Two attacks. Seventy-six percent of all crypto stolen this year.
A new report from blockchain intelligence firm TRM Labs reveals that North Korean hacking groups have claimed a staggering share of 2026’s cryptocurrency theft losses through an approach that prioritises surgical precision over volume. The Drift Protocol breach on April 1 and the KelpDAO bridge exploit on April 18 together netted approximately $577 million — accounting for three-quarters of every dollar stolen from the crypto industry in the first four months of 2026.
The Two Attacks That Defined the Year
Drift Protocol — $285 million (April 1)
The Drift attack was three weeks in the making. TRM analysts found that the threat actors spent weeks staging their access, combining social engineering with technical infiltration to compromise the private keys of protocol signers. When the drain finally executed, it happened in roughly 12 minutes.
The stolen funds were initially moved across chains at speed in an apparent attempt to outpace any freeze response. Since then, the funds have gone quiet — a pattern TRM describes as dormancy that is consistent with North Korean groups allowing time to pass before beginning a laundering process.
KelpDAO — $292 million (April 18)
The KelpDAO hack exploited a design flaw in a LayerZero bridge: the bridge was configured to accept cross-chain messages on the attestation of a single verifier, so the attacker only had to satisfy that one verifier and the protocol's multi-signature protections never came into play. The flaw was architectural rather than the result of a key compromise, making it a different class of attack from Drift.
The response was faster. Arbitrum’s ecosystem managed to freeze $75 million of the stolen funds before they could be moved. The remaining proceeds were routed through THORChain, which converted the stolen ETH to Bitcoin without any operator intervention to freeze or reject the transactions.
As of the TRM Labs report date, the KelpDAO funds are in the middle of what the firm calls a “textbook TraderTraitor liquidation process” — the name given to the laundering methodology used by a known North Korean sub-group.
THORChain: The Consistent Common Denominator
One of the most striking findings in the TRM report is the repeated use of THORChain as the bridge of choice for North Korea’s largest heists. The protocol also played a central role in laundering proceeds from the Bybit breach in February 2025 — still the largest single crypto hack in history at $1.46 billion.
THORChain’s design prioritises permissionless cross-chain swaps. No single operator can freeze funds or block transactions, making it structurally resistant to the kind of real-time intervention that allowed Arbitrum to freeze $75 million of the KelpDAO proceeds.
The protocol’s role in multiple high-profile North Korean laundering operations has reignited debate about whether fully permissionless infrastructure can coexist with the anti-money-laundering compliance frameworks that regulators increasingly demand from the broader crypto industry.
North Korea’s Growing Share of Crypto Theft
The numbers show a clear trend. North Korea’s share of total crypto hack losses has grown dramatically over the past six years:
- 2020–2021: Under 10% of total hack value
- 2022: 22%
- 2023: 37%
- 2024: 39%
- 2025: 64% (driven primarily by the Bybit breach)
- 2026 YTD: 76%
The trajectory is not explained by an increase in the number of attacks — North Korea’s hacking groups run a small number of highly targeted operations each year rather than a continuous stream of smaller hacks. Instead, TRM analysts point to increasing sophistication in target selection and attack execution.
“What has changed is the sophistication of the attacks themselves,” the report notes, adding that analysts are beginning to speculate that North Korean operators are improving their operational security and technical capabilities at a pace that outstrips the industry’s defensive improvements.
Cumulative Theft Now Exceeds $6 Billion Since 2017
The two 2026 attacks push North Korea’s total attributed crypto theft past $6 billion since 2017 — a figure that U.S. officials and the United Nations have repeatedly flagged as a significant source of funding for Pyongyang’s weapons programs.
The FBI, OFAC, and international law enforcement agencies have issued advisories and sanctions against several North Korean-linked groups, most notably Lazarus Group and the sub-group known as TraderTraitor. Despite these efforts, the groups continue to operate effectively.
What the Industry Can Do
TRM Labs’ report outlines defensive steps available to DeFi protocols and exchanges. The firm operates the Beacon Network — a coalition of more than 30 exchanges and DeFi protocols that share real-time intelligence when North Korean-linked funds reach participating institutions.
The Arbitrum ecosystem's successful freeze of $75 million in KelpDAO funds illustrates what rapid coordination can achieve, even though the frozen amount was roughly a quarter of the total stolen. The Drift funds, by contrast, remain largely unrecovered, underscoring the difficulty of post-breach intervention once funds have been layered across chains.
For DeFi developers, the KelpDAO exploit carries a specific technical lesson: a bridge that executes messages on the attestation of a single verifier has a single point of failure, and requiring several independent verifiers to attest before any cross-chain message is executed should be treated as a minimum security baseline rather than an optional safeguard. That requirement lives in configuration, so it needs to be audited as configuration: a protocol whose contracts support multiple verifiers is still single-verifier if it was deployed with one.
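The following is an added illustration of that lesson, not code from KelpDAO, LayerZero or TRM Labs. It is a toy model of cross-chain message verification: each off-chain verifier attests only to messages it actually observed on the source chain, and the destination-side bridge decides whether to execute based on its verifier configuration. The required/optional/threshold shape is loosely modelled on how configurable-verifier bridges express their policy, but the names, the HMAC-based attestation (standing in for on-chain signature checks) and the sample messages are all constructed for this example. It shows that once one verifier's key is stolen, a single-verifier configuration executes a forged withdrawal while a configuration that needs a second independent verifier rejects it.

```python
"""Toy model: single-verifier vs threshold verification for a cross-chain bridge.

Hypothetical code written for this article. Verifier attestations are HMACs over
the message digest (a stand-in for signatures); real bridges verify signatures on
chain. Chain ids, keys and payloads below are constructed sample data.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    """A cross-chain message as seen by verifiers and by the destination bridge."""
    src_chain: int
    dst_chain: int
    nonce: int
    payload: bytes

    def digest(self) -> bytes:
        # Bind every field so a replayed or re-targeted message gets a new digest.
        header = (self.src_chain.to_bytes(4, "big") + self.dst_chain.to_bytes(4, "big")
                  + self.nonce.to_bytes(8, "big"))
        return hashlib.sha256(header + hashlib.sha256(self.payload).digest()).digest()


class Verifier:
    """An independent off-chain verifier (a DVN, oracle or relayer in bridge terms)."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name = name
        self._key = key
        self._observed: set = set()

    def observe(self, msg: Message) -> None:
        """Record a message genuinely emitted on the source chain."""
        self._observed.add(msg.digest())

    def attest(self, msg: Message):
        """Honest behaviour: attest only to messages actually observed at the source."""
        if msg.digest() not in self._observed:
            return None
        return hmac.new(self._key, msg.digest(), "sha256").digest()

    def check(self, msg: Message, attestation) -> bool:
        """Destination-side check that an attestation came from this verifier."""
        if attestation is None:
            return False
        expected = hmac.new(self._key, msg.digest(), "sha256").digest()
        return hmac.compare_digest(expected, attestation)


@dataclass
class BridgeConfig:
    """Verification policy: every required verifier, plus a threshold of optional ones."""
    required: list
    optional: list
    optional_threshold: int


def verify(config: BridgeConfig, msg: Message, attestations: dict) -> bool:
    """Return True only if the message satisfies the bridge's verifier policy.

    Attestations from verifiers not in the configuration are ignored, so an
    attacker cannot inflate the count with verifiers they control.
    """
    for v in config.required:
        if not v.check(msg, attestations.get(v.name)):
            return False
    optional_ok = sum(1 for v in config.optional if v.check(msg, attestations.get(v.name)))
    return optional_ok >= config.optional_threshold


def run_scenario() -> dict:
    """One honest verifier key is stolen; compare the two configurations."""
    a, b, c = Verifier("A", b"key-a"), Verifier("B", b"key-b"), Verifier("C", b"key-c")
    real = Message(src_chain=1, dst_chain=2, nonce=1, payload=b"unlock 10 ETH to 0xuser")
    forged = Message(src_chain=1, dst_chain=2, nonce=2, payload=b"unlock 10000 ETH to 0xattacker")
    for v in (a, b, c):
        v.observe(real)          # only the real message exists on the source chain

    # Attacker holds A's key and can attest to anything, observed or not.
    stolen_key_a = b"key-a"
    forged_atts = {"A": hmac.new(stolen_key_a, forged.digest(), "sha256").digest(),
                   "B": b.attest(forged), "C": c.attest(forged)}   # B and C return None
    real_atts = {v.name: v.attest(real) for v in (a, b, c)}

    single = BridgeConfig(required=[a], optional=[], optional_threshold=0)
    threshold = BridgeConfig(required=[a], optional=[b, c], optional_threshold=1)  # A plus 1-of-2

    return {
        "single_verifier_accepts_real": verify(single, real, real_atts),
        "single_verifier_accepts_forged": verify(single, forged, forged_atts),   # True: one stolen key suffices
        "threshold_accepts_real": verify(threshold, real, real_atts),
        "threshold_accepts_forged": verify(threshold, forged, forged_atts),      # False: B and C never saw it
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The point of the model is the last two lines of `run_scenario`: nothing about the forged message changes between configurations, only how many independent parties must vouch for it. That is also why the check belongs in a deployment review: `BridgeConfig(required=[a], optional=[], optional_threshold=0)` is a valid configuration for the same contract, and it is the one that fails.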
FAQ
Q: Which North Korean hacking group is responsible for the 2026 attacks?
TRM Labs attributes the attacks to North Korean state-sponsored hacking groups, with the KelpDAO laundering operation matching the methodology of a sub-group known as TraderTraitor. This group has been previously attributed to several major crypto heists and has been sanctioned by the U.S. Treasury’s Office of Foreign Assets Control.
Q: How did Arbitrum freeze $75 million of the KelpDAO proceeds?
Arbitrum’s ecosystem participants coordinated a rapid response after the hack was identified, leveraging the network’s governance structure to freeze specific addresses holding stolen funds on the Arbitrum chain. The remaining funds were already on the move through THORChain and could not be recovered through the same mechanism.
Q: Why is THORChain used repeatedly for laundering stolen crypto?
THORChain’s permissionless, decentralised design means no single operator can freeze funds or block transactions. This makes it resistant to the kind of real-time intervention available on more centralised networks. The protocol’s inability or unwillingness to block North Korean-linked transactions has made it the preferred bridge for the regime’s largest laundering operations.