Blockchain intelligence firm TRM Labs reports that North Korean state-backed hackers stole approximately $577 million in 2026 — 76% of all crypto hack losses — across just two attacks: the Drift Protocol and Kelp DAO exploits.
Blockchain intelligence firm TRM Labs has put a clean number on the suspicions every DeFi security team has been muttering about since mid-April: North Korean state-backed hackers extracted approximately $577 million from crypto protocols in the first four months of 2026, equal to 76 per cent of all global hack losses over the period. The entire haul came from two attacks.
Those two attacks are the $285 million Drift Protocol drain on April 1 and the $292 million Kelp DAO exploit on April 19. Both were prepared well in advance, with the patience that distinguishes Lazarus from the rest of the threat landscape, and both targeted infrastructure rather than smart contracts — the two most expensive lessons DeFi has paid for in years.
The Drift incident is the more disturbing of the two on a tradecraft level. TRM's analysts confirmed what was previously rumoured among incident-response teams: the operation involved months of in-person social engineering, with North Korean proxies meeting Drift employees over what appears to have been a multi-week period of staged conversations and trust-building. By the time the actual drain happened, the attacker had pre-signed 31 withdrawal transactions and could execute them in sequence within roughly 12 minutes. Twelve minutes is the entire window in which a competent on-call engineer could have noticed and intervened. Nobody did.
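The twelve-minute window above is exactly what a withdrawal-velocity monitor is meant to shrink. The following is an added illustration, not Drift's telemetry or code: it parses a handful of constructed withdrawal log lines (the format, addresses, amounts and thresholds are all assumptions) and raises an alert when a signer pushes more withdrawals, or more value, through a sliding window than the protocol's normal operations ever do, and separately whenever funds leave for a destination the treasury has never paid before.

```python
"""Sliding-window withdrawal velocity monitor (added example; constructed data).
The log format, signer/destination labels and thresholds are assumptions."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log lines: two routine payouts, then a burst of large withdrawals
# to destinations that have never appeared before.
SAMPLE_LOG = """\
2026-04-01T03:10:02Z withdraw signer=0xOPS dest=0xMM-DESK amount=150000
2026-04-01T03:41:17Z withdraw signer=0xOPS dest=0xMM-DESK amount=80000
2026-04-01T04:12:00Z withdraw signer=0xOPS dest=0xNEW-A amount=900000
2026-04-01T04:12:23Z withdraw signer=0xOPS dest=0xNEW-B amount=950000
2026-04-01T04:12:51Z withdraw signer=0xOPS dest=0xNEW-C amount=1100000
2026-04-01T04:13:30Z withdraw signer=0xOPS dest=0xNEW-D amount=1400000
"""

@dataclass(frozen=True)
class Event:
    ts: datetime
    signer: str
    dest: str
    amount: int  # assumed to be in whole USDC

def parse(log: str) -> list:
    """Parse '<iso-ts> withdraw key=value ...' lines into Event records."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, kind, *pairs = line.split()
        if kind != "withdraw":
            continue
        f = dict(p.split("=", 1) for p in pairs)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            f["signer"], f["dest"], int(f["amount"])))
    return events

def detect(events, window=timedelta(minutes=10), max_count=3,
           max_total=3_000_000, known_dests=frozenset()) -> list:
    """Return alerts as tuples. A 'burst' fires once when the trailing window
    first exceeds max_count withdrawals or max_total value; 'new_destination'
    fires the first time an address outside known_dests receives funds."""
    alerts, recent, seen, in_burst = [], deque(), set(known_dests), False
    for e in events:
        recent.append(e)
        while recent and e.ts - recent[0].ts > window:  # drop events outside the window
            recent.popleft()
        if e.dest not in seen:
            alerts.append(("new_destination", e.ts, e.dest))
            seen.add(e.dest)
        count, total = len(recent), sum(x.amount for x in recent)
        burst_now = count >= max_count or total >= max_total
        if burst_now and not in_burst:  # alert on the transition, not on every event
            alerts.append(("burst", e.ts, count, total))
        in_burst = burst_now
    return alerts

def run_sample() -> list:
    # Only the market-maker desk is an approved destination in this constructed setup.
    return detect(parse(SAMPLE_LOG), known_dests={"0xMM-DESK"})

if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

The point of alerting on the transition into a burst, rather than on every withdrawal, is that the page operator gets one unambiguous signal at minute three of the drain instead of thirty identical ones; pairing it with a never-before-seen-destination check catches the case where the attacker spaces transactions out enough to stay under the rate threshold.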
The Kelp DAO operation took a different shape. Attackers compromised RPC infrastructure providing data to a single-verifier configuration in a LayerZero bridge, then forced verification to fail over to compromised nodes. The result was a cross-chain validation pipeline that signed off on transfers that had no business being signed off on. Roughly 116,500 rsETH was drained before the bridge could be paused. LayerZero's post-mortem, published the day after the attack, attributed the breach to Lazarus and pointed to the single-verifier setup as the root cause. Neither finding makes Kelp's choice of bridge configuration look better in hindsight.
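To make the single-verifier root cause concrete, here is an added model of a cross-chain verification pipeline; it is not LayerZero's, Kelp's or any bridge's real code, and the verifier names, endpoints, message layout and amounts are constructed. A verifier reads the source chain through an ordered list of RPC endpoints and fails over to the next when one stops answering; the configuration with one verifier accepts whatever its fallback endpoint serves, while a 2-of-3 quorum of independently provisioned verifiers rejects the same forged message and fails closed on any disagreement.

```python
"""Single-verifier versus quorum verification of a cross-chain message
(added example; not a real bridge's code). Names and values are constructed."""
from dataclasses import dataclass
from typing import Callable, Optional
import hashlib

@dataclass(frozen=True)
class Message:
    src_chain: str
    nonce: int
    recipient: str
    amount: int  # base units, constructed

    def digest(self) -> str:
        raw = f"{self.src_chain}|{self.nonce}|{self.recipient}|{self.amount}"
        return hashlib.sha256(raw.encode()).hexdigest()

# An RPC endpoint answers "which message did the source chain emit under this
# nonce?" with the message digest, or None when the endpoint is unreachable.
Endpoint = Callable[[str, int], Optional[str]]

def honest_endpoint(ledger: dict) -> Endpoint:
    def query(src_chain: str, nonce: int) -> Optional[str]:
        m = ledger.get((src_chain, nonce))
        return m.digest() if m else None
    return query

def dead_endpoint() -> Endpoint:
    return lambda src_chain, nonce: None  # knocked offline; forces failover

def forging_endpoint(forged: Message) -> Endpoint:
    return lambda src_chain, nonce: forged.digest()  # serves the attacker's message

class Verifier:
    """One verifier with ordered RPC endpoints; fails over on no answer."""
    def __init__(self, name: str, endpoints):
        self.name, self.endpoints = name, list(endpoints)

    def report(self, src_chain: str, nonce: int) -> Optional[str]:
        for ep in self.endpoints:
            d = ep(src_chain, nonce)
            if d is not None:
                return d
        return None

def verify(claimed: Message, verifiers, threshold: int) -> dict:
    """Accept `claimed` only if at least `threshold` verifiers report its digest
    and no verifier reports a different one (disagreement fails closed)."""
    want, agree, disagree, silent = claimed.digest(), [], [], []
    for v in verifiers:
        got = v.report(claimed.src_chain, claimed.nonce)
        if got is None:
            silent.append(v.name)
        elif got == want:
            agree.append(v.name)
        else:
            disagree.append(v.name)
    return {"accepted": len(agree) >= threshold and not disagree,
            "agree": agree, "disagree": disagree, "silent": silent}

def scenario() -> dict:
    real = Message("ethereum", 7, "0xALICE", 1 * 10**18)
    ledger = {("ethereum", 7): real}               # what the source chain actually emitted
    forged = Message("ethereum", 7, "0xATTACKER", 100_000 * 10**18)
    # Same failure on dvn-1 in both configurations: primary RPC dead, fallback compromised.
    compromised = lambda: Verifier("dvn-1", [dead_endpoint(), forging_endpoint(forged)])
    single = [compromised()]
    quorum = [compromised(),
              Verifier("dvn-2", [honest_endpoint(ledger)]),
              Verifier("dvn-3", [honest_endpoint(ledger)])]
    all_honest = [Verifier(n, [honest_endpoint(ledger)]) for n in ("dvn-1", "dvn-2", "dvn-3")]
    return {
        "single_forged": verify(forged, single, threshold=1),
        "quorum_forged": verify(forged, quorum, threshold=2),
        "quorum_real": verify(real, quorum, threshold=2),
        "all_honest_real": verify(real, all_honest, threshold=2),
    }

if __name__ == "__main__":
    for name, result in scenario().items():
        print(name, result)
```

Note the deliberate trade-off in `verify`: once one verifier is compromised, the quorum refuses the genuine message as well, because a disagreement between verifiers is itself the signal that something is wrong with the infrastructure and the bridge should pause rather than guess which side to trust.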
The 76 per cent share is itself the headline TRM wanted everyone to read, but the trajectory matters more. North Korea's share of global crypto hack losses sat below 10 per cent in 2020 and 2021. It rose to 22 per cent in 2022, 37 per cent in 2023, hovered in the 50 per cent range through 2024 and 2025, and now stands at three-quarters. The total stolen by DPRK-linked groups since 2017 has crossed $6 billion. Most of that money has been recycled into the regime's weapons programme, a fact acknowledged in U.N. panel-of-experts reports for the past four years and no longer politely glossed over. The $1.4 billion Bybit drain in February 2025 — the largest single crypto theft in history, also attributed to Lazarus — sits in this same operational pattern. The group's most lucrative work is not a sideline; it is a state revenue line.
What's changed in 2026 is precision rather than volume. TRM is at pains to point out that North Korea is not running more attacks — only three of the year's hack incidents through April are attributed to the group, against a total of more than thirty distinct exploits. They are picking targets, investing months of preparation, and going home with the kind of nine-figure haul that smaller threat actors cannot dream of. The arithmetic of running a state-sponsored hacking operation has moved from spray-and-pray phishing campaigns to long-con infiltrations of well-funded protocols. The reason is brutally simple: the per-attack reward is now in the hundreds of millions, and the operational cost of a months-long social-engineering operation against a fifty-person DeFi team is a small fraction of the proceeds.
The laundering paths are diverging in interesting ways. The Drift attackers, according to TRM's chain-analysis team, bridged the bulk of the stolen capital to Ethereum and have left it largely inactive. That pattern is consistent with what Chainalysis and Elliptic have documented across previous DPRK heists: a multi-month dormancy phase, then a structured cashout through coin mixers, OTC desks willing to ignore sanctions, and Chinese-language P2P marketplaces. The Kelp attackers are moving faster, swapping rsETH-derived assets through THORChain into bitcoin and then pushing the proceeds through a more traditional Lazarus laundering pipeline. Both approaches have worked before. Both will probably work again.
What this report should do, but probably will not, is force a change in how DeFi protocols think about non-cryptographic security. The security model of the typical Solana or LayerZero-connected protocol holds up against on-chain adversaries — flashloan attacks, oracle manipulation, signature replays. It does not hold up against an attacker who spends three months befriending an engineer in a co-working space, or who pays a bribe to a regional ISP to MITM an RPC endpoint. Smart-contract audits do not catch those vectors. They never did.
The DeFi industry has spent the past month organising the $303 million DeFi United coalition to absorb Aave's exposure to the Kelp DAO bad debt and prevent a contagion event. That is a creditable response to the consequence of the attack. It does not address the cause. As long as the attackers are willing to invest more operational effort than the defenders, and the proceeds keep growing, North Korea's share of next year's number will not go down. Any honest read of TRM's report ends with that uncomfortable conclusion. The report ends there too.