North Korean government-backed hackers are evolving. TRMLabs reports that North Korean state-backed hackers now account for 76% of all crypto scam and hack losses in 2026, stealing nearly $600 million this year alone. Since 2017, they have stolen over $6 billion.

The $285 million Drift Protocol exploit involved an unprecedented in-person social engineering attack. North Korean proxies met with Drift employees face-to-face over several months before executing the theft.

"This is no longer just a remote keyboard operation," said Ari Redbord, Global Head of Policy and Government Affairs at TRMLabs. "North Korea is moving faster and more precisely than ever."

In the Drift case, hackers converted proceeds to USDC, bridged to Ethereum, swapped into ETH, and have not moved the funds since the theft, consistent with the DPRK's patient, multi-year cashout pattern.

Meanwhile, the $292 million KelpDAO breach used a different playbook. Hackers exploited a known single-verifier flaw that LayerZero had repeatedly warned against, then laundered funds through THORChain and Umbra using Chinese intermediaries.

The KelpDAO exploit triggered a $13 billion DeFi wipeout, with Aave losing $8.54 billion in deposits and facing a $200 million bad-debt crisis. Industry participants have pledged $300 million to help Aave recover.