State-backed North Korean hacking groups stole $643 million in cryptocurrency during the first half of 2026, representing 66% of all digital asset theft this year. The losses fund Pyongyang’s nuclear weapons program, with the total market haul reaching $972 million across a record 207 incidents.

Two attacks in April accounted for $577 million of the total. On April 1, the Drift Protocol lost roughly $285 million in twelve minutes after attackers compromised protocol signers in a social engineering operation. Seventeen days later, KelpDAO suffered a $292 million loss through a LayerZero bridge exploit, an attack attributed to the Lazarus subgroup TraderTraitor.

The $972 million in total losses represents a decline from the $2.3 billion stolen in the same period of 2025, but the 207 incidents set a record. Attackers are shifting strategy toward targeted infrastructure strikes on DeFi protocols and cross-chain bridges. Stolen funds remain largely unrecovered as operators use mixers and bridging services to launder assets.

North Korean state-backed groups have accumulated over $6 billion in crypto thefts since 2017. The Lazarus Group has evolved from crude exchange hacks into an operation deploying custom malware, supply chain compromises, and deep protocol architecture knowledge.

For investors, the concentration of losses exposes critical weaknesses in signer security and bridge infrastructure. Anyone committing significant capital to decentralized platforms should demand clarity on multisig configurations, operational security practices, and recent audits that model state-sponsored threats.