exposure.
Why DeFi Infrastructure Remains Vulnerable
Both 2026 attacks targeted infrastructure layers rather than front-end applications: a decentralised oracle system in Drift’s case, a cross-chain bridge in KelpDAO’s. These layers typically hold or route significant value but receive less security scrutiny than the user-facing protocols above them.
Bridge exploits in particular have been a recurring vector. The Ronin bridge lost $625 million to North Korean hackers in 2022. Horizon Bridge lost $100 million the same year. Despite years of public post-mortems, audits, and bug bounty programs, cross-chain infrastructure continues to generate some of the industry’s largest single-incident losses.
TRM analysts noted in the report that they’re beginning to see evidence of AI-assisted reconnaissance in North Korean operations – specifically, automated scanning of contract code for known vulnerability patterns and AI-assisted social engineering targeting protocol team members via LinkedIn and Telegram. These techniques accelerate the attack preparation phase without requiring the attackers to develop novel exploits.
International Response
The US Treasury has sanctioned multiple Lazarus Group-linked wallets and several Ethereum addresses associated with both the Drift and KelpDAO attacks, according to OFAC filings. Several centralised exchanges have frozen accounts linked to movement of the stolen funds.
North Korea’s crypto theft apparatus is considered a significant revenue source for the country’s ballistic missile and nuclear weapons programs, according to the United Nations Panel of Experts on North Korea, which estimated crypto theft now funds roughly 40% of the country’s weapons development budget.
The Arbitrum DAO’s decision to vote 90% in favour of unfreezing $71 million in ETH tied to the KelpDAO hack aftermath – after LayerZero and KelpDAO reached a partial liability settlement – added an unexpected governance dimension to the fallout from the attack.
FAQ
How did North Korean hackers steal $577 million in just two attacks? They targeted high-value DeFi infrastructure – specifically a decentralised oracle mechanism on Drift Protocol and a cross-chain bridge on KelpDAO – where a single successful exploit can drain tens or hundreds of millions of dollars in one transaction sequence.
What is TRM Labs, and how reliable is its data? TRM Labs is a blockchain intelligence company that provides transaction monitoring and analytics to financial institutions, exchanges, and government agencies. Its attribution methodology is widely cited in law enforcement and regulatory contexts, though, like all blockchain forensics firms, it relies on probabilistic clustering techniques rather than absolute proof of identity.
Is there any way to recover crypto stolen by North Korean hackers? Very little has been recovered historically. Some funds are frozen by centralised exchanges before they can be fully laundered, and OFAC sanctions make it illegal for US entities to transact with identified wallets. The broader recovery rate for state-sponsored theft is estimated at under 5%.
*Sources: TRM Labs, The Block, CoinDesk, OFAC, Cryptocurrencyhelp.com, UN Panel of Experts*