North Korea Stole 76% of All Crypto Hacked in 2026 With Just Two Attacks, TRM Labs Finds

North Korea’s cyber operations have reached a new level of efficiency and scale. According to a report from blockchain intelligence firm TRM Labs, hackers linked to the North Korean state stole $577 million in cryptocurrency in 2026 through just two attacks – accounting for 76% of all global crypto hack losses through April.

The figure isn’t just large in absolute terms. It’s alarming in what it reveals about the concentration and sophistication of state-sponsored crypto theft. Two attacks. $577 million. Three-quarters of everything stolen across the entire crypto ecosystem in four months.

Who’s Responsible

TRM Labs attributes the attacks to two distinct North Korean hacking groups: the Lazarus Group, which has been active since at least 2014, and a second organization sometimes referred to as DPRK Bureau 121. Both operate under the control of North Korea’s Reconnaissance General Bureau – the intelligence agency responsible for the country’s cyber warfare program.

These groups don’t operate like typical cybercriminals looking for quick ransomware paydays. They’re sophisticated, patient, and strategic. TRM Labs found that one of the 2026 attacks involved North Korean operatives spending months embedded in-person at a target organization before executing the theft – a level of operational planning more characteristic of traditional espionage than opportunistic hacking.

The specific target referenced was Drift, a decentralized exchange on Solana. CoinDesk reported that DPRK agents spent months cultivating insider access before draining $285 million from the protocol.

The Scale of the Threat

TRM Labs estimates North Korea-linked groups have now stolen more than $6 billion in cryptocurrency since 2017. That cumulative figure has been built through a series of high-profile attacks including the $620 million Ronin Network hack in 2022, multiple exchange compromises, and dozens of smaller protocol exploits.

For context, the UN Panel of Experts has assessed that much of this stolen cryptocurrency is used to fund North Korea’s weapons of mass destruction programs, including its ballistic missile development. What looks like a financial crime on the blockchain has direct national security implications.

The 2026 numbers suggest the pace is accelerating. At $577 million in just the first four months, the annualized run rate would put North Korea’s 2026 total well above its previous record years.

Two Attacks That Dominated the Stats

The fact that 76% of all 2026 crypto losses came from two attacks highlights an uncomfortable reality: the crypto ecosystem’s overall attack surface may be getting better defended through audits, bug bounties, and improved developer practices, but the most sophisticated actors are compensating by going bigger and going deeper.

Rather than running dozens of smaller exploits, North Korean groups appear to be conducting intensive reconnaissance, identifying the highest-value targets, and striking with precision. The Arbitrum DAO’s April vote to get $71 million in frozen KelpDAO exploit funds – referenced in recent CryptoGazette coverage – was itself a downstream consequence of one of these North Korean-linked attacks.

Industry Response

The crypto industry’s response to state-sponsored hacking has evolved significantly. Major protocols now maintain bug bounty programs with seven-figure payouts. On-chain analytics firms like TRM Labs, Chainalysis, and Elliptic provide real-time monitoring that can flag suspicious transactions within minutes of a theft.

Several major exchanges have set up transaction screening that can freeze funds as they arrive after a known hack. Tether recently froze $514 million in USDT across 370 wallets over a 30-day period, though not all of those freezes were specifically tied to North Korean actors.

Despite these tools, TRM Labs’ data shows the threat hasn’t diminished. If anything, the intelligence firm’s 2026 mid-year report paints a picture of increasingly sophisticated adversaries who are capable of blending long-con social engineering with technical blockchain exploits.

What This Means for the Industry

For DeFi protocols and centralized exchanges alike, the TRM Labs findings show a hard truth: the most dangerous threat actors aren’t script kiddies running known exploits. They’re professional intelligence operatives with virtually unlimited time, resources, and patience.

The recommended countermeasures have evolved. Security researchers now advise:

  • Multi-stage human verification for high-value operational access
  • Behavioral monitoring for internal actors, not just external threats
  • Graduated withdrawal limits that slow large outflows even for permissioned users
  • Cross-protocol intelligence sharing to identify reconnaissance activity before attacks execute
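
The graduated-withdrawal countermeasure in the list above, written out as an added example (not code from TRM Labs or any protocol named here). The tier ceilings, delays, approval counts and 24-hour window are constructed values; the delay depends on cumulative outflow rather than on the caller's role, so permissioned users are slowed as well.

```python
from dataclasses import dataclass, field

WINDOW_SECONDS = 24 * 3600  # rolling window for cumulative outflow (assumed)

# (cumulative outflow ceiling in USD, delay in seconds, approvals required)
# Constructed tiers for illustration; real limits depend on the funds held.
TIERS = [
    (100_000, 0, 1),
    (1_000_000, 3600, 2),
    (10_000_000, 24 * 3600, 3),
]
# Anything above the last ceiling gets the longest delay and most approvers.
HARD_CAP_DELAY, HARD_CAP_APPROVALS = 72 * 3600, 4


@dataclass
class Decision:
    release_at: int        # earliest unix time the transfer may execute
    approvals_needed: int  # distinct human approvers required
    window_total: int      # cumulative outflow including this request


@dataclass
class WithdrawalPolicy:
    history: list = field(default_factory=list)  # (timestamp, amount)

    def evaluate(self, now: int, amount: int) -> Decision:
        """Rate a withdrawal request; the caller's role is deliberately ignored."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        # Drop entries that have aged out of the rolling window.
        self.history = [(t, a) for t, a in self.history
                        if now - t < WINDOW_SECONDS]
        total = sum(a for _, a in self.history) + amount
        delay, approvals = HARD_CAP_DELAY, HARD_CAP_APPROVALS
        for ceiling, tier_delay, tier_approvals in TIERS:
            if total <= ceiling:
                delay, approvals = tier_delay, tier_approvals
                break
        # Record the request so that splitting one large outflow into many
        # small withdrawals still climbs the tiers.
        self.history.append((now, amount))
        return Decision(now + delay, approvals, total)
```

The delay window is what gives monitoring and human reviewers time to intervene before a large outflow settles.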

For investors and users, the broader message is that smart contract security audits – while important – aren’t sufficient. The vector is increasingly human rather than technical.

Frequently Asked Questions

Who are the Lazarus Group? The Lazarus Group is a North Korean state-sponsored cyber threat actor operating under the Reconnaissance General Bureau. They’re responsible for some of the largest cryptocurrency thefts in history, as well as previous attacks on global banking infrastructure (the 2016 Bangladesh Bank heist) and the WannaCry ransomware attack in 2017.

How much has North Korea stolen from crypto since 2017? TRM Labs estimates the cumulative total at over $6 billion since 2017, making North Korea one of the most prolific crypto theft operations in the world.

Can stolen crypto be recovered? Recovery is rare but not impossible. Stablecoins like USDT and USDC can be frozen by their issuers. Some blockchain analytics firms work with law enforcement to trace and potentially recover funds, but once crypto moves into mixing services or privacy coins, recovery becomes extremely difficult.

Sources: TRM Labs report (April 30, 2026), The Block, CoinDesk, crypto.news, CoinMarketCap, Reuters reporting on North Korean cyber operations.

cg_editor

Crypto Reporter

cg_editor covers cryptocurrency markets, blockchain technology, and decentralized finance for CryptoGazette.
