Two hacking groups linked to North Korea’s Lazarus apparatus have stolen approximately $577 million in cryptocurrency so far in 2026 — representing a staggering 76% of all global crypto hack losses through the end of April, according to a new report from blockchain intelligence firm TRM Labs.
The findings underscore what security researchers have been warning about for years: North Korea has built the most productive state-sponsored cybercrime operation in history, and it targets cryptocurrency with a precision and scale that no other threat actor matches.
Both attacks happened in April. Together, they rank among the largest single-month theft totals ever recorded.
The Two Attacks Behind the Numbers
Attack 1: Drift Protocol — $285 Million
The first and larger of the two incidents targeted Drift, a decentralised perpetuals exchange built on the Solana blockchain. Attackers drained approximately $285 million from the protocol’s liquidity pools in a sophisticated multi-vector exploit that combined a smart contract vulnerability with a social engineering campaign against Drift’s internal team.
The attack moved fast. Within hours, funds were routed through a chain of mixing services and cross-chain bridges, with a substantial portion flowing into Ethereum before being funnelled toward over-the-counter brokers with lax know-your-customer standards — a laundering route that TRM Labs says has become a North Korean signature.
Attack 2: Kelp DAO — $292 Million
The second attack targeted Kelp DAO, a liquid restaking protocol on Ethereum. The $292 million haul was extracted over a 48-hour window through an oracle manipulation attack that allowed the attackers to drain collateral at artificial prices. The Kelp DAO incident triggered an emergency governance vote in the Arbitrum DAO, which subsequently voted 90% in favour of unlocking $71 million in frozen exploit-linked ETH — a measure intended to partially stabilise affected positions.
Together, the two April attacks accounted for $577 million out of an estimated total of $759 million in crypto hacks industrywide through April 2026, according to TRM Labs’ methodology.
A Pattern, Not an Anomaly
North Korea’s involvement in crypto theft is not new. TRM Labs estimates that Pyongyang-linked groups have stolen more than $6 billion in cryptocurrency since 2017, a figure that dwarfs the hack losses of any private criminal organisation by an order of magnitude.
The operation serves a clear state function. North Korea operates under sweeping international financial sanctions that cut it off from global banking, restricting its ability to import military components, fund weapons programmes, and pay foreign agents. Crypto theft fills that gap with hard currency that is difficult to trace and nearly impossible to freeze at the border.
TRM Labs identifies at least two distinct threat actor groups operating under North Korean direction in 2026. One, tracked under the label “Sapphire Sleet,” focuses on social engineering and supply chain compromises targeting DeFi developers. The second, linked to the longstanding Lazarus Group infrastructure, specialises in exchange and protocol-level technical exploits.
Why DeFi Keeps Losing
The concentration of 2026 losses in two DeFi protocols reflects a structural vulnerability that the industry has not yet solved. Centralised exchanges — Coinbase, Binance, Kraken — have invested heavily in cold storage, multi-signature controls, and third-party security audits. Their attack surfaces are narrower.
DeFi protocols, by contrast, are open-source, composable, and designed to be permissionless. That openness is their product — and their vulnerability. Smart contract audits catch some bugs, but oracle manipulation, governance attacks, and social engineering of developer keyholders are harder to audit away.
The $577 million figure also highlights the limits of on-chain forensics as a deterrent. Crypto’s transparency means every stolen dollar is trackable in theory. In practice, North Korea has demonstrated that sufficiently patient laundering operations — stretching across months, multiple blockchains, and dozens of intermediary wallets — can successfully cash out large sums before enough wallet addresses are sanctioned to make recovery realistic.
Industry Response and Regulatory Pressure
TRM Labs’ findings arrive on the same day that the U.S. Senate is holding its CLARITY Act markup — a bill that includes provisions specifically targeting illicit finance in crypto markets, including enhanced sanctions coordination and stricter requirements on bridges and mixers.
The United States Treasury has already sanctioned several mixers used in North Korean laundering operations, including Tornado Cash and Sinbad. But new tools emerge faster than sanctions lists update, and Pyongyang has demonstrated an ability to pivot rapidly to new laundering infrastructure.
Security experts are calling for mandatory exploit insurance requirements for DeFi protocols, real-time cross-chain transaction monitoring standards, and international coordination on sanctions targeting the OTC desks that accept North Korean crypto.
The Cumulative Picture
Since 2017, North Korea has stolen approximately $6 billion in cryptocurrency. To put that in context:
– It exceeds the annual GDP of many United Nations member states
– It is more than the total annual budget of several weapons development programmes
– It represents a meaningful fraction of North Korea’s estimated total foreign currency reserves
The United Nations Panel of Experts has documented the direct link between crypto theft proceeds and North Korea’s ballistic missile programme. Stolen funds have been traced to procurement networks that acquired missile guidance components, material for solid-fuel rocket engines, and foreign technical expertise.
For the crypto industry, this is not just a cybersecurity problem. It is a geopolitical one.
Frequently Asked Questions
Who are the North Korean hacking groups behind the 2026 crypto thefts?
TRM Labs identifies at least two distinct groups: one linked to the Lazarus Group, which specialises in large-scale technical exploits of exchanges and DeFi protocols, and a newer group referred to as “Sapphire Sleet,” which focuses on social engineering and supply chain attacks targeting DeFi developers.
How does North Korea launder stolen cryptocurrency?
North Korean hackers typically route stolen funds through a combination of crypto mixers, cross-chain bridges, and OTC (over-the-counter) brokers with weak know-your-customer compliance. The process can take months and involves dozens of intermediate wallet addresses before funds are converted to fiat currency.
What can DeFi protocols do to protect against state-sponsored hackers?
Recommended measures include comprehensive smart contract audits, oracle manipulation protections, multi-signature requirements for admin functions, real-time anomaly monitoring, and third-party security retainers with incident response capabilities. However, social engineering of developers remains difficult to prevent through technical means alone.
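The Kelp DAO incident described above drained collateral at artificial oracle prices, and the FAQ answer lists “oracle manipulation protections” as a countermeasure. The following is an added, illustrative Python model of one such protection (not code from Kelp DAO, Drift or TRM Labs): collateral is valued at the lower of the spot price and a trailing time-weighted average price (TWAP), and the action halts when spot diverges from the TWAP by more than a threshold. The window (30 minutes), the 5% deviation limit and the price series are assumptions constructed for this example.

```python
from collections import deque
from typing import Optional


class OracleGuard:
    """Guards collateral valuation against a manipulated spot price.

    Two checks (policy values are assumptions for this example):
    - spot must stay within max_dev of a time-weighted average price (TWAP)
      computed over the last window_s seconds of oracle observations;
    - collateral is valued at the lower of spot and TWAP, so an inflated
      reading cannot unlock more collateral than the trailing average supports.
    """

    def __init__(self, window_s: int = 1800, max_dev: float = 0.05) -> None:
        self.window_s = window_s
        self.max_dev = max_dev
        self.obs: deque = deque()  # (timestamp_seconds, price) observations

    def observe(self, ts: int, price: float) -> None:
        """Record an oracle observation and drop those that fell out of the window."""
        self.obs.append((ts, price))
        while self.obs[0][0] < ts - self.window_s:
            self.obs.popleft()

    def twap(self) -> float:
        """Time-weighted average: each price counts for the seconds it was current."""
        if not self.obs:
            raise ValueError("no oracle observations")
        points = list(self.obs)
        if len(points) == 1:
            return points[0][1]
        weighted = sum(p0 * (t1 - t0) for (t0, p0), (t1, _) in zip(points, points[1:]))
        return weighted / (points[-1][0] - points[0][0])

    def value_collateral(self, amount: float, spot: float) -> Optional[float]:
        """Value `amount` units of collateral, or return None to halt the action."""
        ref = self.twap()
        if abs(spot - ref) / ref > self.max_dev:
            return None  # spot diverges from trailing average: halt and require review
        return amount * min(spot, ref)  # conservative side for collateral


if __name__ == "__main__":
    guard = OracleGuard()
    for ts in range(0, 1801, 60):  # constructed: 30 minutes of steady 100.0 prints
        guard.observe(ts, 100.0)
    print(guard.value_collateral(10.0, 101.0))  # 1000.0: valued at TWAP, not spot
    print(guard.value_collateral(10.0, 250.0))  # None: 150% off TWAP, halt
```

In a production protocol the same check would run on-chain in the vault contract and feed a pause switch, which is where the “real-time anomaly monitoring” from the FAQ would attach.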
Sources: TRM Labs, The Block, crypto.news, gncrypto.news. Reported May 14, 2026.