North Korea's Refined Cyber Strategy: In-Person Tactics and Crypto Exploits

State-sponsored hackers from North Korea are growing more sophisticated, using precision tactics that account for more than 76%, or nearly $600 million, of cryptocurrency losses this year. The Drift Protocol incident is a prime example of their evolving strategy: as described by TRMLabs, it involved a months-long in-person social engineering operation, including face-to-face interactions between North Korean proxies and Drift employees.

Ari Redbord, Global Head of Policy and Government Affairs at TRMLabs, shared with CoinDesk that this level of direct engagement is unprecedented in the realm of North Korea’s crypto hacking campaigns: “North Korean proxies sitting across a table from protocol employees over months. That, to my knowledge, is unprecedented in their operations,” he noted. Redbord highlighted that these attacks are evolving beyond mere remote keyboard activities.

In TRMLabs’ latest report, released Thursday, it was revealed that North Korea’s main hacking groups, DPRK and Lazarus, were responsible for 76% of all crypto losses from hacks and exploits in 2026. “We’re witnessing a campaign that is not broader but sharper,” said Redbord. He emphasized that North Korea is moving more quickly and accurately than ever before.

TRMLabs reports that cumulative cryptocurrency theft attributed to North Korea since 2017 exceeds $6 billion. The report also notes similarities in the methods used by these groups, such as a recent Wasabi Protocol exploit in which attackers used a compromised deployer key that was not protected by a timelock or multisig, resulting in a $4.5 million loss.

Additionally, a $292 million breach at KelpDAO was executed by exploiting a known flaw that LayerZero had warned against. This method differed significantly from the Drift incident. After stealing from Drift, the hackers converted their gains to USDC, bridged them to Ethereum, and swapped them into ETH. The funds have not moved since the theft, which aligns with DPRK’s typical long-term cashout strategy.

In contrast, Lazarus immediately laundered the KelpDAO proceeds through THORChain and Umbra, primarily facilitated by Chinese intermediaries employing a well-known TraderTraitor method. This breach led to DeFi’s largest wipeouts, causing $13 billion to exit several lending platforms within 48 hours, including Aave, which lost $8.54 billion in deposits, resulting in a bad-debt crisis of nearly $200 million. Industry efforts are now underway to mitigate this issue, with $300 million pledged to alleviate the financial strain.
