North Korean hackers have stolen nearly three-quarters of all cryptocurrency taken by cybercriminals so far in 2026 through two precisely executed attacks on decentralized finance platforms in April, according to blockchain intelligence firm TRM Labs. The two incidents—a $285 million breach of Drift Protocol on April 1 and a $292 million exploit of Kelp DAO on April 18—together account for 76% of all crypto hack losses tracked through April. All told, TRM Labs estimates that North Korean-linked hackers have stolen over $6 billion from crypto protocols and projects since 2017.
Attack Methodology and Precision
The Drift Protocol attack was notable for its extended social engineering campaign. On-chain staging began March 11, and the campaign involved in-person meetings between North Korean proxies and Drift employees over a period of months. The attackers exploited a Solana feature called a durable nonce, which allows pre-signed transactions to be held and deployed at a later time. On April 1, 31 withdrawals executed in approximately 12 minutes, draining real assets including USDC and JLP. The stolen funds were quickly moved to Ethereum and have remained dormant since.
The Kelp DAO attack took a different technical route. The attackers compromised two internal RPC nodes and then launched a denial-of-service attack against external nodes, forcing the bridge’s single verifier to rely on the poisoned data sources. Those nodes falsely reported that the underlying asset had been burned on the source chain when no such action had occurred, and approximately 116,500 rsETH—worth roughly $292 million—was drained from the Ethereum bridge contract.
Historical Escalation of North Korean Crypto Theft
The figures reflect an accelerating concentration of cryptocurrency theft by state-linked North Korean operatives. Pyongyang’s share of total crypto hack losses has grown from under 10% in 2020 and 2021 to 22% in 2022, 37% in 2023, 39% in 2024, and 64% in 2025. The 2026 figure of 76% through April is the highest sustained share on record, despite the two incidents representing just 3% of the total number of incidents recorded.
Fund Movement and Laundering
After the Kelp DAO theft, the Arbitrum Security Council exercised emergency powers to freeze roughly $75 million of the stolen funds that had been left on the network—a rare intervention that prompted a rapid laundering response. Approximately $175 million in ETH was then swapped to Bitcoin, mostly through THORChain, a cross-chain liquidity protocol with no know-your-customer requirement.
THORChain processed the vast majority of proceeds from both the Bybit breach in 2025—the industry’s worst-ever theft, with over $1.4 billion in crypto stolen—and the Kelp DAO hack in 2026, converting hundreds of millions in stolen ETH to Bitcoin with no operator willing to freeze or reject transfers.
Evolving Attack Sophistication
TRM analysts noted that the group appears to be sharpening its tools. Analysts have begun to speculate that North Korean operators are incorporating AI tools into their reconnaissance and social engineering workflows, a development consistent with the increasing precision of attacks like Drift, which required weeks of targeted manipulation of complex blockchain mechanisms.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
