North Korea Stole 76% of All 2026 Crypto Hack Losses Using Just Two Attacks, TRM Labs Reports

North Korean state-affiliated hackers stole $577 million worth of cryptocurrency in the first four months of 2026, representing 76% of all global crypto hack losses during the period — and they did it with just two attacks. That’s the finding from TRM Labs, the blockchain intelligence firm whose data is widely used by law enforcement agencies and compliance teams worldwide.

The figure is striking not just for its scale but for its concentration. Two incidents accounted for the bulk of Pyongyang’s haul, underlining a shift in tactics: North Korea’s Lazarus Group and affiliated units are no longer relying on a volume of smaller thefts. They are executing fewer, higher-value operations with surgical precision.

The Two Attacks Behind the Numbers

TRM Labs has not publicly named both targets in full detail, but reporting from multiple security firms has linked the 2026 losses to the Drift protocol exploit in late January — which yielded an estimated $300 million — and the KiloEx flash loan manipulation in February, which drained approximately $277 million before being partially reversed after negotiations with the protocol’s team.

North Korea denied the TRM data, as it has denied involvement in virtually every major hack attributed to its operatives over the past decade. The denials have carried little weight with international investigators, who have traced the movement of stolen funds through mixer services and cross-chain bridges in patterns consistent with Lazarus Group methodology.

76% Is a Record

To put the figure in context: TRM Labs noted that North Korean hackers have accounted for at least a third of all financial losses from cryptocurrency hacking in six of the past nine years. The 76% figure for the January-to-April 2026 period is the highest sustained share on record.

The cumulative total stolen by DPRK-linked actors since 2017 now exceeds $6 billion, according to TRM’s running tally — a figure that makes North Korea’s cyber operation one of the most financially productive state-sponsored programs in modern history. The regime uses the proceeds to fund weapons development, sanctions analysts say.

Last year’s spike was driven in part by the historic $1.46 billion Bybit breach in February 2025 — still the single largest crypto theft ever recorded — which alone pushed DPRK’s annual take to exceptional levels. The 2026 numbers suggest that pattern is not a one-off.

How They Do It

Lazarus Group has refined its approach over years of practice. Recent attacks have moved away from direct protocol exploits toward supply chain compromises: infiltrating the development tools, npm packages, or code repositories used by crypto projects to insert malicious code that exfiltrates private keys before anyone notices.

In the KiloEx case, investigators identified compromised developer credentials as the initial access vector. The Drift exploit involved a more sophisticated oracle manipulation strategy, though analysis is still ongoing.

Once funds are stolen, the movement of assets follows a recognizable pattern: rapid conversion to ETH or BTC through decentralized exchanges, then mixing through Tornado Cash successors and layering through multiple bridges before ending up in OTC markets where traders convert to fiat — often in jurisdictions with limited regulatory oversight.

The Industry’s Response

The scale of North Korea’s 2026 activity has renewed calls for mandatory security audits in the DeFi space. Several U.S. lawmakers have cited TRM’s data in hearings related to the CLARITY Act, arguing that any federal regulatory framework must include security baseline requirements for protocols with over $100 million in total value locked.

The Financial Action Task Force (FATF) flagged North Korea’s crypto operations as a primary concern in its last global risk assessment. Several exchanges have tightened their on-chain screening procedures in response, and the Treasury’s OFAC unit added 23 new wallet addresses to its sanctions list in March — the largest single update to the crypto sanctions list in two years.

DeFi Is the Primary Target

TRM’s data makes clear that decentralized finance protocols remain far more exposed than centralized exchanges, which have generally improved their security posture following the Binance hack of 2023 and the Bybit breach. DeFi’s open-source nature, reliance on complex smart contract interactions, and the speed at which new protocols launch create a persistent attack surface.

“The open composability that makes DeFi powerful is also what makes it exploitable,” one blockchain security researcher told CryptoGazette. “Every new money lego is a potential entry point if the developers didn’t get the oracle logic exactly right.”

The data suggests the problem is not improving. Total DeFi hack losses for the first four months of 2026 track slightly above the same period in 2025, even after factoring out the North Korea-attributed incidents.

FAQ

How much has North Korea stolen in crypto overall?
According to TRM Labs, DPRK-linked actors have stolen over $6 billion in cryptocurrency since 2017, making it the most prolific state-sponsored cyber theft operation on record.

What is the Lazarus Group?
Lazarus Group is a North Korean state-sponsored hacking organization linked to numerous high-profile cyber attacks, including the 2016 Bangladesh Bank heist and multiple large-scale cryptocurrency thefts.

How does North Korea use stolen crypto?
Analysts and government agencies believe North Korea converts stolen cryptocurrency to fiat through OTC brokers in lightly regulated markets and uses the proceeds to fund its weapons and missile development programs.


Sources: TRM Labs, crypto.news, TrollEye Security, ChainUP Research

cg_editor

Crypto Reporter

cg_editor covers cryptocurrency markets, blockchain technology, and decentralized finance for CryptoGazette.
