
North Korean state-linked hackers have stolen over $6 billion in crypto since 2017. Their dominance just hit an unprecedented peak in 2026. That’s according to a report from TRM Labs.
Two exploits this year tell the story. Drift Protocol and Kelp DAO. Together they account for 76% of all global crypto hack losses. It’s the most concentrated and sophisticated campaign yet from Pyongyang-backed cybercriminals.
The attacks show a strategic shift. Fewer heists. Way more lucrative.
Hackers drained $285 million from Solana-based Drift Protocol in April. They took $292 million from Ethereum liquid staking project Kelp DAO the same month. These incidents represent just 3% of 2026’s hack count. But they’re nearly three-quarters of the total value stolen. TRM Labs tracked it all.
North Korea’s share of global crypto theft has climbed dramatically. TRM Labs watched the regime’s portion rise from under 10% in 2020-21 to 64% in 2025. Now it’s 76% in early 2026. That’s the highest sustained dominance on record.
The escalation underscores two things. North Korean cyber operations are getting sophisticated. DeFi infrastructure still has persistent vulnerabilities.
The Drift Protocol breach followed months of patient social engineering. Attackers held in-person meetings with employees. TRM Labs documented it.
They exploited Solana’s “durable nonce” feature to stage pre-signed transactions. Then they executed 31 rapid withdrawals over 12 minutes. Assets like USDC were drained before moving funds to Ethereum. The funds remain dormant there.
“TRM views this patience and on-the-ground infiltration as potentially unprecedented in North Korea’s crypto hacking history,” the report states.
The Kelp DAO attack took a different approach. It targeted infrastructure directly.
Hackers reportedly compromised two internal RPC nodes. Then they launched a denial-of-service attack on external nodes. This forced the bridge’s single verifier to rely on falsified data. The data claimed assets were burned on the source chain.
About 116,500 rsETH was illicitly minted and withdrawn from the Ethereum bridge. That’s $292 million. It exposed a critical single point of failure in bridge validation.
The Arbitrum Security Council froze approximately $75 million on its network after the Kelp DAO exploit. That prompted rapid laundering efforts.
Roughly $175 million in ETH was swapped to Bitcoin via THORChain. It’s a cross-chain protocol without KYC requirements. It can’t freeze funds. TRM Labs confirmed the route was also used to launder proceeds from the $1.4 billion Bybit heist in 2025.
TRM Labs analysts suggest North Korean hacking groups now employ artificial intelligence. They’re using it for reconnaissance and social engineering. It’s potentially sharpening attack precision.
The trend points to escalating systemic risk for DeFi platforms. Especially those with centralized validation points. Or insufficient security protocols around critical infrastructure components.
