North Korea-linked hacks account for 76% of 2026 crypto losses

North Korea-linked hackers extracted about $577 million in crypto through April 2026 — 76% of global hack losses — led by April’s KelpDAO ($292M) and Drift ($285M) attacks, TRM Labs reported.
TRM Labs reported that actors linked to North Korea extracted roughly $577 million in cryptocurrency through April 2026, equal to about 76% of global crypto hack losses in that period. Two April incidents — a $292 million exploit of KelpDAO and a $280 million attack on Drift Protocol — accounted for the bulk of those losses.

In its report, TRM attributed the KelpDAO breach to an operation known as TraderTraitor. The firm reported that attackers exploited a single-verifier design in a LayerZero bridge by compromising RPC infrastructure and manipulating cross-chain validation. The attackers forced verification to fail over to compromised nodes and drained about 116,500 rsETH. After partial freezes were applied on Arbitrum, the funds moved through cross-chain infrastructure including THORChain, with subsequent swaps into Bitcoin handled mainly by intermediaries in China, the report notes.

TRM’s analysis traced the Drift attack to a separate North Korea-linked subgroup. Investigators documented months of in-person meetings between North Korean proxies and Drift personnel and preparatory activity beginning as early as March 11. The attackers established durable nonce accounts on Solana and induced members of Drift’s Security Council multisig to pre-authorize transactions. Days after the protocol migrated to a new 2-of-5 multisig configuration with no timelock, the intruders executed 31 pre-signed withdrawals on April 1 in a concentrated run lasting roughly 12 minutes. Those assets were bridged to Ethereum and have remained largely inactive since.

The report shows a rising share of global crypto theft attributed to North Korea-linked groups. TRM’s timeline places that share below 10% in 2020–21, then at 22% in 2022, 37% in 2023, 39% in 2024 and 64% in 2025. Cumulative attributed theft since 2017 exceeds $6 billion. TRM identified a $1.46 billion breach of the Bybit exchange in 2025 as a turning point after which elite groups focused on fewer, higher-value attacks against bridges, multisignature governance setups and cross-chain validation systems.

The report describes different laundering patterns across the two groups. One group tied to the Drift incident bridged funds to Ethereum and left them largely dormant, a pattern the analysis says may indicate plans for staged cashouts over months or years. The TraderTraitor-linked actors associated with KelpDAO moved funds more rapidly through cross-chain swaps into Bitcoin, relying on third-party intermediaries for parts of the laundering process.

TRM outlined several monitoring and compliance priorities for industry participants, including tracking THORChain-linked flows from compromised bridge environments, implementing multi-hop tracing across bridge infrastructure, and screening Solana governance deposit paths that use durable nonce transactions. The firm also cited Beacon Network participation across exchanges and decentralized finance protocols as a way to accelerate cross-platform alerts once addresses tied to North Korea-linked operations are identified.

Attribution for the Drift subgroup remains under investigation, and technical forensics in the report detail the methods used in both April attacks and the subsequent cross-chain movement of funds.
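
The durable-nonce screening that TRM lists among its monitoring priorities can be prototyped as below. This is an added example, not code from TRM's report or from this article: it flags transactions whose first instruction is the System program's AdvanceNonceAccount (the marker of a durable-nonce transaction) and groups those that land close together, as the pre-signed Drift withdrawals did. The sample transactions, placeholder account names, time window and threshold are constructed assumptions.

```python
# Added example (not from the report): screen Solana transactions for durable-nonce use.
SYSTEM_PROGRAM = "11111111111111111111111111111111"
ADVANCE_NONCE = (4).to_bytes(4, "little")  # SystemInstruction::AdvanceNonceAccount
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(s):  # instruction data is base58 in the RPC "json" encoding
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    pad = len(s) - len(s.lstrip("1"))  # each leading '1' is a zero byte
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def uses_durable_nonce(tx):
    """True when the first instruction is the System program's AdvanceNonceAccount."""
    msg = tx["transaction"]["message"]
    if not msg["instructions"]:
        return False
    first = msg["instructions"][0]
    program = msg["accountKeys"][first["programIdIndex"]]
    return program == SYSTEM_PROGRAM and b58decode(first["data"])[:4] == ADVANCE_NONCE

def nonce_bursts(txs, window_s=900, min_count=3):
    """Group durable-nonce transactions landing within window_s of the group's first."""
    hits = sorted((t for t in txs if uses_durable_nonce(t)), key=lambda t: t["blockTime"])
    bursts, cur = [], []
    for t in hits:
        if cur and t["blockTime"] - cur[0]["blockTime"] > window_s:
            if len(cur) >= min_count:
                bursts.append(cur)
            cur = []
        cur.append(t)
    if len(cur) >= min_count:
        bursts.append(cur)
    return bursts

def _tx(block_time, program, data):
    # Constructed sample shaped like a getTransaction result; account keys are placeholders.
    keys = ["SIGNER_PLACEHOLDER", "NONCE_ACCOUNT_PLACEHOLDER", program]
    ix = {"programIdIndex": 2, "accounts": [1, 0], "data": data}
    return {"blockTime": block_time, "transaction": {"message": {"accountKeys": keys, "instructions": [ix]}}}

SAMPLE = [
    _tx(1000, SYSTEM_PROGRAM, "6vx8P"),  # bytes 04 00 00 00 = AdvanceNonceAccount
    _tx(1200, SYSTEM_PROGRAM, "6vx8P"),
    _tx(1300, "ComputeBudget111111111111111111111111111111", "K1FDJ7"),  # ordinary tx
    _tx(1500, SYSTEM_PROGRAM, "3xyZh"),  # System instruction, but not a nonce advance
    _tx(1600, SYSTEM_PROGRAM, "6vx8P"),
    _tx(9000, SYSTEM_PROGRAM, "6vx8P"),  # isolated, below min_count
]
```

A durable-nonce transaction on its own is legitimate (offline and custodial signing rely on it), so a hit is a reason to review who holds the nonce authority and what the pre-signed instructions do, not a verdict.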