How North Korean spies spent months in person to get $285 million out of Drift

North Korean government-backed hackers are becoming more sophisticated and more precise, and they now account for over 76%, or nearly $600 million, of crypto losses this year alone.

The $285 million Drift Protocol exploit, for example, involved what TRMLabs describes as a lengthy, “unprecedented in-person social engineering” attack. It included months of in-person meetings between North Korean representatives and Drift employees.

“North Korean representatives sitting across a table with protocol employees over a period of months. This, as far as I know, is unprecedented in North Korea’s crypto hacking campaign,” Ari Redbord, global head of policy and government affairs at TRMLabs, told CoinDesk. “This is no longer just remote keyboard operation.”

Redbord’s comments accompany TRMLabs’ new report released on Thursday, which highlights how North Korea’s two main hacking groups, DPRK and Lazarus, are responsible for 76% of all cryptocurrency losses from hacks and exploits in 2026.

“What we are observing is not a broader North Korean campaign, but a more acute one,” Redbord said in the report. “North Korea is moving faster and more precisely than ever before.”

“Cumulative cryptocurrency theft in North Korea now exceeds $6 billion in attributed incidents since 2017,” the TRM Labs report adds.

TRMLabs’ findings are consistent with a Wasabi Protocol exploit that followed a playbook similar to the April 19 Drift hack: attackers used a compromised deployment key, unprotected by a timelock or multisignature, to drain $4.5 million.

The $292 million KelpDAO breach exploited a known single-verifier flaw that LayerZero had repeatedly warned against.

The laundering playbook differed sharply from that of the Drift exploit, according to TRMLabs. The Drift attackers converted their proceeds to USDC, bridged them to Ethereum, swapped them to ETH, and have not moved them since the day of the theft, which is consistent with the DPRK’s patient, multi-year cash-out pattern.

Instead, Lazarus took its KelpDAO proceeds and immediately laundered them through THORChain and Umbra, relying almost entirely on Chinese brokers following the well-documented TraderTraitor playbook, the report explains.

The KelpDAO exploit triggered DeFi’s biggest losses, as $13 billion left several lending platforms, most notably Aave, which lost $8.54 billion in deposits in 48 hours, leaving it with a bad debt crisis of nearly $200 that industry participants are now helping to alleviate with $300 million in pledges.
