North Korea Stole 76 Percent of All Crypto Lost in 2026. Just Two Attacks Did It.

By Satish Chand Gupta

Key Highlights

  • North Korean hackers stole $577 million across two April 2026 exploits, according to TRM Labs
  • That figure represents 76% of all cryptocurrency stolen globally in 2026 so far
  • The two attacks were the $292 million KelpDAO drain and the $285 million Drift Protocol hack
  • Cumulative DPRK linked crypto theft since 2017 now exceeds $6 billion
  • TRM Labs analysts believe AI is accelerating North Korea’s social engineering and reconnaissance capabilities

North Korea’s state sponsored hacking operation just posted its most productive quarter on record. In April 2026, two attacks attributed to DPRK linked threat actors drained $577 million from two major DeFi protocols. That figure represents 76% of every dollar of cryptocurrency stolen across all incidents globally in 2026. Two attacks. Three months of the year. More than half a billion dollars gone.

The numbers come from blockchain intelligence firm TRM Labs, which published its analysis of the first quarter crypto threat landscape on May 2. The report is striking not because of the total but because of the concentration. North Korea linked actors executed just 3% of all crypto incidents recorded in 2026 but were responsible for 76% of total losses. Two attacks changed the entire shape of the year’s security data.

The Two Attacks Behind the Number

The first was the $292 million KelpDAO exploit in mid April. KelpDAO, the liquid restaking protocol built on top of EigenLayer, was drained when attackers exploited a cross chain bridge verification flaw. The attack unfolded across multiple chains, with Arbitrum’s Network Security Council freezing approximately $71 million before the rest could be laundered. The remaining funds moved to Bitcoin via THORChain. The KelpDAO incident prompted a broad security review of cross chain bridge architecture and renewed calls for mandatory bridge audits before deployment.

The second was the $285 million Drift Protocol hack. The Drift attack is in many ways more alarming than KelpDAO, not because of the sum but because of the method. Hackers spent months building in person relationships with protocol signers before the drain, executing the full attack in approximately 12 minutes once access was established. The funds moved across chains to Ethereum almost immediately after the exploit but have been largely dormant since. The divergence in laundering approach between the two attacks (one pivoting to Bitcoin, the other sitting still on Ethereum) suggests either distinct operational teams or deliberate misdirection.

Three Percent of Incidents, 76 Percent of Losses

The concentration ratio in TRM Labs’ report deserves more attention than it has received. North Korean actors did not simply participate in the 2026 hack landscape. They dominated it while participating rarely. Most threat actors execute many small attacks and accept a mix of outcomes. The DPRK operation appears to work on a different model: deep investment in a small number of high value targets, with extended preparation timescales measured in weeks or months before execution.

That model explains why the Drift attack involved weeks of physical presence and social engineering before a 12-minute payout. It also explains the scale differential. Most protocol hacks in 2026 have fallen in the $1 million to $10 million range: the kind of targets that opportunistic attackers hit when they find an unpatched vulnerability. The DPRK operation targets protocols with eight and nine figure treasuries and works backward from the target to the method.

Cumulative Losses Cross $6 Billion Since 2017

TRM Labs’ report also notes that cumulative DPRK attributed crypto theft since 2017 has now crossed $6 billion. The direction of travel is not new. North Korean crypto theft has been documented since the 2017 exchange raids. But the scale has accelerated substantially. The operation took roughly four years to steal its first billion. It added $577 million in a single month.

The UN Panel of Experts and the US Treasury Department have both documented DPRK’s use of stolen crypto to fund the country’s ballistic missile and nuclear weapons programs, bypassing international sanctions that restrict access to foreign currency. The operation is not just financially motivated. It is structurally necessary to the regime’s military spending.

AI Is Sharpening the Toolkit

TRM Labs analysts flagged something else in their report: a belief that North Korea’s increasing use of artificial intelligence is contributing to its improved operational output. The specific mechanisms are not detailed publicly, but the hypothesis centers on AI assisted reconnaissance, which can process large amounts of publicly available information about protocol architectures and personnel, and AI assisted social engineering, which can generate convincing fake identities and maintain plausible correspondence at scale.

Both capabilities address longstanding bottlenecks in the DPRK operation. Building cover identities and maintaining them over weeks or months of in person contact is labor intensive. AI tools that can generate consistent background detail, maintain conversation tone, and flag inconsistencies in a cover story reduce the human effort required substantially. The Drift attack involved weeks of in person presence, suggesting physical operatives were deployed, but AI could have substantially reduced the preparation burden for those operatives. The weaponization of AI by state actors is precisely the capability concern that animated the Pentagon’s classified AI procurement in May 2026.

What the Industry Can Actually Do

The TRM Labs report is a diagnosis, not a prescription, but the data points to several interventions that could reduce exposure. The first is identity verification for contributors and signers. Both the Drift and KelpDAO attacks involved compromised access at the key management level. Protocols with multisig governance structures need to apply the same rigor to signer identity verification that financial institutions apply to employee background checks. Anonymous or pseudonymous signers holding keys to eight figure treasuries are a structural vulnerability.

The second is cross chain monitoring infrastructure. Both attacks involved rapid movement across multiple chains after the initial drain. Protocols and chains that share monitoring infrastructure and can coordinate emergency freezes, as Arbitrum demonstrated in the KelpDAO case, can recover a meaningful portion of stolen funds. Protocols that operate in isolation cannot. While institutional capital continues flowing into the asset class, the inability to demonstrate credible security infrastructure will become a more significant barrier to mainstream adoption.

The third is AI augmented threat detection. If North Korea is using AI to improve its attack preparation, the defense side of that equation requires the same upgrade. On chain anomaly detection systems that flag unusual governance activity, large cross chain transfers, and signer behavior changes in real time give incident responders a chance to intervene before the full drain completes. Twelve minutes is a short window. But it is a window.
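As an added illustration of the second and third interventions (not code from TRM Labs or the article), the detector below runs over a constructed stream of treasury events and correlates three signals the text names: signer set changes, large outflows, and an immediate bridge transfer after a withdrawal. Thresholds, event fields and addresses are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune to the treasury size and normal activity.
LARGE_TRANSFER_USD = 10_000_000
CORRELATION_WINDOW = timedelta(minutes=15)

@dataclass
class Event:
    ts: datetime
    kind: str            # "signer_change", "withdraw" or "bridge_out"
    actor: str
    amount_usd: float = 0.0
    detail: str = ""

def detect(events):
    """Return (timestamp, rule, message) alerts for a stream of treasury events."""
    alerts = []
    signer_changes = []   # timestamps of recent signer-set modifications
    last_withdraw = None  # most recent withdrawal, for bridge correlation
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "signer_change":
            signer_changes.append(e.ts)
            alerts.append((e.ts, "signer_change", f"{e.actor}: {e.detail}"))
            continue
        if e.amount_usd >= LARGE_TRANSFER_USD:
            alerts.append((e.ts, "large_transfer", f"{e.kind} ${e.amount_usd:,.0f} by {e.actor}"))
        # Any outflow shortly after the signer set changed is the pattern to catch early.
        if any(e.ts - t <= CORRELATION_WINDOW for t in signer_changes):
            alerts.append((e.ts, "outflow_after_signer_change", f"{e.kind} within {CORRELATION_WINDOW} of signer change"))
        if e.kind == "withdraw":
            last_withdraw = e
        elif e.kind == "bridge_out" and last_withdraw and e.ts - last_withdraw.ts <= CORRELATION_WINDOW:
            alerts.append((e.ts, "rapid_cross_chain", f"bridged to {e.detail} {e.ts - last_withdraw.ts} after withdrawal"))
    return alerts

# Constructed sample events, not real chain data: a routine payment, then a new
# signer is added and a large withdrawal is bridged out within minutes.
T0 = datetime(2026, 4, 15, 3, 0)
SAMPLE_EVENTS = [
    Event(T0, "withdraw", "ops-multisig", 250_000, "routine payroll"),
    Event(T0 + timedelta(hours=2), "signer_change", "0xNEWSIGNER", 0, "signer added, threshold 2-of-3"),
    Event(T0 + timedelta(hours=2, minutes=4), "withdraw", "0xNEWSIGNER", 80_000_000, "treasury vault"),
    Event(T0 + timedelta(hours=2, minutes=9), "bridge_out", "0xNEWSIGNER", 80_000_000, "ethereum"),
]

if __name__ == "__main__":
    for ts, rule, msg in detect(SAMPLE_EVENTS):
        print(ts.isoformat(), rule, msg)
```

The benign first withdrawal raises nothing; the signer change plus the correlated outflow and bridge hop produce six alerts, the first of them minutes before the funds leave the chain.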

The TCB View

Seventy six percent of all stolen crypto value attributed to one state actor in three months is not a security problem. It is a geopolitical problem wearing a security mask. The DPRK operation has graduated from opportunistic exchange raids to systematic, patient, high value targeting of DeFi protocols. The sophistication gap between how North Korea attacks and how the industry defends has been growing for years. As real world asset tokenization brings more capital on chain, that gap becomes more consequential. The Drift and KelpDAO attacks combined moved more money than most regulated financial crime incidents in 2026. The industry needs to start treating state sponsored threat actors as the primary adversary, not the exceptional case.

Satish Chand Gupta is the founder and editor in chief of The Central Bulletin. He covers Bitcoin, macro markets, and the intersection of digital assets with global finance. With years of experience tracking crypto markets and Web3 infrastructure, Satish focuses on original analysis and data-driven reporting.