North Korea Stole 76% of All Crypto Hack Value in 2026 — With Just Two Attacks

In 2026, North Korean hackers executed two major attacks, resulting in an astonishing 76% of total cryptocurrency thefts, raising alarms in the crypto community.

It's hard to believe, but as of April 30, 2026, North Korean hackers have orchestrated two attacks that have resulted in a staggering **76%** of all cryptocurrency thefts this year. This eyebrow-raising statistic sets a troubling tone for the crypto community, further fueled by the sheer size and sophistication of these breaches.

How Did North Korea Execute Such Major Attacks?

The two attacks responsible for this astounding figure are the **Drift Protocol** breach on April 1 and the **KelpDAO** hack on April 18. Together, they account for approximately **USD 577 million**, with Drift Protocol losing **USD 285 million** and KelpDAO suffering a loss of **USD 292 million**.

It wasn't merely brute force behind these thefts; extensive planning and sophistication were at play. The Drift Protocol hack involved a meticulous three-week pre-attack staging phase, entailing months of social engineering to manipulate protocol signers. This sophistication culminated in the actual theft, which occurred in a matter of **12 minutes**.

What Makes KelpDAO's Hack Particularly Worrisome?

On the other hand, the KelpDAO attack exploited a **single-verifier design flaw** within a LayerZero bridge, demonstrating another level of technical prowess. Following the hack, hackers managed to launder their stolen assets through **THORChain**, after **USD 75 million** of the assets was frozen on the Arbitrum network. In contrast to Drift, which launched a brief speedrun to Ethereum, KelpDAO pivoted to Bitcoin, now undergoing a typical TraderTraitor liquidation process.

Which Tools Are Being Used for Laundering the Stolen Crypto?

THORChain has emerged as a consistent choice for North Korean hackers, serving as a critical bridge for both the **Bybit** breach in 2025 and the KelpDAO hack in 2026. This decentralized platform has enabled hackers to convert hundreds of millions of stolen **ETH** into Bitcoin effortlessly, as no operator has been willing to freeze or reject the transactions. The implications are significant, raising questions about the security protocols in place at platforms like THORChain.

What's the Bigger Picture of North Korea's Hacking Strategy?

Since 2017, North Korean hacking groups have amassed over **USD 6 billion** from crypto thefts. The **76%** figure for 2026 YTD represents a troubling increase from previous years, where their share was under **10%** in 2020 and 2021, steadily climbing to **64%** in 2025. The trend is clear: instead of launching numerous low-value attacks, these hackers are zeroing in on high-value targets.

Analysts have observed an intriguing shift in the technical execution of these attacks. There is speculation that North Korean operators may be employing **AI tools** to enhance their reconnaissance and social engineering tactics. This shift is exemplified by the advanced strategies used in the Drift heist, marking a departure from previous attacks primarily focused on simpler methods like compromising private keys.

What Can the Crypto Community Do?

In the face of such alarming statistics and developments, the crypto community must remain vigilant. TRM Labs' **Beacon Network**, involving over 30 major exchanges and DeFi protocols, aims to facilitate immediate alerts when North Korea-linked funds reach participating institutions. The system is designed to trigger alerts before transactions can clear, thus potentially cutting off these thieves from their ill-gotten gains.

Key Takeaways

  • North Korean hackers have stolen **76%** of all crypto hack value in 2026, totaling approximately **USD 577 million** from just two attacks.
  • The Drift Protocol lost **USD 285 million**, and the KelpDAO hack resulted in a loss of **USD 292 million**.
  • THORChain has become a favored platform for laundering stolen crypto, successfully processing substantial amounts from both the Drift and KelpDAO incidents.
  • North Korea's hacking strategy is increasingly sophisticated, relying on targeted attacks rather than high-volume campaigns.
  • Participation in networks like TRM’s Beacon Network could enhance the security protocols among exchanges and DeFi platforms.

As the crypto landscape continues to evolve, traders should consider staying updated on security developments and explore competitive rates across exchanges like Bybit, which you can check out via our Bybit referral page for exclusive bonuses. Understanding these risks is crucial in safeguarding your digital assets.