01.05.2026 13:38
North Korean cyber‑crime groups delivered the most severe blow to the cryptocurrency world in the first third of 2026, absconding with a staggering $577 million. The figure represents roughly 76 % of all thefts recorded worldwide during that period, according to a recent investigation by TRM Labs. The bulk of the loss stems from two high‑profile attacks in April: one against the DRIFT protocol, which cost victims $285 million, and another targeting KelpDAO, resulting in a $292 million haul. Although these two incidents account for only about 3 % of the total number of hacks reported this year, the sheer scale of the stolen assets is unprecedented.
The assault on DRIFT was carried out by a faction of North Korean hackers distinct from the Lazarus‑linked group known as TraderTraitor. For several months the perpetrators maintained covert communications with employees of the protocol, gathering insider knowledge that would later prove decisive. Beginning in mid‑March, they set up persistent nonce accounts on the Solana blockchain, silently preparing the groundwork for the breach. When DRIFT’s Security Council altered its signing threshold to a 2‑of‑5 model on April 1, the attackers instantly exploited the change, executing 31 pre‑signed transactions that emptied the vaults in just twelve minutes. The stolen crypto was swiftly bridged to Ethereum, where it was frozen pending further investigation. In the aftermath, both Upbit and Bithumb removed DRIFT from their listings, tightening liquidity and amplifying price volatility for the token and its futures contracts. Analysts note that the primary targets of the operation were cross‑chain bridges, multisignature wallets, and other inter‑protocol infrastructure, with suspicious flows later detected on THORChain and within Solana’s governance pathways.
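The DRIFT sequence described above (nonce accounts staged weeks ahead, a signing-threshold change, then a burst of pre-signed transactions) can be expressed as a monitoring rule. The Python below is an added example, not code from TRM Labs or DRIFT; the event schema, field names and thresholds are assumptions, and the sample events are constructed from the article's timeline.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)      # how long after a threshold change to watch (assumed)
MIN_NONCE_AGE = timedelta(days=7)   # a nonce account at least this old counts as staged (assumed)
BURST = 5                           # staged-nonce transactions needed to alert (assumed)

def detect_staged_nonce_bursts(events):
    """Return one alert per multisig threshold change that is followed, within
    WINDOW, by at least BURST transactions using long-lived durable nonces."""
    nonce_created = {}   # nonce account -> creation time
    changes = []         # (threshold-change event, matching transactions)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "nonce_account_created":
            nonce_created[ev["nonce_account"]] = ev["ts"]
        elif ev["kind"] == "threshold_changed":
            changes.append((ev, []))
        elif ev["kind"] == "tx_executed":
            created = nonce_created.get(ev.get("nonce_account"))
            if created is None or ev["ts"] - created < MIN_NONCE_AGE:
                continue  # no known durable nonce, or nonce too young to be staged
            for change, hits in changes:
                if (change["multisig"] == ev["multisig"]
                        and timedelta(0) <= ev["ts"] - change["ts"] <= WINDOW):
                    hits.append(ev)
    return [
        {"multisig": c["multisig"], "changed_at": c["ts"], "new_threshold": c["new"],
         "tx_count": len(h), "span": h[-1]["ts"] - h[0]["ts"]}
        for c, h in changes if len(h) >= BURST
    ]

def sample_events():
    """Constructed events shaped like the DRIFT timeline in the article."""
    t0 = datetime(2026, 4, 1, 12, 0)  # time of day is made up
    evs = [{"ts": datetime(2026, 3, 15), "kind": "nonce_account_created",
            "nonce_account": f"nonce-{i}"} for i in range(31)]
    evs.append({"ts": t0, "kind": "threshold_changed", "multisig": "council", "new": "2-of-5"})
    # 31 transactions spread over twelve minutes, each consuming a staged nonce
    evs += [{"ts": t0 + timedelta(seconds=24 * i), "kind": "tx_executed",
             "multisig": "council", "nonce_account": f"nonce-{i}"} for i in range(31)]
    # benign: a transaction with no durable nonce, and one on an unrelated multisig
    evs.append({"ts": t0 + timedelta(minutes=1), "kind": "tx_executed",
                "multisig": "council", "nonce_account": None})
    evs.append({"ts": t0 + timedelta(minutes=2), "kind": "tx_executed",
                "multisig": "treasury", "nonce_account": "nonce-0"})
    return evs

if __name__ == "__main__":
    for alert in detect_staged_nonce_bursts(sample_events()):
        print(alert)
```

The rule keys on nonce age because a durable nonce keeps a signed Solana transaction valid until the nonce is advanced, so old nonce accounts consumed right after a governance change are the signal worth paging on.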
The KelpDAO compromise involved a different tactic: the attackers leveraged the single‑validator architecture of the LayerZero bridge, executing an RPC (remote procedure call) hack to seize control. Once inside, they routed the illicit funds through THORChain, converting them into Bitcoin before moving the proceeds to Chinese intermediaries after the Arbitrum network froze the assets. This maneuver underscores a growing pattern in which North Korean actors exploit vulnerabilities in cross‑chain bridges and decentralized finance (DeFi) protocols to launder and relocate stolen capital.
North Korea’s share of global crypto thefts has surged dramatically over the past few years: under 10 % in 2020‑2021, it reached 64 % of all reported losses by the close of 2025, with cumulative damages now measured in billions of dollars. The recent attacks have reignited concerns about the security of emerging blockchain ecosystems, prompting calls for more robust multi‑signature safeguards, enhanced monitoring of bridge activity, and tighter coordination among exchanges to mitigate the fallout from such large‑scale breaches.