North Korean Hackers Seized 76 Percent of Crypto Funds
BTC
+1.41%
ETH
+0.69%
XTZ
-0.33%
ERG
+1.32%
XRP
+0.64%
ZIL
+0.38%
North Korean state-sponsored threat actors have cemented their dominance over the illicit cryptocurrency landscape, seizing a record-breaking percentage of stolen digital assets through the first four months of 2026. This surge in activity underscores a shift toward high-value, surgical strikes against decentralized finance infrastructure.

North Korean Groups Account for 76 Percent of Total Crypto Hack Losses

A recent report by TRM Labs reveals that North Korean hacking syndicates were responsible for 76% of all crypto-related theft between January and April 2026. This staggering figure is not the result of a high volume of small-scale attacks, but rather the consequence of two massive, highly targeted operations.

These two incidents combined for approximately $577 million in stolen funds. Despite representing less than 3% of the total number of crypto security incidents recorded during the same period, these specific attacks accounted for the overwhelming majority of the total stolen value.

Drift Protocol and KelpDAO Exploits Drive 2026 Financial Losses

The first major breach occurred on April 1, when attackers successfully compromised the Drift Protocol. This operation involved months of sophisticated social engineering to compromise protocol signers and approximately three weeks of technical staging, ultimately draining the funds in a rapid 12-minute window.

The second major event took place on April 18, targeting a bridge connected to KelpDAO. According to analysts, the exploit centered on a vulnerability within a single-verifier design implemented in a LayerZero bridge. Following the theft, attackers attempted to launder the proceeds through THORChain after over $75 million was frozen on the Arbitrum network.

Accelerating Trends in State-Sponsored Cybercrime

Historical data indicates that North Korea’s share of global crypto hack losses has been rising steadily for years. The progression of their market share of stolen value is as follows:

  • 2020-2021: Less than 10%
  • 2022: 22%
  • 2023: 37%
  • 2024: 39%
  • 2025: 64%
  • 2026 (YTD): 76%

This upward trajectory signals that the strategy of executing fewer, but significantly larger, attacks is becoming increasingly effective for these threat actors. The current 76% figure represents the highest sustained share on record, confirming an accelerating trend of targeted aggression against digital asset protocols.

Broad Implications for Decentralized Finance Security

The broader ecosystem is feeling the pressure from these high-profile breaches. DeFiLlama, which tracks activity across the decentralized finance sector, has officially identified April 2026 as the most-hacked month in the history of the industry by total number of incidents.

These events highlight critical weaknesses in current bridge security and the ongoing challenges of asset recovery after a successful exploit. The ability of hackers to quickly move funds through decentralized mixers and cross-chain protocols remains a significant hurdle for law enforcement and security firms.

Follow Hashlytics on Bluesky, LinkedIn , Telegram and X to Get Instant Updates

RELATED ARTICLESMORE FROM AUTHOR