North Korean Hackers Stole 76% of All Crypto Lost to Hacks in 2026

North Korean hackers have stolen nearly three-quarters of all cryptocurrency taken by cybercriminals globally so far this year, according to a new report from blockchain intelligence firm TRM Labs.

The two incidents-a $285 million breach of Drift Protocol on April 1 and a $292 million exploit of Kelp DAO on April 18-together account for 76% of all crypto hack losses tracked through April, despite representing just 3% of the total number of incidents recorded.

All told, TRM Labs estimates that North Korean-linked hackers have swiped over $6 billion from crypto protocols and projects since 2017.

Pyongyang's share of total crypto hack losses has grown from under 10% in 2020 to 76% in 2026 through April-the highest sustained share on record.

The Drift Protocol attack involved months of in-person meetings between North Korean proxies and Drift employees. The attackers exploited a Solana feature called a durable nonce, draining $285 million in about 12 minutes.

The Kelp DAO attack compromised internal RPC nodes and launched a denial-of-service attack, forcing a bridge's single verifier to rely on poisoned data. Approximately $292 million was drained from the Ethereum bridge contract.

The stolen funds were converted to Bitcoin primarily through THORChain, a cross-chain liquidity protocol with no know-your-customer requirement.