North Korea Stole 76% of All 2026 Crypto Hack Losses With Just Two Attacks, TRM Labs Finds

North Korea’s state-sponsored hacking apparatus has stolen $577 million in just two attacks in 2026 — accounting for 76% of all crypto hack losses through April, according to a new report from blockchain intelligence firm TRM Labs. The findings reveal an accelerating concentration of global crypto theft in Pyongyang’s hands, with cumulative illicit profits since 2017 now topping $6 billion.

The two attacks — targeting Drift Protocol and KelpDAO — together represent the most financially destructive pair of crypto exploits executed by a single nation-state in blockchain history.

The Two Attacks That Defined 2026’s Hack Landscape

Drift Protocol

Drift Protocol, a Solana-based perpetuals and spot DEX, was the target of the first major North Korean exploit of 2026. The attack drained funds through a sophisticated combination of smart contract exploitation and cross-chain bridging techniques that have become hallmarks of the Lazarus Group and its affiliated units.

KelpDAO

KelpDAO, an Ethereum liquid restaking protocol, was hit in a separate attack — with the aftermath visible in the Arbitrum DAO’s recent 90.9% vote to unlock $71 million in frozen exploit-related ETH held in a DAO treasury. The scale of the KelpDAO exploit contributed significantly to North Korea’s running total for the year.

Together, the two hacks account for $577 million — compared to total global crypto hack losses through April 2026 of approximately $759 million. The remaining 24%, roughly $182 million, was divided among dozens of smaller incidents by unaffiliated actors.

A Decade of Escalating Theft

TRM Labs’ data charts a relentless upward trajectory in North Korea’s share of global crypto theft:

Year                  | North Korea’s Share
2022                  | 22%
2023                  | 37%
2024                  | 39%
2025                  | 64%
2026 (through April)  | 76%

The trend reflects two simultaneous dynamics: the growing technical sophistication of North Korean cyber units, and the relative decline of other major hack actors who have either been arrested, disrupted by law enforcement, or shifted tactics.

Total theft since 2017 now exceeds $6 billion — funds that the U.S. Treasury, UN, and intelligence agencies have consistently assessed are used to finance North Korea’s weapons programs, including its ballistic missile development.

How North Korea Steals Crypto

North Korean hacking units — most notably the Lazarus Group and its offshoots BlueNoroff and AppleJeus — have developed a distinctive operational playbook:

Social engineering: Attackers impersonate developers, recruiters, and investors on LinkedIn, Telegram, and GitHub to gain access to private keys or internal systems.

Malicious code packages: Compromised npm packages, fake job test files, and weaponized code repositories deliver malware to developer machines.

Cross-chain laundering: Once funds are stolen, they are rapidly moved through mixers (including Tornado Cash and newer privacy tools), cross-chain bridges, and peer-to-peer exchanges in jurisdictions with limited AML enforcement.

Hiring of outsourced developers: A parallel program involving thousands of North Korean nationals posing as freelance developers globally generates additional revenue while potentially creating insider access at crypto projects.

The Security Implications for DeFi

The concentration of hack losses in two large-scale, highly sophisticated attacks rather than dozens of smaller incidents suggests North Korean units are increasingly targeting high-value protocols with complex attack vectors — rather than the simpler rug-pulls and flash loan attacks that characterized the 2021–2022 DeFi hack wave.

For protocol teams, the implication is that standard audit practices — which focus on code-level vulnerabilities — may be insufficient. Social engineering of team members, supply chain attacks on developer toolchains, and operational security gaps represent attack vectors that code audits do not address.
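
One check a team can run against the developer-toolchain vector described above (compromised npm packages and fake job-test repositories), as an added example that is not from TRM Labs or the original article: it reads a project's package-lock.json and flags dependencies that run install-time scripts, lack an integrity hash, or resolve from outside the npm registry. The trusted-host list, the function name and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example: flag package-lock.json entries (lockfileVersion 2/3) that
// deserve review before dependencies are installed on a developer machine.
// Assumption: only the public npm registry is trusted; extend for a private one.
const TRUSTED_REGISTRY_HOSTS = new Set(["registry.npmjs.org"]);

function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // The root project, workspace links and bundled dependencies legitimately
    // carry no resolved/integrity fields, so they are skipped.
    if (path === "" || entry.link || entry.inBundle) continue;
    const reasons = [];
    // npm records hasInstallScript when a package declares install-time
    // lifecycle scripts, which run with the installing user's privileges.
    if (entry.hasInstallScript) reasons.push("install-script");
    // Without an integrity hash the fetched tarball cannot be verified.
    if (!entry.integrity) reasons.push("no-integrity");
    let url = null;
    try { url = new URL(entry.resolved); } catch { /* missing or unparsable */ }
    if (!url || url.protocol !== "https:" || !TRUSTED_REGISTRY_HOSTS.has(url.hostname)) {
      reasons.push("untrusted-source");
    }
    if (reasons.length > 0) {
      findings.push({ name: path.split("node_modules/").pop(), version: entry.version, reasons });
    }
  }
  return findings;
}

// Constructed sample lockfile: package names, hosts and hashes are placeholders.
const SAMPLE_LOCK = {
  name: "example-dapp", lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp", version: "0.1.0" },
    "node_modules/example-logger": {
      version: "2.3.1", integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
      resolved: "https://registry.npmjs.org/example-logger/-/example-logger-2.3.1.tgz" },
    "node_modules/example-native-addon": {
      version: "1.0.4", integrity: "sha512-CONSTRUCTED-PLACEHOLDER", hasInstallScript: true,
      resolved: "https://registry.npmjs.org/example-native-addon/-/example-native-addon-1.0.4.tgz" },
    "node_modules/interview-test-utils": {
      version: "1.0.0", hasInstallScript: true,
      resolved: "git+ssh://git@git.example.invalid/recruiter/interview-test-utils.git#0000000" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.name}@${f.version}: ${f.reasons.join(", ")}`);
}
```

Flagged entries are candidates for manual review, not verdicts; installing with `npm ci --ignore-scripts` keeps lifecycle scripts from running while that review happens.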

Several leading blockchain security firms have responded by expanding their “human security” offerings — encompassing developer OPSEC training, insider threat monitoring, and red-teaming exercises designed to simulate state-sponsored intrusion campaigns.

International Response

The United States, South Korea, and Japan have expanded coordination on North Korea-linked crypto sanctions, with OFAC adding new wallet clusters linked to the 2026 attacks to its SDN list. Asset recovery has remained limited — TRM Labs estimates less than 5% of North Korean-stolen crypto has been successfully seized or frozen.

The Arbitrum DAO’s decision to unlock the $71 million in frozen KelpDAO exploit funds represents an unusual instance of on-chain governance being used to partially remediate a hack’s downstream effects on protocol liquidity.

FAQ

How much crypto has North Korea stolen in 2026?
According to TRM Labs, North Korean hackers stole $577 million in 2026 through April — representing 76% of all crypto hack losses globally during that period. The theft came from just two attacks: Drift Protocol and KelpDAO.

Which hacking group is responsible for North Korea’s crypto thefts?
The Lazarus Group, along with affiliated units BlueNoroff and AppleJeus, is primarily responsible. These groups are sanctioned by the U.S. Treasury and are assessed by intelligence agencies to operate under the direction of North Korea’s Reconnaissance General Bureau.

Has any of the stolen crypto been recovered?
Very little. TRM Labs estimates less than 5% of North Korean-stolen crypto has been seized or frozen by authorities. The use of mixers, cross-chain bridges, and P2P exchanges in low-AML jurisdictions makes recovery extremely difficult once funds are moved.

*Sources: TRM Labs research report, The Block, Crypto.news, Yahoo Finance, Bitbo. Data accurate as of May 18, 2026.*

cg_editor

Crypto Reporter

cg_editor covers cryptocurrency markets, blockchain technology, and decentralized finance for CryptoGazette.
