North Korea Hackers Crossed $6B in Crypto Theft — 76% of 2026 Losses From Two Bridge Attacks: TRM
TRM Labs put North Korea's cumulative crypto theft above $6 billion since 2017 — with two April incidents at KelpDAO ($292M) and Drift Protocol ($285M) accounting for 76% of 2026 losses across just 3% of incidents.
TRM Labs published its April 2026 hack accounting on April 30, and the headline number is the kind that resets industry assumptions: cumulative crypto theft attributable to North Korea-linked groups has crossed $6 billion since 2017, and Pyongyang now accounts for 76% of all 2026 hack losses through April — across just 3% of total incidents. Two April attacks did the work: a $292 million exploit of KelpDAO and a $285 million theft from Drift Protocol, totaling $577 million in a single month.
What actually happened — KelpDAO and Drift
The two attacks share a state-actor profile but used very different vectors. KelpDAO was hit through a single-verifier design in a LayerZero bridge: attackers compromised RPC infrastructure and manipulated cross-chain validation logic to mint or release funds against forged messages. The laundering phase was unusually fast, with stolen ETH cross-chain-swapped to BTC via THORChain and the Bitcoin layer handed off to Chinese intermediaries — a pattern TRM has been mapping for months. Drift Protocol, by contrast, was a social-engineering long-game: TRM analysts described months of in-person meetings between North Korean proxies and Drift employees, a tactic the firm called potentially unprecedented in DPRK's lengthy crypto-hacking campaign. The Drift exploit relied on operationally placed insiders rather than a code-level bug, which makes it a much harder class of attack to defend against with audits.
The trend line is what matters
North Korea's share of total annual crypto-hack losses has climbed in a near-straight line: under 10% in 2020 and 2021, 22% in 2022, 37% in 2023, 39% in 2024, 64% in 2025, and 76% through April 2026. The 2026 figure is the highest sustained share TRM has ever recorded. The mechanism for the climb is twofold: DPRK groups have invested in operational tradecraft (Lazarus, APT38, the broader cluster) at a level no other state or criminal group matches, and the rest of the industry has gotten meaningfully better at preventing run-of-the-mill exploits — meaning when a major theft does occur, the actor behind it is increasingly likely to be Pyongyang. The cumulative $6B figure includes Ronin ($625M, 2022), Atomic Wallet ($100M, 2023), DMM Bitcoin ($305M, 2024), Bybit ($1.46B, 2025), and now KelpDAO + Drift.
The defensive surface that has to change
Three concrete shifts are implied by this report. First, bridge architecture: single-verifier or low-quorum designs (LayerZero in some configurations, but also any unmonitored multi-sig) need to be retired in favor of zero-knowledge proofs or higher-quorum verification; KelpDAO is the seventh bridge-class incident in two years. Second, insider screening: the Drift in-person model means traditional KYC and remote-employee verification are no longer sufficient; protocols handling more than $100M in TVL should treat key technical hires the way intelligence agencies treat cleared roles, including in-person identity confirmation and anomaly monitoring. Third, laundering response: the Bitcoin/THORChain off-ramp window is now consistently 24–72 hours; on-chain investigators need pre-built deconfliction with mining pools, OFAC sanctions partners and exchange compliance teams to interdict at scale. The current state of all three is not adequate.
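The single-verifier weakness described for KelpDAO and the higher-quorum alternative named in the first shift, as an added example that is not taken from TRM's report or from any bridge's code. HMAC keys stand in for verifier signatures, and the verifier names, message fields and function names are hypothetical.

```python
import hashlib
import hmac

# Constructed verifier set. HMAC with per-verifier keys stands in for real
# public-key signatures (assumption, to keep the example standard-library only).
KEYS = {"v1": b"k1-constructed", "v2": b"k2-constructed", "v3": b"k3-constructed"}


def digest(src_chain: str, nonce: int, recipient: str, amount: int) -> bytes:
    """Hash the fields the destination chain would act on."""
    payload = f"{src_chain}|{nonce}|{recipient}|{amount}".encode()
    return hashlib.sha256(payload).digest()


def attest(verifier: str, msg_digest: bytes) -> bytes:
    """What a verifier emits once it believes the message exists on the source chain."""
    return hmac.new(KEYS[verifier], msg_digest, hashlib.sha256).digest()


def accept(msg_digest: bytes, attestations: dict, allowed: set, threshold: int) -> bool:
    """Release funds only if `threshold` distinct allowed verifiers attest to this digest."""
    if not 1 <= threshold <= len(allowed):
        raise ValueError("threshold must be between 1 and the verifier count")
    valid = {
        v for v, tag in attestations.items()
        if v in allowed and hmac.compare_digest(tag, attest(v, msg_digest))
    }
    return len(valid) >= threshold


def audit(allowed: set, threshold: int) -> list:
    """Flag quorum settings where one misled verifier decides the outcome."""
    findings = []
    if len(allowed) == 1:
        findings.append("only one verifier is configured")
    if threshold == 1:
        findings.append("a single attestation is sufficient to release funds")
    return findings


def scenario() -> dict:
    """Verifier v1 was fed false chain data and attests to a message that was never sent."""
    forged = digest("chain-A", 7, "0xRECIPIENT_PLACEHOLDER", 10**6)
    atts = {"v1": attest("v1", forged)}
    return {
        "single_verifier": accept(forged, atts, {"v1"}, 1),
        "two_of_three": accept(forged, atts, {"v1", "v2", "v3"}, 2),
    }
```

Running `audit` over a deployment's configured verifier set and threshold before launch catches the single-attestation case without waiting for a forged message to test it.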
The historical climb in DPRK's share of crypto theft
The numbers tell a clean story when laid out year by year. 2020 and 2021: under 10% of total crypto-hack losses attributable to North Korea. 2022: 22%, the year of the Ronin bridge ($625M) and Harmony bridge ($100M) attacks. 2023: 37%, with multiple incidents (Atomic Wallet, CoinEx and Stake.com). 2024: 39%, including the DMM Bitcoin theft ($305M). 2025: 64%, anchored by the Bybit hack ($1.46B), the largest single crypto theft on record. 2026 through April: 76%, on KelpDAO ($292M) and Drift Protocol ($285M).
What the curve does not capture is the operational asymmetry. The same TRM data set shows non-DPRK actors are responsible for roughly 97% of incidents but only 24% of dollar losses in 2026 — meaning ordinary attackers continue to ply low-yield DeFi exploits while a single state actor is responsible for nearly every catastrophic-scale event. The implication for defenders is structural: incident-response capability needs to be calibrated for state-grade adversaries, not for the long tail of opportunistic exploits. Most protocol security budgets are still calibrated for the latter; the gap is widening, and the market has not yet repriced.
What to Watch
Three indicators over the next 60 days. OFAC/Treasury action: a public sanctions update naming addresses or intermediaries from KelpDAO/Drift would signal U.S. willingness to escalate beyond past designations. Insurance repricing: DeFi protocol insurance premiums (Nexus Mutual, Sherlock) are the cleanest market signal; another 20–30% premium hike is the implied response. Bridge migrations: announcements from Ethereum L2s and Solana ecosystem teams to deprecate single-verifier bridges in favor of ZK or multi-prover designs. Watch trmlabs.com/insights and OFAC SDN updates for confirmation.
How we report: This article cites primary sources, regulatory filings, and on-chain data where available. BlockAI News uses AI tools to assist with research and first-draft generation; every article is reviewed and edited by a human editor before publication.