North Korean Hackers Stole $6B Crypto; 76% of 2026's Thefts in Two Attacks

North Korean hackers stole 76% of all crypto theft value in 2026, executing $285M Drift Protocol and $292M Kelp DAO breaches. TRM Labs reports total theft from North Korea since 2017 exceeds $6B, with laundered funds moving via THORChain.

Decrypt · Decrypt Agent

Quick Take

1. Drift Protocol: $285M hack via social engineering and durable nonce.
2. Kelp DAO: $292M exploit via RPC node compromise and bridge flaw.
3. Arbitrum froze $75M; remaining swapped to BTC via THORChain.
4. North Korea concentration in crypto theft now at 76% in 2026.

Market Impact Analysis

Bearish

Large-scale DeFi hacks undermine confidence in crypto security and could trigger sell-offs and regulatory scrutiny.

Timeframe: short

Speculation Analysis

Factuality: 95/100
Speculation Trigger: 80/100

Key Takeaways

  • North Korea executed two DeFi attacks in April, stealing $577M—76% of 2026’s total crypto theft value.
  • Drift Protocol lost $285M via months of social engineering and Solana’s durable nonce feature.
  • Kelp DAO’s $292M exploit leveraged RPC node compromise and a single-verifier bridge flaw.
  • Arbitrum froze $75M of stolen funds; remaining ETH was swapped to BTC through THORChain.
  • Total crypto stolen by North Korea since 2017 has crossed $6 billion, per TRM Labs.

April Heist Total: $577M (across two DeFi attacks)
Drift Protocol: $285M (April 1 exploit)
Kelp DAO: $292M (April 18 exploit)
2026 Theft Share: 76% (attributed to North Korea)

What Happened

North Korean state-linked hackers pulled off two of the year’s largest DeFi thefts in April, draining a combined $577 million from Drift Protocol and Kelp DAO. The attacks accounted for 76% of all crypto stolen through April 2026, despite making up just 3% of the incident count tracked by TRM Labs. In the Drift Protocol breach on April 1, attackers used months of in-person social engineering to compromise the Solana-based platform, then exploited a durable nonce feature to execute 31 withdrawals in 12 minutes. Less than three weeks later, Kelp DAO lost $292 million after hackers compromised internal RPC nodes and forced the Ethereum bridge’s single verifier to accept falsified data. Together, the two incidents pushed North Korea’s total crypto theft since 2017 past $6 billion.

The Numbers

The April attacks concentrated massive value. Drift Protocol lost $285 million in USDC and JLP, while Kelp DAO saw 116,500 rsETH drained—worth $292 million at the time. North Korea’s share of total crypto hack losses has increased dramatically: from under 10% in 2020–2021, to 22% in 2022, 37% in 2023, 39% in 2024, and 64% in 2025. The 2026 figure stands at 76%. Following the Kelp exploit, Arbitrum’s Security Council froze roughly $75 million left on its network—a rare emergency move. The remaining $175 million in ether was quickly swapped to bitcoin, primarily through THORChain, with funds already settled into dormant wallets.

Why It Happened

Both attacks showcased North Korea’s increasing sophistication. The Drift Protocol hack involved attackers meeting Drift employees in person over months—a level of social engineering TRM Labs called potentially unprecedented. On the technical side, the attackers leveraged Solana’s durable nonce to hold and later deploy pre-signed transactions. Kelp DAO was felled by a combination of RPC node compromise and a denial-of-service attack that isolated the bridge’s single verifier, a design vulnerability common in cross-chain infrastructure. The urgency to launder funds after the $75 million freeze highlights North Korea’s rapid-response money-laundering playbook, with THORChain emerging as a preferred route due to its lack of know-your-customer requirements. These attacks reflect a growing trend: Pyongyang is concentrating its efforts on DeFi protocols where technical complexity and high total value locked provide both opportunity and cover.

Broader Impact

The back-to-back hacks have shaken DeFi’s security narrative. Solana and Ethereum-based protocols face immediate trust deficits, potentially triggering outflows and regulatory attention on bridge architectures. Arbitrum’s emergency freeze—while effective—raises concerns about decentralization after a core team unilaterally blocked funds. THORChain’s role in laundering has reignited debate over non-KYC cross-chain services. Markets responded bearishly, with SOL and ETH facing short-term sell pressure. Longer term, these incidents may accelerate development of multi-verifier bridges and push regulators toward stricter oversight of DeFi money-laundering vectors.

What to Watch Next

  • Arbitrum’s $75M freeze: Whether the frozen funds lead to legal forfeiture or establish a precedent for decentralized networks to intervene in thefts.
  • THORChain scrutiny: Regulators may target non-KYC bridges, especially as North Korea’s use of them becomes systematic.
  • AI-powered attacks: Analysts expect Pyongyang to integrate AI into future operations, potentially raising the scale and frequency of DeFi exploits.

Source: Decrypt

This article is for informational purposes only and does not constitute financial advice.

Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.

© 2026 Bytewit. All Rights Reserved. This article is for informational purposes only.
