North Korean Cybercriminals Have Pilfered $6 Billion in Crypto: TRM Report Highlights Major Heists

Cybercriminals linked to North Korea account for nearly three-quarters of all cryptocurrency hack losses this year, not through continuous assaults but via two meticulously executed heists on decentralized finance platforms in April, according to a recent report from blockchain intelligence firm TRM Labs.

These incidents—a $285 million breach of Drift Protocol on April 1 and a $292 million exploit of Kelp DAO on April 18—make up 76% of all crypto hack losses through April, despite accounting for just 3% of total recorded incidents.

Since 2017, TRM Labs estimates that North Korean-linked hackers have stolen over $6 billion from cryptocurrency protocols and projects, including some of the industry’s most significant heists. The data shows an increasing concentration of crypto theft by state-linked North Korean operatives: Pyongyang’s share of total crypto hack losses rose to 22% in 2022, 37% in 2023, 39% in 2024, and reached 64% in 2025. As of April, the figure for 2026 stands at 76%, marking the highest sustained share on record.

The Drift Protocol attack was notable for its calculated approach. On-chain preparations began on March 11, and the operation involved several months’ worth of in-person meetings between North Korean proxies and Drift employees, a tactic TRM analysts suggest may be unprecedented in North Korea’s extensive crypto hacking efforts.

The attackers utilized a Solana feature called a durable nonce, enabling pre-signed transactions to be stored and executed later. On April 1, they executed 31 withdrawals within approximately 12 minutes, draining real assets such as USDC and JLP, which were then swiftly transferred to Ethereum and have remained inactive since.

In contrast, the Kelp DAO attack involved compromising two internal RPC nodes and launching a denial-of-service attack against external ones. This forced the bridge’s sole verifier to rely on corrupted data sources, which falsely indicated that the underlying asset had been burned on the source chain when it hadn’t, leading to approximately 116,500 rsETH—worth about $292 million—being drained from the Ethereum bridge contract.
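The failure described above is a verifier that keeps trusting whatever data sources remain reachable. The following sketch is an added example, not code from Kelp DAO, TRM Labs, or any bridge. It shows a fail-closed quorum check that refuses to confirm a burn when only nodes under a single operator answer. The `Source` type, operator labels, thresholds, and sample responses are all hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Source:
    name: str
    operator: str  # who runs the node; hypothetical labels


def burn_confirmed(responses: Dict[Source, Optional[bool]],
                   min_agree: int = 3,
                   min_operators: int = 2) -> Tuple[bool, str]:
    """Decide whether a source-chain burn may be trusted.

    responses maps each RPC source to True/False (burn seen or not) or
    None when the source timed out or was unreachable.
    """
    answered = {s: v for s, v in responses.items() if v is not None}
    # Any disagreement between reachable sources is treated as an alarm.
    if len(set(answered.values())) > 1:
        return False, "sources disagree"
    yes = [s for s, seen in answered.items() if seen]
    if not yes:
        return False, "burn not observed"
    # Unreachable sources never count toward the quorum (fail closed).
    if len(yes) < min_agree:
        return False, "quorum not reached"
    # Agreement from nodes under one operator is one opinion, not several.
    if len({s.operator for s in yes}) < min_operators:
        return False, "agreeing sources share one operator"
    return True, "burn confirmed"


# Constructed sample data: two internal nodes and two external providers.
INT1, INT2 = Source("int-1", "internal"), Source("int-2", "internal")
EXT_A, EXT_B = Source("ext-a", "provider-a"), Source("ext-b", "provider-b")

HEALTHY = {INT1: True, INT2: True, EXT_A: True, EXT_B: True}
# The situation the article describes: internal nodes report a burn that
# did not happen while the external nodes are unavailable.
DEGRADED = {INT1: True, INT2: True, EXT_A: None, EXT_B: None}
SPLIT = {INT1: True, INT2: True, EXT_A: False, EXT_B: None}

if __name__ == "__main__":
    for label, case in [("healthy", HEALTHY), ("degraded", DEGRADED), ("split", SPLIT)]:
        print(label, burn_confirmed(case))
```

Lowering `min_agree` to 2 still rejects the degraded case, because both agreeing nodes belong to the same operator.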

Following the Kelp DAO theft, the Arbitrum Security Council invoked emergency powers to freeze roughly $75 million of the stolen funds left within the network—a rare intervention that triggered a rapid laundering response. Subsequently, around $175 million in ETH was converted to Bitcoin, primarily through THORChain, a cross-chain liquidity protocol lacking know-your-customer requirements.

THORChain processed most of the proceeds from both the Bybit breach in 2025—the industry’s largest theft with over $1.4 billion stolen—and the Kelp DAO hack in 2026, converting hundreds of millions in stolen ETH to Bitcoin without any operator intervening to freeze or reject transfers.

TRM analysts suggest that the group is refining its tactics: There are indications that North Korean operatives may be integrating AI tools into their reconnaissance and social engineering processes, a trend aligned with the increasing precision of attacks like Drift, which involved weeks of targeted manipulation of complex blockchain mechanisms.
