- North Korean hackers stole 76% of all cryptocurrency taken in 2026 hacks through two major April attacks, totaling $577 million.
- The breaches used distinct methods: a months-long social engineering campaign against Drift Protocol and a single-point verification exploit on the Kelp DAO blockchain bridge.
- TRM Labs estimates North Korean operatives have stolen over $6 billion in crypto since 2017, with their share of annual losses rising dramatically.
- The stolen funds from the Kelp DAO attack were rapidly laundered, with $175 million in ETH swapped to Bitcoin mostly via the non-KYC protocol THORChain.
- Analysts note the sophistication of the attacks, suggesting North Korean groups may be incorporating AI tools into their reconnaissance workflows.
North Korean state-linked hackers have seized a staggering 76% of all cryptocurrency stolen in cyberattacks so far in 2026, according to a new report from blockchain intelligence firm TRM Labs. This massive share stems from just two precisely executed heists in April that netted a combined $577 million from decentralized finance platforms. The figures underscore an accelerating concentration of theft by Pyongyang’s operatives, whose share of annual crypto hack losses has grown from under 10% in 2020 to this year’s record high.
The first attack, a $285 million breach of the Drift Protocol on April 1, was marked by exceptional patience. TRM Labs analysts described a campaign involving months of social engineering, including in-person meetings between North Korean proxies and employees. Attackers ultimately exploited a Solana feature called a durable nonce to execute 31 pre-signed withdrawals in roughly 12 minutes.
The second heist, just weeks later, used a completely different technical approach. On April 18, attackers stole $292 million from Kelp DAO by compromising internal nodes and exploiting a single-point verification flaw in its blockchain bridge. The bridge's verifier was tricked into releasing approximately 116,500 rsETH based on poisoned data.
Meanwhile, the Arbitrum Security Council exercised emergency powers to freeze about $75 million of the Kelp DAO funds left on its network. This rare intervention prompted a rapid laundering response, with roughly $175 million in stolen ETH swapped to Bitcoin. The vast majority of this conversion occurred through THORChain, a cross-chain liquidity protocol with no know-your-customer requirement.
TRM Labs notes that THORChain also processed most proceeds from the record-breaking 2025 Bybit breach, which saw over $1.4 billion stolen. All told, North Korean hackers have pilfered more than $6 billion worth of cryptocurrency since 2017. Analysts speculate these groups are now sharpening their tools, potentially incorporating AI into their reconnaissance and social engineering for increasingly precise attacks.
