TRM: North Korea Behind 76% of 2026 Crypto Hacks

  • TRM Labs says North Korean hackers stole $577 million in just two attacks, accounting for 76% of all crypto hack losses through April 2026.
  • The Drift Protocol hack used a Solana durable nonce exploit after months of social engineering, while KelpDAO was drained via a single-verifier LayerZero bridge flaw.
  • THORChain processed the majority of stolen funds from both the 2025 Bybit breach and the 2026 KelpDAO hack, converting ETH to bitcoin with no operator intervention.

According to blockchain intelligence firm TRM Labs, North Korean hacking groups have stolen approximately $577 million in cryptocurrency through April 2026 — representing 76% of all crypto hack losses this year — across just two attacks.

North Korea’s share of total crypto hack losses has grown steadily, from under 10% in 2020 and 2021 to 22% in 2022, 37% in 2023, 39% in 2024, and 64% in 2025.

The 2026 figure of 76% is the highest sustained share on record.

The two attacks

The Drift Protocol breach on April 1 netted $285 million after three weeks of on-chain staging and months of social engineering, including in-person meetings between North Korean proxies and Drift employees — a tactic TRM describes as potentially unprecedented in North Korea’s hacking campaign.

The attackers exploited a Solana feature called a durable nonce, which allows pre-signed transactions to be held and broadcast at a later time, inducing Drift’s multisig signers to pre-authorize transactions weeks before the drain executed.

On April 1, 31 withdrawals executed in approximately 12 minutes, draining real assets including USDC and JLP.
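As an added illustration (not code from TRM's report or this article), a defender-side pre-signing check a multisig signer could apply to the durable-nonce mechanism described above: parse a legacy Solana transaction message and flag it when its first instruction is the System Program's AdvanceNonceAccount, the marker that distinguishes a durable-nonce transaction (which can be held and broadcast later) from one that expires with its recent blockhash. The pubkeys, hashes and messages below are constructed placeholders.

```python
import struct
SYSTEM_PROGRAM = bytes(32)   # "11111111111111111111111111111111" in base58 is the all-zero pubkey
ADVANCE_NONCE_ACCOUNT = 4    # SystemInstruction enum discriminant, serialized as u32 little-endian

def read_compact_u16(buf, pos):
    """Decode a Solana compact-u16 (shortvec) length prefix; returns (value, next_pos)."""
    value, shift = 0, 0
    while True:
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def parse_legacy_message(msg):
    """Parse a legacy (non-versioned) Solana message into keys, blockhash and instructions."""
    n_keys, pos = read_compact_u16(msg, 3)             # bytes 0..2 are the signer-count header
    keys = [msg[pos + 32 * i: pos + 32 * (i + 1)] for i in range(n_keys)]
    pos += 32 * n_keys
    blockhash, pos = msg[pos:pos + 32], pos + 32       # carries the nonce value in a durable-nonce tx
    n_ix, pos = read_compact_u16(msg, pos)
    instructions = []
    for _ in range(n_ix):
        program = keys[msg[pos]]                       # program_id_index into the key table
        n_acc, pos = read_compact_u16(msg, pos + 1)
        accounts, pos = list(msg[pos:pos + n_acc]), pos + n_acc
        data_len, pos = read_compact_u16(msg, pos)
        data, pos = msg[pos:pos + data_len], pos + data_len
        instructions.append({"program": program, "accounts": accounts, "data": data})
    return {"num_signers": msg[0], "keys": keys, "blockhash": blockhash, "instructions": instructions}

def uses_durable_nonce(msg):
    """True if the first instruction is SystemProgram::AdvanceNonceAccount (tx will not expire with its blockhash)."""
    ix = parse_legacy_message(msg)["instructions"]
    return bool(ix) and ix[0]["program"] == SYSTEM_PROGRAM and len(ix[0]["data"]) >= 4 \
        and struct.unpack("<I", ix[0]["data"][:4])[0] == ADVANCE_NONCE_ACCOUNT

def build_message(keys, blockhash, instructions, num_signers=1):
    """Serialize a legacy message for the fixtures below (all counts < 128, so one byte each)."""
    out = bytes([num_signers, 0, 0, len(keys)]) + b"".join(keys) + blockhash + bytes([len(instructions)])
    for program_idx, accounts, data in instructions:
        out += bytes([program_idx, len(accounts)]) + bytes(accounts) + bytes([len(data)]) + data
    return out

# Constructed fixtures: placeholder pubkeys and hashes, not real accounts
SIGNER, NONCE_ACCOUNT, SYSVAR_RECENT_BLOCKHASHES, DEST = (bytes([i]) * 32 for i in (1, 2, 3, 4))
KEYS = [SIGNER, NONCE_ACCOUNT, SYSVAR_RECENT_BLOCKHASHES, DEST, SYSTEM_PROGRAM]
TRANSFER, ADVANCE = struct.pack("<IQ", 2, 1_000_000), struct.pack("<I", ADVANCE_NONCE_ACCOUNT)  # Transfer{lamports}; AdvanceNonceAccount
ORDINARY_TX = build_message(KEYS, bytes([7]) * 32, [(4, [0, 3], TRANSFER)])
DURABLE_TX = build_message(KEYS, bytes([9]) * 32, [(4, [1, 2, 0], ADVANCE), (4, [0, 3], TRANSFER)])
```

A signing policy that escalates any message for which this returns True cannot be made to quietly pre-authorize a withdrawal that is then held for weeks before broadcast.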

The KelpDAO breach on April 18 netted $292 million by exploiting a single-verifier design flaw in a LayerZero bridge.

Attackers compromised two internal RPC nodes, then DDoS’d external nodes to force the bridge’s verifier to rely on poisoned data, approving a fraudulent cross-chain message.

Diverging laundering strategies

TRM notes the two attacks followed distinct laundering playbooks.

Drift proceeds were bridged to Ethereum and converted to ETH within hours, then went dormant — consistent with a pattern of holding funds for months or years before a structured cashout.

KelpDAO’s laundering was more reactive.

The Arbitrum Security Council froze roughly $75 million of the stolen funds, prompting hackers to rapidly move approximately $175 million in ETH through THORChain, converting it to bitcoin with no operator intervention.

TRM stated:

“THORChain processed the vast majority of proceeds from both the Bybit breach (2025) and the KelpDAO hack (2026), converting hundreds of millions in stolen ETH to Bitcoin with no operator willing to freeze or reject transfers — making it the consistent bridge of choice across North Korea’s largest heists.”

What TRM says compliance teams should watch

TRM flagged four monitoring priorities:

  • THORChain flows from KelpDAO-linked addresses
  • Solana multisig and governance contract exposure
  • multi-hop bridge deposit screening
  • enrollment in TRM’s Beacon Network for real-time alerts

TRM noted:

“TRM analysts have begun to speculate that North Korean operators are incorporating AI tools into their reconnaissance and social engineering workflows — a development consistent with the increasing precision of attacks like Drift.”

On the broader threat, TRM observed:

“The group is not attacking more frequently — it is targeting more precisely, focusing on high-value targets.”
