North Korean Hackers Have Stolen $6 Billion in Crypto—Including 76% of 2026's Spoils: TRM

In brief

  • North Korea stole 76% of all crypto hack value so far in 2026 with just two April attacks totaling $577 million.
  • One hack used months of social engineering; the other exploited a single-point verification flaw in a blockchain bridge.
  • All told, TRM Labs says that North Korean hackers have stolen more than $6 billion worth of crypto since 2017.

North Korean hackers have stolen about three-quarters of all cryptocurrency taken by cybercriminals so far this year—not through a relentless campaign of attacks, but through two precisely executed heists targeting decentralized finance platforms in April, according to a new report from blockchain intelligence firm TRM Labs.

The two incidents—a $285 million breach of Drift Protocol on April 1 and a $292 million exploit of Kelp DAO on April 18—together account for 76% of all crypto hack losses tracked through April, despite representing just 3% of the total number of incidents recorded.

All told, TRM Labs estimates that North Korean-linked hackers have swiped over $6 billion from crypto protocols and projects since 2017, including some of the industry’s worst-ever heists.

The figures reflect an accelerating concentration of cryptocurrency theft by state-linked North Korean operatives. Pyongyang's share of total crypto hack losses has grown from under 10% in 2020 and 2021 to 22% in 2022, 37% in 2023, 39% in 2024, and 64% in 2025. The 2026 figure of 76% through April is the highest sustained share on record.

The Drift Protocol attack was notable for its patience. On-chain staging began March 11, and the campaign involved in-person meetings between North Korean proxies and Drift employees over a period of months—a tactic TRM analysts described as possibly unprecedented in North Korea's lengthy crypto hacking campaign.

The attackers exploited a Solana feature called a durable nonce, which allows pre-signed transactions to be held and deployed at a later time. On April 1, 31 withdrawals executed in about 12 minutes, draining real assets including USDC and JLP. The stolen funds were quickly moved to Ethereum and have sat dormant since.

The Kelp DAO attack took a different route. The attackers compromised two internal RPC nodes and then launched a denial-of-service attack against external nodes, forcing the bridge's single verifier to rely on the poisoned data sources. Those nodes falsely reported that the underlying asset had been burned on the source chain when no such action had occurred, and about 116,500 rsETH—worth about $292 million—was drained from the Ethereum bridge contract.
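The failure described above comes down to a verifier that kept accepting answers after its independent data sources went dark. As an added example (not code from TRM's report or from Kelp DAO), the sketch below shows a fail-closed check that counts one vote per node operator and refuses to release funds when too few independent operators respond or when they disagree; the names `Report` and `verify_burn`, the provider labels, and the threshold of three operators are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Report:
    provider: str              # RPC endpoint label (hypothetical)
    operator: str              # entity running the node: the independence domain
    burn_seen: Optional[bool]  # None means timeout or no response


def verify_burn(reports: Iterable[Report], min_operators: int = 3) -> Tuple[bool, str]:
    """Decide whether a bridge release may proceed. Every doubtful case fails closed."""
    answers = {}
    for r in reports:
        if r.burn_seen is not None:
            answers.setdefault(r.operator, set()).add(r.burn_seen)
    # One vote per operator, so several nodes run by the same party count once.
    # An operator whose own nodes contradict each other casts no vote.
    votes = {op: next(iter(seen)) for op, seen in answers.items() if len(seen) == 1}
    if len(votes) < min_operators:
        return False, "insufficient independent sources"
    if len(set(votes.values())) > 1:
        return False, "sources disagree"
    if not all(votes.values()):
        return False, "burn not observed"
    return True, "burn confirmed"


# Constructed sample inputs, not data from the incident.
OUTAGE = [Report("rpc-int-1", "internal", True), Report("rpc-int-2", "internal", True),
          Report("rpc-ext-a", "vendor-a", None), Report("rpc-ext-b", "vendor-b", None)]
HEALTHY = [Report("rpc-int-1", "internal", True), Report("rpc-ext-a", "vendor-a", True),
           Report("rpc-ext-b", "vendor-b", True)]
CONFLICT = [Report("rpc-int-1", "internal", True), Report("rpc-ext-a", "vendor-a", False),
            Report("rpc-ext-b", "vendor-b", False)]

if __name__ == "__main__":
    for name, sample in (("outage", OUTAGE), ("healthy", HEALTHY), ("conflict", CONFLICT)):
        print(name, verify_burn(sample))
```

In the `OUTAGE` case both responding nodes belong to the same operator, so the check halts the release instead of trusting them; a halt of this kind is also worth alerting on, since losing the external sources is itself a signal.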

After the Kelp DAO theft, the Arbitrum Security Council exercised emergency powers to freeze about $75 million of the stolen funds that had been left on the network—a rare intervention that prompted a rapid laundering response. Approximately $175 million in ETH was then swapped to Bitcoin, mostly through THORChain, a cross-chain liquidity protocol with no know-your-customer requirement.

THORChain processed the vast majority of proceeds from both the Bybit breach in 2025—the industry’s worst-ever theft, with over $1.4 billion in crypto stolen—and the Kelp DAO hack in 2026, converting hundreds of millions in stolen ETH to Bitcoin with no operator willing to freeze or reject transfers.

TRM analysts noted that the group appears to be sharpening its tools: Analysts have begun to speculate that North Korean operators are incorporating AI tools into their reconnaissance and social engineering workflows, a development consistent with the increasing precision of attacks like Drift, which required weeks of targeted manipulation of complex blockchain mechanisms.
