Report Reveals North Korean Hacking Groups Took Over 75% of All Crypto Hack Value Last Year


Blockchain intelligence firm TRM Labs reported that groups affiliated with North Korea accounted for a significant share of cryptocurrency thefts in early 2026. By the end of April, these operations were responsible for approximately 76 percent of all documented hack-related losses, roughly $577 million stolen in just a few meticulously planned events. TRM Labs pointed out that the pattern stands out for its impact, not its volume.

Two breaches, the April 1 exploit of Drift Protocol and the April 18 attack on KelpDAO's bridge, accounted for just 3 percent of the year's hacks by count but provided the lion's share of the stolen value.

This reflects North Korea’s long-standing playbook: fewer, higher-value targets rather than frequent low-level raids.

North Korea's share of global crypto theft has risen steadily: it was below 10 percent in 2020 and 2021, then 22 percent in 2022, 37 percent in 2023, 39 percent in 2024 and 64 percent in 2025, before reaching 76 percent in the first four months of this year.

The Drift Protocol incident drained approximately $285 million from the leading Solana-based decentralized perpetuals exchange.

Preparation took months and included an unusual element: in-person meetings between North Korean proxies and platform insiders.

On-chain activity began with a small withdrawal from a privacy mixer in mid-March, followed by the creation of durable nonce accounts.

The attackers persuaded security team members to pre-sign transactions built on this Solana feature, which keeps the signed approvals valid indefinitely rather than letting them expire with a recent blockhash.

They also introduced a fictitious collateral token and used fake trades in it to manipulate the price oracles.

On the day of the heist, 31 withdrawals were completed in roughly 12 minutes, and most of the assets were quickly bridged to Ethereum and converted to ETH.
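The mechanism behind the pre-signed approvals is worth seeing in code. The following is an added illustration, not Drift Protocol or TRM Labs code: it models two Solana rules in plain Python rather than talking to the chain. A normal transaction carries a recent blockhash and is rejected once that blockhash is older than about 150 slots; a durable-nonce transaction instead puts the System Program's AdvanceNonceAccount instruction first and uses the blockhash stored in the nonce account, which only changes when the nonce is advanced. The account names, the withdraw program id and the slot counts are constructed placeholders.

```python
"""Why a pre-signed durable-nonce transaction never expires, and a
signer-side check that flags such a signing request. Added example,
not Drift Protocol or TRM Labs code; the chain is simulated."""
from dataclasses import dataclass, field
import struct

SYSTEM_PROGRAM = "11111111111111111111111111111111"   # Solana System Program id
ADVANCE_NONCE_ACCOUNT = 4   # SystemInstruction enum index, serialized as u32 LE
MAX_PROCESSING_AGE = 150    # slots a recent blockhash stays usable (per Solana docs)
WITHDRAW_PROGRAM = "Withdraw11111111111111111111111111111111"  # hypothetical


@dataclass
class Instruction:
    program_id: str
    accounts: list
    data: bytes


@dataclass
class Transaction:
    recent_blockhash: str
    instructions: list
    signers: list


@dataclass
class Chain:
    """Minimal ledger: which slot produced each blockhash, plus the stored
    blockhash of every durable nonce account."""
    slot: int = 0
    blockhash_slot: dict = field(default_factory=dict)
    nonce_accounts: dict = field(default_factory=dict)

    def advance_slots(self, n):
        for _ in range(n):
            self.slot += 1
            self.blockhash_slot[f"hash-{self.slot}"] = self.slot

    def current_blockhash(self):
        return f"hash-{self.slot}"

    def create_nonce_account(self, name):
        self.nonce_accounts[name] = self.current_blockhash()


def uses_durable_nonce(tx):
    """A durable-nonce tx starts with SystemProgram::AdvanceNonceAccount."""
    if not tx.instructions:
        return False
    first = tx.instructions[0]
    return (first.program_id == SYSTEM_PROGRAM and len(first.data) >= 4
            and struct.unpack("<I", first.data[:4])[0] == ADVANCE_NONCE_ACCOUNT)


def is_processable(chain, tx):
    """Mimic the validator's blockhash check (and the nonce advance)."""
    if uses_durable_nonce(tx):
        nonce_acct = tx.instructions[0].accounts[0]
        if chain.nonce_accounts.get(nonce_acct) != tx.recent_blockhash:
            return False            # nonce already advanced: replay rejected
        chain.nonce_accounts[nonce_acct] = chain.current_blockhash()
        return True                 # valid no matter how old the signature is
    produced = chain.blockhash_slot.get(tx.recent_blockhash)
    return produced is not None and chain.slot - produced <= MAX_PROCESSING_AGE


def review_signing_request(tx, chain):
    """Warnings a signer should see before approving a transaction."""
    warnings = []
    if uses_durable_nonce(tx):
        warnings.append("durable nonce: signature stays valid until the nonce "
                        "is advanced, so the holder can submit it weeks later")
    elif tx.recent_blockhash not in chain.blockhash_slot:
        warnings.append("blockhash not from this chain")
    return warnings


def run_drift_scenario():
    chain = Chain()
    chain.advance_slots(10)
    withdraw = Instruction(WITHDRAW_PROGRAM, ["vault", "destination"], b"withdraw")
    normal = Transaction(chain.current_blockhash(), [withdraw], ["security-member"])

    chain.create_nonce_account("attacker-nonce")   # stores the current blockhash
    advance = Instruction(SYSTEM_PROGRAM,
                          ["attacker-nonce", "recent-blockhashes-sysvar", "nonce-authority"],
                          struct.pack("<I", ADVANCE_NONCE_ACCOUNT))
    durable = Transaction(chain.nonce_accounts["attacker-nonce"],
                          [advance, withdraw], ["security-member"])
    warned = review_signing_request(durable, chain)

    chain.advance_slots(5000)   # weeks pass before the attacker submits (constructed)
    return {
        "normal_still_valid": is_processable(chain, normal),
        "durable_still_valid": is_processable(chain, durable),
        "durable_replay_valid": is_processable(chain, durable),
        "signer_warned": bool(warned),
    }


if __name__ == "__main__":
    print(run_drift_scenario())
```

The practical lesson for a signing policy is the `uses_durable_nonce` check: a request whose first instruction is AdvanceNonceAccount is an open-ended authorization, and a multisig or hardware-wallet workflow should surface that explicitly rather than treating it like any other transaction that will die in a minute or two if unused.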

These funds have remained untouched since then, consistent with the deliberate, drawn-out laundering strategy employed by one of the subgroups involved.

Two weeks later, the KelpDAO breach netted approximately $292 million by targeting the rsETH LayerZero bridge on Ethereum.

The hackers first compromised internal RPC nodes and modified their software to serve fake blockchain data.

A distributed denial-of-service attack then overwhelmed the legitimate external nodes, forcing the bridge's single validator to fall back on the poisoned sources.

Because the bridge required confirmation from only one validator, it accepted a forged burn message, allowing a massive drain of approximately 116,500 rsETH tokens.
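The three steps above (poison an internal RPC, knock the honest RPCs offline, let a single verifier fall back) can be modelled directly, along with the multi-verifier design the industry is moving toward. This is an added illustration, not KelpDAO, LayerZero or TRM Labs code: chain names, RPC node names, transaction hashes and the message layout are constructed placeholders, and a verifier is reduced to "ask an RPC node whether the burn transaction exists".

```python
"""Single-verifier bridge vs. a 2-of-3 verifier quorum under RPC poisoning
plus DDoS. Added example, not KelpDAO/LayerZero code; everything is simulated."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BurnMessage:
    src_chain: str
    nonce: int
    amount: int        # token units on the source chain (constructed)
    tx_hash: str       # the burn transaction the verifier must confirm


class RpcNode:
    """A source-chain RPC endpoint. `confirmed` is the set of burn tx hashes
    its copy of the chain contains; a poisoned node simply contains forged ones."""
    def __init__(self, name, confirmed, online=True):
        self.name = name
        self.confirmed = set(confirmed)
        self.online = online

    def burn_exists(self, tx_hash):
        if not self.online:
            raise ConnectionError(f"{self.name} unreachable")
        return tx_hash in self.confirmed


class Verifier:
    """One verifier. `endpoints` is its preference-ordered RPC list and it
    uses the first reachable one, which is the fallback the attack exploits."""
    def __init__(self, name, endpoints):
        self.name = name
        self.endpoints = endpoints

    def attest(self, msg):
        for rpc in self.endpoints:
            try:
                return rpc.burn_exists(msg.tx_hash)
            except ConnectionError:
                continue
        return None    # nothing reachable: abstain rather than guess


def bridge_accepts(msg, verifiers, required):
    """Mint on the destination only if at least `required` verifiers attest.
    Abstentions and negative answers both count against the message."""
    yes = sum(1 for v in verifiers if v.attest(msg) is True)
    return yes >= required


def run_bridge_scenario():
    real = BurnMessage("ethereum", 4710, 5 * 10**18, "0xreal")
    forged = BurnMessage("ethereum", 4711, 116_500 * 10**18, "0xforged")

    public_a = RpcNode("public-a", {"0xreal"}, online=False)      # DDoSed
    public_b = RpcNode("public-b", {"0xreal"}, online=False)      # DDoSed
    internal = RpcNode("internal-poisoned", {"0xreal", "0xforged"})
    own_node_2 = RpcNode("verifier-2-own-node", {"0xreal"})
    own_node_3 = RpcNode("verifier-3-own-node", {"0xreal"})

    # Pre-incident design: one verifier whose fallback list ends at the
    # compromised internal node.
    single = [Verifier("verifier-1", [public_a, public_b, internal])]
    # Hardened design: three verifiers on independent infrastructure, 2-of-3.
    quorum = [Verifier("verifier-1", [public_a, public_b, internal]),
              Verifier("verifier-2", [own_node_2]),
              Verifier("verifier-3", [own_node_3])]

    results = {
        "single_accepts_real": bridge_accepts(real, single, 1),
        "single_accepts_forged": bridge_accepts(forged, single, 1),
        "quorum_accepts_real": bridge_accepts(real, quorum, 2),
        "quorum_accepts_forged": bridge_accepts(forged, quorum, 2),
    }
    # Attacker also takes the independent nodes down: the honest verifiers
    # abstain and the bridge halts instead of trusting the lone attester.
    own_node_2.online = own_node_3.online = False
    results["quorum_accepts_forged_under_full_outage"] = bridge_accepts(forged, quorum, 2)
    return results


if __name__ == "__main__":
    for k, v in run_bridge_scenario().items():
        print(f"{k}: {v}")
```

Two design points carry the security argument. First, the threshold has to exceed the number of verifiers an attacker can poison, and the verifiers have to read the source chain through infrastructure the attacker cannot reach, otherwise adding verifiers adds nothing. Second, a verifier that cannot reach a trustworthy source should abstain, so that an outage fails closed (no mint) rather than failing open; the liveness cost of a halt is far cheaper than the 116,500 rsETH the single-validator configuration gave away.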

The initial funding for the attack came from wallets with years-old links to a previously charged Chinese broker and from a newer TraderTraitor operation.

Following the theft, approximately $75 million worth of ETH was frozen on Arbitrum by emergency action of its security council, but the remainder was routed through THORChain, the same service used extensively in North Korea's record 2025 Bybit heist, to convert the stolen ETH into Bitcoin.

The contrasting post-theft paths reveal operational flexibility. One group favors rapid conversion followed by prolonged dormancy; the other shows resilience by rotating infrastructure after partial freezes.

THORChain has emerged as a preferred channel in many major North Korean laundering operations, processing hundreds of millions of dollars without operator intervention.

Cumulatively, Pyongyang-linked actors have collected more than $6 billion from attributed crypto thefts since 2017.

Analysts suggest that the growing sophistication of these operations extends beyond traditional private-key compromise to AI-assisted reconnaissance and social engineering.

Industry responses include expanded use of multi-validator bridge designs and collaborative monitoring platforms that issue real-time alerts across exchanges and DeFi protocols when suspicious funds are discovered.

TRM Labs concluded its research report as follows: as decentralized finance continues to grow, these concentrated, highly sophisticated attacks underscore the industry's vulnerability to state-sponsored adversaries who view major protocols as strategic targets rather than opportunistic ones. Security teams are now racing to close the gaps exposed by these latest operations.
