North Korean hackers linked to $6B crypto thefts; 76% of 2026

North Korean-linked hackers have stolen over $6 billion in crypto since 2017 and accounted for 76% of 2026 losses through April after two April breaches: $285M Drift and $292M Kelp DAO.

Blockchain intelligence firm TRM Labs reports that North Korean-linked hackers have taken more than $6 billion in cryptocurrency since 2017. Two April incidents, the $285 million Drift Protocol breach on April 1 and a $292 million exploit of Kelp DAO on April 18, accounted for 76% of tracked crypto hack losses in 2026 through April.

TRM’s analysis shows those two attacks represented about 3% of recorded incidents but a large share of value. The firm’s data trace a rising share of crypto thefts linked to North Korea: under 10% in 2020–21, 22% in 2022, 37% in 2023, 39% in 2024 and 64% in 2025, reaching 76% in 2026 so far.

The Drift Protocol breach involved months of on-chain preparation and targeted interactions beginning March 11, according to TRM. Attackers used a Solana feature called a durable nonce, which allows pre-signed transactions to be stored and executed later. On April 1, 31 withdrawals executed in about 12 minutes, removing assets including USDC and JLP. TRM’s blockchain tracing shows the funds were moved to Ethereum and have not been further transferred.

The Kelp DAO exploit began with compromises of two internal RPC nodes and a denial-of-service attack on external nodes, TRM reports. Those failures led the bridge’s single verifier to accept false data indicating the source-chain asset had been burned when it had not. About 116,500 rsETH, valued at roughly $292 million, was withdrawn from the Ethereum bridge contract. The Arbitrum Security Council froze about $75 million of the stolen funds that remained on its network.
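The failure mode described above, shown as an added sketch that is not taken from TRM's report or from Kelp DAO's code: a verifier that trusts whichever node still answers, next to one that refuses to release funds unless enough independent nodes respond and agree. The node names, the internal/external split and the thresholds are assumptions made for the illustration.

```python
# Added illustration; node names and thresholds are assumptions, not Kelp DAO's code.
INTERNAL = {"internal-1", "internal-2"}  # nodes run by the bridge operator


def naive_verify(reports):
    """Fail-open: trust the first node that answers."""
    for burned in reports.values():
        if burned is not None:
            return burned
    return False


def quorum_verify(reports, min_responses=3, min_external=1):
    """Fail-closed: require enough independent answers, all confirming the burn."""
    answers = {n: b for n, b in reports.items() if b is not None}
    external = [n for n in answers if n not in INTERNAL]
    # Too few reachable nodes, or no external view at all: refuse to release.
    if len(answers) < min_responses or len(external) < min_external:
        return False, "insufficient independent responses"
    # Any disagreement between nodes is treated as a reason to halt.
    if len(set(answers.values())) > 1:
        return False, "nodes disagree"
    if not all(answers.values()):
        return False, "burn not observed"
    return True, "burn confirmed"


# Constructed reports: True = node says the source-chain asset was burned,
# None = node unreachable (for example, under denial of service).
HEALTHY = {"internal-1": True, "internal-2": True, "external-1": True, "external-2": True}
DEGRADED = {"internal-1": True, "internal-2": True, "external-1": None, "external-2": None}
CONFLICT = {"internal-1": True, "internal-2": True, "external-1": False, "external-2": None}

if __name__ == "__main__":
    for name, reports in (("healthy", HEALTHY), ("degraded", DEGRADED), ("conflict", CONFLICT)):
        print(name, naive_verify(reports), quorum_verify(reports))
```

In the degraded case the fail-open check accepts the burn claim from the two internal nodes alone, while the quorum check halts because no external node is reachable.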

A coordinated relief effort promoted by Aave founder Stani Kulechov, operating as DeFi United, raised 132,650 ETH (roughly $303 million at recent prices) to help cover Kelp DAO losses. TRM’s analysis shows much of the stolen ETH was converted into Bitcoin, primarily through THORChain, a cross-chain protocol that does not require know-your-customer checks. TRM notes THORChain handled the majority of proceeds from both the 2025 Bybit breach and the Kelp DAO theft.

TRM’s report catalogs methods used in the April attacks, including prolonged social engineering, manipulation of on-chain transaction mechanisms and node-level compromises. The firm also reports that analysts have speculated North Korean operators may be incorporating artificial intelligence tools into reconnaissance and social engineering workflows.

Since 2017, TRM attributes more than $6 billion in crypto losses to entities it links to North Korea and documents a trend of large, targeted breaches concentrating a growing share of annual crypto hack value.
