North Korea’s Crypto Heists: How Two Attacks Stole the Majority of 2026 Loot
North Korean hackers have claimed a staggering 76 % of all crypto theft reported by TRM Labs up to April 2026, despite accounting for only 3 % of total attacks. Two meticulously planned assaults in April alone siphoned almost three‑quarters of the money stolen from digital wallets this year.
1. Drift Protocol – April 1
- Method: Infiltration and social engineering over months, unusual for North Korean actors.
- Exploit: Leveraged Solana’s pre‑signed transaction feature to move funds instantly.
- Impact: 31 withdrawals in ~12 minutes, draining USDC and JLP tokens.
- Post‑Theft Flow: Stolen assets were funneled to Ethereum and left idle for a period.
2. Kelp DAO – April 18
- Method: Compromise of two internal nodes, followed by a denial‑of‑service on external ones.
- Exploit: Forced the bridge’s verifier to accept false burn data, tricking it into releasing tokens.
- Impact: 116,500 rsETH (≈ $292 million) drained from a cross‑chain bridge.
These two incidents represent the largest single‑year haul in crypto history, eclipsing even the 2025 Bybit breach of over $1.4 billion.
Post‑Theft Clean‑Up
- Arbitrum Security Council: Froze ~$75 million of the remaining stolen funds.
- Money‑Laundering Response: Roughly $175 million in ETH was swapped to Bitcoin via THORChain, a cross‑chain protocol that bypasses identity checks.
- Historical Context: THORChain has handled the proceeds from both the 2025 Bybit breach and the 2026 Kelp DAO hack, converting large ETH sums into Bitcoin with minimal oversight.
Trend Analysis
| Year | North Korean Share of Total Crypto Theft |
|---|---|
| 2020–21 | < 10 % |
| 2022 | 22 % |
| 2023 | 37 % |
| 2024 | 39 % |
| 2025 | 64 % |
| 2026 (up to April) | 76 % |
Since 2017, North Korean‑linked actors have stolen over $6 billion in crypto. Their share of the global total has risen steadily, reaching an unprecedented 76 % in early 2026.
Expert Assessment
North Korean hackers are reportedly adopting artificial‑intelligence tools to refine social engineering and attack planning. The precision seen in the Drift Protocol breach—weeks of targeted manipulation of complex blockchain mechanisms—signals a shift toward high‑precision, low‑frequency operations designed to evade detection.