
North Korea Accounts for 76% of Crypto Hack Losses in 2026 With Drift and KelpDAO Exploits

2026/05/01 05:14

North Korean hacking groups were responsible for 76% of all crypto hack losses in 2026 through April, according to a report published by TRM Labs. The same incidents accounted for just 3% of total attacks. The firm attributes approximately $577 million in stolen funds to two cases: the Drift Protocol breach on April 1 and the KelpDAO exploit on April 18.

TRM said the two incidents represent only a small share of total attacks this year but account for the vast majority of losses. The report describes a pattern where a limited number of high-value operations drive most of the damage, rather than a broad increase in attack frequency.

North Korea’s total attributed crypto theft now exceeds $6 billion since 2017, based on TRM’s data.

North Korea's Share of Crypto Theft Has Climbed Every Year Since 2020

TRM's data shows North Korea's share of total crypto hack losses rising from under 10% in 2020 and 2021 to 22% in 2022, 37% in 2023, 39% in 2024, and 64% in 2025. The 76% figure for 2026 year-to-date is the highest sustained share TRM has recorded.

The 2025 jump was driven almost entirely by the Bybit breach in February of that year, in which $1.46 billion was stolen from a cold wallet via a compromised Safe{Wallet} signing interface. TRM said Bybit remains the largest single crypto hack on record.

The attack cadence has not changed. TRM said North Korean hacking teams continue to run a small number of precisely targeted operations each year rather than a high-volume campaign.

What has changed, according to TRM analysts, is the sophistication of the operations. The report says analysts are beginning to speculate that North Korean operators use AI tools in reconnaissance and social engineering workflows. It cites the Drift attack as consistent with that trend: the operation took weeks of targeted manipulation of complex on-chain mechanisms rather than the simple private key compromises North Korea has historically relied on.

Drift Protocol Hack Drained $285 Million After Months of Social Engineering

TRM attributed the Drift attack to a North Korean group it assesses as distinct from TraderTraitor, a state-linked North Korean threat actor known for targeting crypto firms through social engineering. The specific subgroup is still under investigation.

The campaign began months before the theft and involved in-person meetings between North Korean proxies and Drift employees, which TRM said may be unprecedented in North Korea's crypto hacking history. On-chain staging started March 11 with a 10 ETH withdrawal from Tornado Cash.

The attack exploited a Solana feature called a durable nonce, which removes the normal expiry of a pre-signed transaction: instead of becoming invalid once its recent blockhash is more than roughly 90 seconds old, the transaction stays valid until the nonce account it references is advanced. Between March 23 and March 30, the attacker induced Drift's Security Council multisig signers to pre-authorize transactions using durable nonces. On March 27, Drift migrated its Security Council to a 2/5 threshold configuration with zero timelock, which the attacker later exploited.
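The following is an added example, not Drift's or Solana's code, showing why a durable-nonce transaction defeats the assumption that a pre-signed Solana transaction dies within about a minute, together with the kind of pre-signing check a multisig member could run. The dataclasses are a stripped-down stand-in for a Solana message. Two facts it relies on are real: a normal transaction is valid only while its recent_blockhash is among the last ~150 slots, and a durable-nonce transaction must carry the System Program's AdvanceNonceAccount instruction (index 4) as its first instruction, with the nonce account's stored value in the recent_blockhash field. The slot numbers, hashes, account names, program name and multisig parameters are constructed for the demo.

```python
"""Durable-nonce validity versus blockhash expiry, plus a signer-side review.
Added example; simplified model, not Drift's or Solana's code."""
import struct
from dataclasses import dataclass, field

SYSTEM_PROGRAM = "11111111111111111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4        # SystemInstruction enum index (real value)
BLOCKHASH_VALIDITY_SLOTS = 150   # roughly 60-90 seconds of slots


@dataclass
class Instruction:
    program_id: str
    data: bytes
    accounts: list = field(default_factory=list)


@dataclass
class Transaction:
    recent_blockhash: str          # holds the nonce value for durable-nonce txs
    instructions: list
    signers: list


@dataclass
class Ledger:
    """Constructed chain state: the slot each blockhash was produced in, and
    the current stored value of each nonce account."""
    slot: int
    blockhash_slot: dict
    nonce_value: dict

    def uses_durable_nonce(self, tx):
        if not tx.instructions:
            return False
        ix = tx.instructions[0]
        return (ix.program_id == SYSTEM_PROGRAM and len(ix.data) >= 4
                and struct.unpack("<I", ix.data[:4])[0] == ADVANCE_NONCE_ACCOUNT)

    def is_executable(self, tx):
        if self.uses_durable_nonce(tx):
            nonce_account = tx.instructions[0].accounts[0]
            # Valid for as long as nobody advances the nonce: no clock involved.
            return self.nonce_value.get(nonce_account) == tx.recent_blockhash
        produced = self.blockhash_slot.get(tx.recent_blockhash)
        return produced is not None and self.slot - produced <= BLOCKHASH_VALIDITY_SLOTS

    def advance_nonce(self, nonce_account, new_value):
        self.nonce_value[nonce_account] = new_value


def signer_review(ledger, tx, threshold, signer_count, timelock_seconds):
    """Findings a Security Council signer should see before adding a signature.
    Each alone is defensible; together they let a minority of signers
    pre-authorize a withdrawal that executes whenever the holder chooses."""
    findings = []
    if ledger.uses_durable_nonce(tx):
        findings.append("durable nonce: signature stays valid until the nonce is advanced")
    if timelock_seconds == 0:
        findings.append("zero timelock: executes immediately once the threshold is met")
    if threshold * 2 <= signer_count:
        findings.append(f"{threshold}/{signer_count}: fewer than half the signers can execute")
    return findings


def demo():
    advance_ix = Instruction(SYSTEM_PROGRAM, struct.pack("<I", ADVANCE_NONCE_ACCOUNT),
                             accounts=["NonceAcct", "RecentBlockhashesSysvar", "NonceAuthority"])
    withdraw_ix = Instruction("VaultProgramStandIn", b"withdraw")   # hypothetical program
    ledger = Ledger(slot=1_000, blockhash_slot={"BH900": 900}, nonce_value={"NonceAcct": "NONCE1"})

    normal = Transaction("BH900", [withdraw_ix], ["s1", "s2"])
    durable = Transaction("NONCE1", [advance_ix, withdraw_ix], ["s1", "s2"])

    at_signing = (ledger.is_executable(normal), ledger.is_executable(durable))
    ledger.slot = 1_000_000                      # days later
    days_later = (ledger.is_executable(normal), ledger.is_executable(durable))
    ledger.advance_nonce("NonceAcct", "NONCE2")  # the only thing that invalidates it
    after_advance = ledger.is_executable(durable)
    findings = signer_review(ledger, durable, threshold=2, signer_count=5, timelock_seconds=0)
    return {"at_signing": at_signing, "days_later": days_later,
            "after_advance": after_advance, "findings": len(findings)}


if __name__ == "__main__":
    print(demo())
```

The point of the model is the second tuple: days after signing, the ordinary transaction is dead while the durable-nonce one still executes, and only advancing the nonce account kills it. A signing policy that flags the AdvanceNonceAccount-first pattern, rather than assuming expiry, is the check the Drift signers did not have.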

In parallel, the attacker manufactured a token called CarbonVote Token (CVT), seeded it with liquidity, and inflated the price through wash trading. Drift's oracles treated CVT as legitimate collateral.

On April 1, the pre-signed transactions were broadcast. TRM said 31 withdrawals executed in approximately 12 minutes, draining USDC, JLP (the Jupiter liquidity provider token), and other assets. Most of the funds were bridged to Ethereum within hours and have not moved since.

KelpDAO Lost $292 Million Through a Single-Verifier LayerZero Flaw

The KelpDAO breach on April 18 targeted the project's rsETH LayerZero bridge on Ethereum. rsETH is KelpDAO's liquid restaking token, which represents ETH restaked across multiple protocols.

According to TRM, the attackers compromised two internal RPC nodes and swapped out the node software to cause them to report false blockchain data. They then launched a DDoS attack against external uncompromised RPC nodes, forcing the bridge's verifier to fail over to the two poisoned internal nodes.

The poisoned nodes falsely reported that rsETH had been burned on the source chain, even though no burn had occurred. The single verifier confirmed the fraudulent cross-chain message as legitimate, and the attacker drained approximately 116,500 rsETH worth around $292 million from the bridge contract.

TRM said the single-DVN (Decentralized Verifier Network) configuration is the defining vulnerability. LayerZero supports configuring multiple independent verifiers for cross-chain validation, but KelpDAO's rsETH deployment used only the LayerZero Labs DVN. With no second verifier required to agree, one poisoned data source was enough.
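The following is an added example, not KelpDAO's or LayerZero's code, modelling the two failure points described above: a single verifier whose RPC fail-over lands on poisoned nodes, and a configuration with no second verifier to disagree. The quorum rule follows LayerZero V2's ULN configuration (every DVN in requiredDVNs must verify, and at least optionalDVNThreshold of optionalDVNs), but RpcNode, DVN, the receipt format, the node names and the 116,500 rsETH "burn" claim are constructed stand-ins, not real chain data.

```python
"""Single DVN with RPC fail-over versus a required-DVN quorum.
Added example; simplified model, not KelpDAO's or LayerZero's code."""
from dataclasses import dataclass, field

# Attacker's cross-chain claim: a burn that never happened (constructed).
CLAIMED_BURN = {"tx": "0xfakeburn", "amount": 116_500}


@dataclass
class RpcNode:
    name: str
    reachable: bool = True     # False while under DDoS
    poisoned: bool = False     # swapped node software: answers with attacker data

    def burn_amount(self, tx_hash):
        """Burned amount this node reports for tx_hash (0 if no such burn)."""
        if not self.reachable:
            raise ConnectionError(self.name)
        if self.poisoned and tx_hash == CLAIMED_BURN["tx"]:
            return CLAIMED_BURN["amount"]    # fabricated
        return 0                             # honest view of the source chain


@dataclass
class DVN:
    name: str
    rpc_pool: list               # preferred nodes first, fall-backs after
    min_agreeing_sources: int = 1

    def verify(self, tx_hash, claimed_amount):
        """With min_agreeing_sources=1 this is 'first node that answers wins',
        the fail-over the DDoS steered onto the poisoned nodes. With a higher
        value the DVN needs that many independent answers and fails closed."""
        answers = []
        for node in self.rpc_pool:
            try:
                answers.append(node.burn_amount(tx_hash))
            except ConnectionError:
                continue
            if len(answers) == self.min_agreeing_sources:
                break
        if len(answers) < self.min_agreeing_sources:
            return False           # not enough healthy sources: refuse, do not guess
        return all(a == claimed_amount for a in answers)


@dataclass
class UlnConfig:
    required_dvns: list
    optional_dvns: list = field(default_factory=list)
    optional_threshold: int = 0


def message_verified(cfg, tx_hash, claimed_amount):
    required_ok = all(d.verify(tx_hash, claimed_amount) for d in cfg.required_dvns)
    optional_ok = sum(d.verify(tx_hash, claimed_amount)
                      for d in cfg.optional_dvns) >= cfg.optional_threshold
    return required_ok and optional_ok


def scenario():
    external = [RpcNode("ext-a", reachable=False), RpcNode("ext-b", reachable=False)]
    internal = [RpcNode("int-1", poisoned=True), RpcNode("int-2", poisoned=True)]
    independent = [RpcNode("other-provider-1"), RpcNode("other-provider-2")]
    tx, amt = CLAIMED_BURN["tx"], CLAIMED_BURN["amount"]

    # As deployed: one DVN, externals unreachable, fail-over to the poisoned internals.
    single = UlnConfig(required_dvns=[DVN("lz-labs-dvn", external + internal)])
    # Same DVN plus a second required DVN on independent infrastructure.
    two_required = UlnConfig(required_dvns=[DVN("lz-labs-dvn", external + internal),
                                            DVN("second-dvn", independent)])
    # One DVN that needs three agreeing sources; the honest provider disagrees.
    source_quorum = UlnConfig(required_dvns=[
        DVN("lz-labs-dvn", external + internal + independent, min_agreeing_sources=3)])
    # Same requirement, but only the two poisoned nodes are reachable: fails closed.
    fail_closed = UlnConfig(required_dvns=[
        DVN("lz-labs-dvn", external + internal, min_agreeing_sources=3)])

    return {"single_dvn": message_verified(single, tx, amt),
            "two_required_dvns": message_verified(two_required, tx, amt),
            "source_quorum": message_verified(source_quorum, tx, amt),
            "fail_closed": message_verified(fail_closed, tx, amt)}


if __name__ == "__main__":
    print(scenario())
```

Only the as-deployed configuration accepts the fabricated burn. Either mitigation works because it changes who must agree: a second required DVN on infrastructure the attacker did not control, or a verifier that treats "my preferred sources are down" as a reason to stop rather than a reason to trust whatever still answers.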

TRM attributed the exploit to North Korea based on on-chain analysis of both the pre-funding and the laundering. Part of the initial funding traced back to a 2018 Bitcoin wallet controlled by Wu Huihui, a Chinese crypto broker indicted in 2023 for laundering thefts by Lazarus Group, the North Korean state-linked hacking unit behind some of the largest crypto exploits on record. Other funds were sourced from the BTCTurk hack, another recent TraderTraitor theft.

Drift and KelpDAO Hacks Reveal Different Crypto Laundering Strategies

Drift and KelpDAO demonstrate distinct laundering approaches shaped by different operational conditions.

For Drift, the stolen tokens were converted to USDC via Jupiter, bridged to Ethereum, swapped into ETH, and distributed across fresh wallets. The funds have not moved since the day of the theft. The responsible group follows a documented North Korean pattern of holding proceeds for months or years before executing a structured cashout.

KelpDAO went the other way. The TraderTraitor hackers left approximately 30,766 ETH on Arbitrum, and the Arbitrum Security Council used emergency powers to freeze around $75 million of it. The freeze triggered a rapid laundering scramble.

Approximately $175 million in unfrozen ETH was swapped to Bitcoin, mostly through THORChain, a cross-chain liquidity protocol with no KYC requirement. Umbra, an Ethereum privacy tool, was used to obscure some wallet linkages before the conversion. TRM said the ongoing laundering phase is being handled almost entirely by Chinese intermediaries rather than the North Koreans themselves.

THORChain processed the majority of the proceeds from both the 2025 Bybit breach and the 2026 KelpDAO hack, converting hundreds of millions of dollars' worth of stolen ETH into Bitcoin without operator intervention. In 2025, most stolen Bybit funds were converted from ETH to BTC via THORChain between February 24 and March 2. KelpDAO followed the same playbook in April 2026.

THORChain's developers and validators have said the protocol is decentralized with no central operator and that it cannot reject transactions. Recent statements on X by project members suggest this is not, or has not always been, the case.

What TRM Says Compliance Teams Should Monitor

The report listed four monitoring priorities for exchanges and DeFi protocols.

Exchanges receiving BTC inflows from THORChain pools should screen against known KelpDAO and Lazarus Group address clusters, and re-screen deposits after 30 days, since attribution of KelpDAO-linked addresses is still being finalized.

Protocols using Solana Security Council multisig with durable nonce authorization should treat the Drift incident as a template attack that will be replicated, since it targeted governance infrastructure rather than application logic.

First-hop address screening alone will not catch funds that passed through intermediary wallets before reaching an exchange. Both KelpDAO and Bybit involved bridge or cross-chain infrastructure, and TRM said multi-hop analysis is required.
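The following is an added example, not TRM's tooling, showing the difference between first-hop and multi-hop screening and what re-screening against an expanded cluster catches. Every address and transfer is constructed: ATTACKER_CLUSTER stands in for a known attacker cluster, and the "swap-venue" hop stands in for a THORChain ETH-to-BTC conversion.

```python
"""First-hop versus multi-hop deposit screening over a constructed transfer graph,
with a re-screen after the flagged cluster grows. Added example, not TRM's code."""
from collections import defaultdict, deque

# Constructed: (sender, receiver, asset, amount). Cross-asset hops are traced like any other.
TRANSFERS = [
    ("attacker-1", "hop-a", "ETH", 500),
    ("hop-a", "hop-b", "ETH", 499),
    ("hop-b", "swap-venue", "ETH", 499),
    ("swap-venue", "hop-c", "BTC", 12.5),
    ("hop-c", "exchange-deposit-1", "BTC", 12.4),
    ("attacker-2", "exchange-deposit-2", "ETH", 40),     # direct; first-hop catches it
    ("clean-user", "exchange-deposit-3", "BTC", 1.0),
    ("unattributed-x", "hop-d", "ETH", 300),             # not yet attributed at first screen
    ("hop-d", "exchange-deposit-4", "ETH", 299),
]
ATTACKER_CLUSTER = {"attacker-1", "attacker-2"}


def incoming_graph(transfers):
    """receiver -> set of senders, so we can walk backwards from a deposit."""
    g = defaultdict(set)
    for sender, receiver, _asset, _amount in transfers:
        g[receiver].add(sender)
    return g


def first_hop(deposit, transfers, flagged):
    """What first-hop-only screening sees: is any direct sender flagged?"""
    return any(s in flagged for s, r, _, _ in transfers if r == deposit)


def hops_to_flagged(graph, deposit, flagged, max_hops):
    """Breadth-first search backwards from the deposit; shortest hop count to a
    flagged address, or None if none is found within max_hops."""
    seen = {deposit}
    frontier = deque([(deposit, 0)])
    while frontier:
        addr, depth = frontier.popleft()
        if addr in flagged:
            return depth
        if depth == max_hops:
            continue
        for sender in graph[addr]:
            if sender not in seen:
                seen.add(sender)
                frontier.append((sender, depth + 1))
    return None


def screen(deposits, transfers, flagged, max_hops=6):
    g = incoming_graph(transfers)
    return {d: {"first_hop": first_hop(d, transfers, flagged),
                "hops": hops_to_flagged(g, d, flagged, max_hops)} for d in deposits}


def demo():
    deposits = ["exchange-deposit-1", "exchange-deposit-2",
                "exchange-deposit-3", "exchange-deposit-4"]
    initial = screen(deposits, TRANSFERS, ATTACKER_CLUSTER)
    # 30 days on, attribution has expanded and unattributed-x is now in the cluster.
    expanded = ATTACKER_CLUSTER | {"unattributed-x"}
    rescreen = screen(deposits, TRANSFERS, expanded)
    return initial, rescreen


if __name__ == "__main__":
    for label, result in zip(("initial", "rescreen"), demo()):
        print(label, result)
```

Deposit 1 passes first-hop screening but sits five hops from the cluster across an ETH-to-BTC conversion; deposit 4 passes both screens on day one and is only caught when the cluster is re-screened after attribution expands. A real pooled swap venue links every user who passed through it, so production tooling narrows the backward walk with amount and timing heuristics; this example deliberately does not, which is why the hop count, not a binary verdict, is what it returns.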

TRM also pointed to its Beacon Network, which has more than 30 members, including Coinbase, Binance, Kraken, OKX, and Crypto.com, and auto-traces flagged attacker addresses in real time when North Korea-linked funds reach a participating institution.

Disclaimer: The articles reposted on this site are sourced from public platforms and are provided for informational purposes only. They do not necessarily reflect the views of MEXC. All rights remain with the original authors. If you believe any content infringes on third-party rights, please contact crypto.news@mexc.com for removal. MEXC makes no guarantees regarding the accuracy, completeness, or timeliness of the content and is not responsible for any actions taken based on the information provided. The content does not constitute financial, legal, or other professional advice, nor should it be considered a recommendation or endorsement by MEXC.