Back

North Korea Linked to 76% of 2026 Crypto Hack Losses, TRM Labs Says

According to TRM Labs and CoinDesk, North Korean spies stole $285 million from Drift Protocol through a prolonged social engineering operation involving repeated in-person meetings with employees.

Fact Check
The claim is directly and fully confirmed by TRM Labs' own official blog post ('North Korea Stole 76% of All Crypto Hack Value in 2026 — With Just Two Attacks'), which is the originating primary source. The Block provides granular corroboration: the $292M KelpDAO exploit (attributed to TraderTraitor/Lazarus via a compromised LayerZero bridge) and the $285M Drift Protocol attack (attributed to a separate North Korean subgroup via multisig governance manipulation), together totaling $577M and representing 76% of global crypto hack losses through April 2026. CoinDesk and crypto.news independently confirm the same figures. All key elements of the claim — the 76% share, the $577M figure, the TRM Labs attribution, and the two named attacks (KelpDAO and Drift Protocol) — are consistently supported across multiple authoritative sources published on April 30, 2026.
Summary

TRM Labs said North Korea-linked groups accounted for 76% of global crypto hack losses in the first four months of 2026, totaling $577 million. The report cited a $292 million attack on KelpDAO and a $285 million theft from Drift Protocol in April. New details reported by TRM Labs and CoinDesk say the Drift Protocol theft was carried out by North Korean spies through one of the largest social engineering attacks on a crypto protocol, following months of repeated in-person meetings with employees. TRM Labs also said North Korea has allegedly generated more than $6 billion from crypto theft since 2017.

Terms & Concepts
  • Social engineering: A type of attack that manipulates people rather than code or systems, often using deception to gain access to sensitive information or assets.
  • Crypto hack: A theft or exploit involving digital assets, usually through compromised private keys, smart contract flaws, or exchange security breaches.
  • TRM Labs: A blockchain analytics and compliance company that tracks illicit crypto activity and provides investigative data on crypto-related crime.