North Korean state-backed hackers have stolen more than $6 billion in cryptocurrency since 2017, accounting for 76% of all crypto hack losses in 2026. The groups, including Lazarus and DPRK, drained $577 million from DeFi platforms in April alone. TRM Labs highlighted a shift to sophisticated tactics, including in-person social engineering.
North Korean hackers linked to Pyongyang have amassed over $6 billion from cryptocurrency thefts since 2017, according to a TRM Labs report. The firm attributes 76% of 2026's crypto scam and hack losses (nearly $600 million) to these state-backed groups, primarily Lazarus and DPRK.

A key example is the $285 million exploit of Drift Protocol on April 19, where attackers used months-long in-person social engineering with protocol employees. “North Korean proxies sitting across a table from protocol employees over a period of months. That is, to my knowledge, unprecedented in North Korea's crypto hacking campaign,” said Ari Redbord, TRM Labs' global head of policy and government affairs. He described the operations as no longer just remote keyboard attacks but sharper and more precise. The Drift hackers converted proceeds to USDC, bridged to Ethereum, swapped to ETH, and have held them since the theft, matching DPRK's patient cashout patterns.

Other incidents underscore the escalating threat. Attackers drained $577 million from two DeFi platforms in April, while a $4.5 million Wasabi Protocol exploit involved a compromised deployer key. The $292 million KelpDAO breach, blamed on Lazarus, exploited a known flaw, triggering $13 billion in outflows from lending platforms like Aave and creating a $200 million bad-debt crisis now under industry backstop efforts.

TRM Labs noted the hackers' growing speed and sophistication, moving faster than ever in targeting crypto markets.