How North Korean spies spent months personally draining $285 million from Drift

North Korean government-backed hackers are becoming more sophisticated and more precise, and now account for 76% of crypto losses to hacks and exploits this year, nearly $600 million.

The $285 million Drift Protocol exploit, for example, involved what TRM Labs describes as a lengthy and “unprecedented in-person social engineering” attack, including months of face-to-face meetings between North Korean proxies and Drift staff.

“North Korean proxies sitting across the table from protocol staff over a period of months. This is, to my knowledge, unprecedented in North Korea’s crypto-hacking campaign,” Ari Redbord, Global Head of Policy and Government Affairs at TRM Labs, told CoinDesk. “This is no longer just a keyboard remote.”

Redbord’s comments accompany a new TRM Labs report released Thursday, which attributes 76% of all crypto losses to hacks and exploits in 2026 to North Korea-linked actors, including the Lazarus Group.

“What we’re seeing is not a North Korean campaign that’s broader — it’s one that’s sharper,” Redbord said in the report. “North Korea is moving faster and more precisely than ever.”

“North Korea’s cumulative crypto theft now exceeds $6 billion attributed to incidents since 2017,” TRM Labs’ report adds.

TRM Labs’ findings coincide with a Wasabi Protocol exploit that followed a playbook similar to Drift’s April 19 hack: the attackers used a compromised deployer key, protected by neither a timelock nor a multisig, to drain $4.5 million.

The $292 million KelpDAO breach exploited a known single-verifier configuration flaw that LayerZero had repeatedly warned against.
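The two weaknesses just described, a deployer or upgrade key held by one account with no timelock or multisig behind it, and a cross-chain pathway that only one verifier (DVN) needs to attest, are both configuration mistakes a protocol can check for before an attacker does. The following Python is an added example, not code from TRM Labs, Drift, Wasabi, KelpDAO or LayerZero. The `UlnConfig` fields mirror the shape of LayerZero V2's per-pathway verification settings but the field names, the 24-hour minimum delay and the sample configurations are this example's own assumptions; the sample DVN labels are constructed, not real addresses.

```python
# Added example: offline risk checks for a single-key deployer and a
# single-verifier cross-chain configuration. Not code from any named protocol.
# Field names, the 24h policy floor and all sample data are assumptions.
from dataclasses import dataclass, field
from typing import List

MIN_TIMELOCK_SEC = 24 * 60 * 60  # assumed policy floor for an upgrade delay


@dataclass
class AdminControl:
    """Who can upgrade or re-deploy the protocol's contracts."""
    owner_is_contract: bool       # False: a single externally owned account (EOA) key
    signer_threshold: int = 1     # signatures needed; 1 for an EOA or a 1-of-n multisig
    timelock_delay_sec: int = 0   # 0: an upgrade takes effect in the same transaction


@dataclass
class UlnConfig:
    """Shape modelled on a LayerZero V2 UlnConfig for one messaging pathway."""
    confirmations: int                     # source-chain blocks to wait before attesting
    required_dvns: List[str]               # every one of these must attest
    optional_dvns: List[str] = field(default_factory=list)
    optional_dvn_threshold: int = 0        # how many optional DVNs must also attest


def admin_findings(ctl: AdminControl) -> List[str]:
    """Findings for the deployer-key weakness seen in the Drift and Wasabi incidents."""
    out = []
    if not ctl.owner_is_contract:
        out.append("deployer/upgrade key is a single EOA: one leaked key drains the protocol")
    elif ctl.signer_threshold < 2:
        out.append("multisig threshold is 1: no second approver is required")
    if ctl.timelock_delay_sec < MIN_TIMELOCK_SEC:
        out.append("no (or too short) timelock: a malicious upgrade cannot be seen and blocked first")
    return out


def min_verifiers_to_forge(cfg: UlnConfig) -> int:
    """Fewest distinct DVNs whose compromise lets a forged message pass verification.

    A message is verified once every required DVN has attested and at least
    optional_dvn_threshold of the optional DVNs have. Addresses are compared
    case-insensitively so a DVN listed twice does not count twice.
    """
    required = {a.lower() for a in cfg.required_dvns}
    optional = {a.lower() for a in cfg.optional_dvns} - required
    if cfg.optional_dvn_threshold > len(optional):
        raise ValueError("optional threshold exceeds the number of distinct optional DVNs")
    return len(required) + cfg.optional_dvn_threshold


def uln_findings(cfg: UlnConfig) -> List[str]:
    """Findings for the single-verifier weakness behind the KelpDAO breach."""
    out = []
    if len({a.lower() for a in cfg.required_dvns}) < len(cfg.required_dvns):
        out.append("duplicate required DVN addresses inflate the apparent verifier count")
    n = min_verifiers_to_forge(cfg)
    if n == 0:
        out.append("no DVNs configured: nothing verifies inbound messages")
    elif n == 1:
        out.append("single-verifier pathway: compromising one DVN forges cross-chain messages")
    if cfg.confirmations == 0:
        out.append("zero block confirmations: messages from reorged source blocks can be relayed")
    return out


def audit(ctl: AdminControl, cfg: UlnConfig) -> List[str]:
    """Combined report for one protocol deployment."""
    return admin_findings(ctl) + uln_findings(cfg)


# Constructed sample configurations (not on-chain data from any real protocol).
WEAK_ADMIN = AdminControl(owner_is_contract=False)
HARDENED_ADMIN = AdminControl(owner_is_contract=True, signer_threshold=3,
                              timelock_delay_sec=48 * 60 * 60)
WEAK_ULN = UlnConfig(confirmations=15, required_dvns=["dvn-a"])
HARDENED_ULN = UlnConfig(confirmations=15, required_dvns=["dvn-a", "dvn-b"],
                         optional_dvns=["dvn-c", "dvn-d", "dvn-e"],
                         optional_dvn_threshold=1)

if __name__ == "__main__":
    for name, ctl, cfg in (("weak", WEAK_ADMIN, WEAK_ULN),
                           ("hardened", HARDENED_ADMIN, HARDENED_ULN)):
        print(name, "->", audit(ctl, cfg) or ["no findings"])
```

The weak pair reproduces both failure modes from the text: one EOA with no delay, and one DVN whose compromise is enough to forge a message. The hardened pair needs three distinct DVNs to collude and gives operators two days to spot a queued malicious upgrade.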

The laundering playbook, however, differed sharply from Drift’s, according to TRM Labs. The Drift attackers converted their proceeds to USDC, bridged them to Ethereum, swapped them to ETH and have not moved the funds since the day of the theft, consistent with the DPRK’s patient, multi-year cash-out pattern.

Lazarus, by contrast, immediately laundered its KelpDAO proceeds through THORChain and Umbra, a process handled almost entirely by Chinese middlemen following the well-documented TraderTraitor playbook, the report explains.

The KelpDAO exploit also triggered DeFi’s biggest wipeout, with $13 billion leaving several lending platforms. Aave was hit hardest, losing $8.54 billion in deposits in 48 hours and ending up with a bad-debt crisis of nearly $200 million, which industry players are now helping to alleviate with $300 million in commitments.
