North Korean state-backed hackers stole $577 million across two attacks in April 2026, accounting for 76 percent of all cryptocurrency hack losses recorded so far this year, according to a report published by blockchain intelligence firm TRM Labs on April 29. The two incidents, the $292 million KelpDAO exploit and the $285 million Drift Protocol attack, pushed cumulative DPRK crypto theft since 2017 past $6 billion. The scale of concentration is new: North Korea has never previously dominated a full year’s hack losses by this margin with so few attacks.
Key Highlights
- North Korean hackers stole $577 million in April 2026 across two attacks, accounting for 76 percent of all 2026 crypto hack losses per TRM Labs
- The KelpDAO exploit on April 9 resulted in a $292 million loss through a vulnerability in the rsETH liquid restaking bridge
- The Drift Protocol attack on April 21 resulted in a $285 million loss through a compromised oracle manipulation technique
- Cumulative North Korean crypto theft since 2017 has now exceeded $6 billion
- DPRK stole $2.02 billion in 2025, a 51 percent increase year over year, and the 2026 pace is running notably ahead of that trajectory
- North Korean hackers achieved larger thefts with fewer attacks by embedding IT workers inside crypto firms and targeting executives directly
- A March 2026 supply chain attack bugged software used by thousands of US companies, per CNN
The Two April Attacks in Detail
The KelpDAO exploit on April 9 targeted the rsETH liquid restaking bridge, a mechanism that allows users to stake Ethereum and receive a liquid token representing their staked position while still having access to funds. TRM Labs attributed the attack to Lazarus Group, the North Korean state hacking unit responsible for the majority of DPRK crypto theft operations.
The attack exploited a vulnerability in the bridge’s cross-chain message verification process, allowing the attacker to mint rsETH tokens without providing the corresponding ETH collateral. The $292 million in affected funds included both user deposits and protocol-owned liquidity. The Ethereum Foundation’s continued security research investment did not cover this bridge-layer vulnerability, which sits above the base protocol level where Foundation funding focuses.
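The invariants a bridge receiver has to enforce before minting, shown as an added example (this is not KelpDAO's code, and the attester keys, message fields and quorum size are constructed for the demonstration): a quorum of valid attestations, one-time nonces, and a mint amount bounded by the attested locked collateral.

```python
# Added example, not any real bridge's code. A receiving-side check for a
# cross-chain mint message: the mint goes through only if a quorum of attesters
# signed exactly this message, the nonce has not been seen, and the minted amount
# is backed by the attested locked collateral. HMAC tags stand in for signatures.
import hmac
import hashlib
import json

# Constructed attester secrets standing in for validator signing keys (hypothetical).
ATTESTERS = {"att-a": b"key-a", "att-b": b"key-b", "att-c": b"key-c"}
QUORUM = 2  # distinct attester signatures required per message


def canonical(msg: dict) -> bytes:
    """Deterministic encoding of the attested message fields."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def attest(attester: str, msg: dict) -> str:
    """Attester produces an HMAC tag over the canonical message."""
    return hmac.new(ATTESTERS[attester], canonical(msg), hashlib.sha256).hexdigest()


class BridgeReceiver:
    def __init__(self):
        self.used_nonces = set()
        self.minted = 0

    def process(self, msg: dict, sigs: dict) -> bool:
        """Mint and return True only if every invariant holds; otherwise reject."""
        valid = {a for a, tag in sigs.items()
                 if a in ATTESTERS and hmac.compare_digest(tag, attest(a, msg))}
        if len(valid) < QUORUM:
            return False                      # missing or forged attestations
        if msg["nonce"] in self.used_nonces:
            return False                      # replay of a processed message
        if msg["mint_amount"] > msg["locked_collateral"]:
            return False                      # mint must be backed by locked ETH
        self.used_nonces.add(msg["nonce"])
        self.minted += msg["mint_amount"]
        return True


def demo():
    rx = BridgeReceiver()
    good = {"nonce": 1, "locked_collateral": 100, "mint_amount": 100}
    sigs = {a: attest(a, good) for a in ("att-a", "att-b")}
    ok = rx.process(good, sigs)
    # Amount altered after attestation: tags no longer match, so it is rejected.
    forged_ok = rx.process(dict(good, nonce=2, mint_amount=1000), sigs)
    replay_ok = rx.process(good, sigs)        # same nonce presented again
    return ok, forged_ok, replay_ok, rx.minted
```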
The Drift Protocol attack on April 21 used a different technique. Drift is a decentralized perpetuals exchange on Solana. The attack involved manipulating the price oracle Drift uses to calculate liquidation thresholds, artificially moving reported prices to trigger mass liquidations that the attacker simultaneously positioned to profit from. The oracle manipulation drained $285 million from the protocol across a 40-minute window before the Drift team suspended trading.
Why 76 Percent From Two Attacks
The concentration of 76 percent of all 2026 crypto hack losses in two attacks is unprecedented in the data TRM Labs has tracked. Previous years showed North Korea responsible for a large but distributed share across many smaller attacks. The shift to fewer, larger attacks reflects a strategic change in DPRK hacking operations.
TRM Labs analysts describe the evolution as deliberate targeting of higher-value protocols rather than opportunistic scanning for vulnerabilities. Lazarus Group has moved toward embedding IT workers inside crypto companies under false identities, then using insider access to identify high-value attack vectors. Both the KelpDAO and Drift attacks show characteristics consistent with insider knowledge of the protocols’ architecture rather than external vulnerability scanning.
The March 2026 supply chain attack CNN reported on supports this pattern. North Korean hackers bugged a software package used by thousands of US companies, suggesting the DPRK has the operational patience to establish long-term access before executing high-value extractions. That patience makes traditional perimeter security insufficient as a defense.
Cumulative Theft Since 2017 and What It Funds
The $6 billion in cumulative North Korean crypto theft since 2017 is not incidental. Multiple US government reports, including assessments from the Office of Foreign Assets Control and the FBI, have documented that DPRK uses stolen crypto to fund weapons development programs, circumventing international sanctions that restrict conventional banking access.
North Korea has been under comprehensive economic sanctions since 2006, with significant tightening after nuclear tests in 2017. The crypto theft program represents one of the few reliable hard currency revenue sources available to the Kim Jong Un regime. The $577 million stolen in April alone is estimated to exceed North Korea’s total annual export revenue through conventional trade channels.
That funding context explains why North Korea invests heavily in the operational capabilities needed for sophisticated crypto attacks. The return on investment is significant relative to the country’s economic constraints, and the technical barriers to attribution create enough deniability to limit diplomatic consequences.
How the Attacks Are Getting Harder to Stop
Traditional DeFi security frameworks assume attackers are external and unknown. The North Korean model increasingly assumes attackers are internal and patient. That inversion makes existing audit and monitoring practices insufficient because they are designed to catch vulnerabilities exploitable from the outside, not insider-assisted attacks timed for maximum extraction.
The KelpDAO attack exploited a bridge vulnerability that was not flagged in the protocol’s most recent audit, completed three months prior. Audits are point-in-time assessments. Bridge code that passes an audit in January can develop vulnerabilities through subsequent upgrades that introduce new logic paths. The macro environment of higher-for-longer rates compresses DeFi protocols’ revenue margins, which in turn constrains security spending at exactly the moment DPRK is escalating its targeting.
The Drift oracle manipulation attack required the attacker to anticipate the protocol’s automated liquidation response to price moves and position accordingly. That level of precision suggests either extensive prior testing or insider knowledge of the liquidation engine’s parameters. Drift has not publicly confirmed which vector enabled the attack.
Industry Response and What Needs to Change
Following the April attacks, several major DeFi protocols announced enhanced oracle validation requirements and bridge security freezes pending third-party review. Aave’s governance voted to pause rsETH as collateral until a full cross-chain bridge audit is completed. Solana ecosystem security firm Sec3 announced an accelerated review of all oracle-dependent protocols on the network.
TRM Labs recommended three changes in its April 29 report: mandatory employee identity verification using government-backed systems for all engineering roles at DeFi protocols, multi-oracle price validation with time-weighted averages to prevent single-point oracle manipulation, and real-time on-chain anomaly monitoring with automatic pause functionality for protocols handling more than $100 million in user funds.
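The second and third TRM Labs recommendations, multi-oracle validation against a time-weighted average and an automatic pause, applied to the kind of price move described in the Drift oracle manipulation above. This is an added illustration, not Drift's or TRM Labs' code; the feed names, prices, window and deviation thresholds are constructed for the demonstration.

```python
# Added example, not any protocol's production oracle. Each round takes several
# feed reports, discards outliers against the cross-feed median, compares the
# agreed price with a time-weighted average of recently accepted prices, and
# pauses (so no liquidations run) when agreement or the TWAP check fails.
from collections import deque
from statistics import median


class GuardedOracle:
    def __init__(self, window=5, max_feed_dev=0.05, max_twap_dev=0.10):
        self.max_feed_dev = max_feed_dev  # tolerated spread of one feed vs median
        self.max_twap_dev = max_twap_dev  # tolerated jump of agreed price vs TWAP
        self.history = deque(maxlen=window)  # (timestamp, price) of accepted rounds
        self.paused = False

    def twap(self):
        """Time-weighted average of accepted prices; None until two rounds exist."""
        if len(self.history) < 2:
            return None
        pts = list(self.history)
        weighted = sum(p * (t2 - t1) for (t1, p), (t2, _) in zip(pts, pts[1:]))
        return weighted / (pts[-1][0] - pts[0][0])

    def update(self, ts, feeds: dict):
        """Validate one round of feed reports; return the accepted price or None."""
        if self.paused:
            return None
        med = median(feeds.values())
        # Ignore any single feed that strays too far from the cross-feed median.
        agree = {k: p for k, p in feeds.items() if abs(p - med) / med <= self.max_feed_dev}
        if len(agree) < 2 or len(agree) * 2 <= len(feeds):
            self.paused = True            # no majority agreement: circuit breaker
            return None
        price = median(agree.values())
        ref = self.twap()
        if ref is not None and abs(price - ref) / ref > self.max_twap_dev:
            self.paused = True            # agreed price jumped too far from TWAP
            return None
        self.history.append((ts, price))
        return price


def demo():
    g = GuardedOracle()
    normal = [(0, 100.0), (10, 101.0), (20, 100.5), (30, 101.5)]
    accepted = [g.update(t, {"a": p, "b": p * 1.001, "c": p * 0.999}) for t, p in normal]
    # One feed reports a 40% drop while the others hold: it is ignored, not acted on.
    single = g.update(40, {"a": 60.0, "b": 101.0, "c": 101.2})
    # Every feed reports a ~30% crash against the TWAP: the protocol pauses instead.
    crash = g.update(50, {"a": 70.0, "b": 70.5, "c": 69.5})
    return accepted, single, crash, g.paused
```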
As institutional adoption of blockchain infrastructure grows, the attack surface for state-sponsored hackers expands proportionally. Visa, Broadridge, and other traditional financial institutions entering the blockchain space bring both legitimacy and new vulnerabilities into an ecosystem that has historically operated with lower identity verification standards than traditional finance requires.
The Broader 2026 Security Picture
Total 2026 crypto hack losses through April 30 are approximately $760 million, of which $577 million is DPRK-attributed. The remaining $183 million represents losses from non-state attacks including rug pulls, protocol exploits, and bridge failures without confirmed attribution.
Chainalysis reported in its 2026 mid-year assessment that total 2025 crypto theft reached $3.4 billion across all categories. The 2026 pace, if sustained at the April run rate, would substantially exceed that figure. However, attack frequency is lumpy. A quiet May and June would notably change the full-year projection.
What does not change regardless of quarterly fluctuations is the structural reality that North Korea has built a professional, state-funded hacking operation targeting crypto assets as a primary revenue source. The institutionalization of tokenized assets creates new targets with larger balances and, in some cases, legacy security assumptions that do not map to the DPRK threat model.
The TCB View
The 76 percent concentration figure is the most important number in this report, and not because it is alarming in isolation. It is alarming because of what it implies about the trajectory. North Korea has not become more sophisticated by accident. DPRK has systematically invested in crypto targeting capability over eight years because the returns justify it. Two attacks in one month netting $577 million from a sanctioned country with no viable conventional revenue is an extraordinary return on operational investment. The DeFi industry’s response has been adequate for the previous generation of external attackers. It is not adequate for state-sponsored insider operations. The protocols that survive the next generation of DPRK attacks will be those that treat employee identity verification, multi-layer oracle validation, and automated circuit breakers as security requirements rather than operational overhead. While macro conditions dominate short term price action, the security infrastructure of the DeFi ecosystem will determine whether institutional capital has a safe home in blockchain networks over the longer term. That is a question of survival, not just performance.