North Korea’s Crypto Heists: How Two Attacks Stole the Majority of 2026 Loot

North Korea | Fri May 01 2026
North Korea’s cyber gang has taken a huge chunk of the crypto world’s losses this year. In April alone, two carefully planned attacks removed almost three‑quarters of all the money that hackers have pulled from digital wallets so far in 2026.
The first hit was on a platform called Drift Protocol on April 1. The thieves had spent months building trust with people inside the company, a move that is unusual for North Korean hackers. They used a feature of the Solana blockchain that lets a transaction be signed ahead of time and sent later. On the day of the attack, they pushed through 31 withdrawals in just about 12 minutes, taking out real coins such as USDC and JLP. The stolen money was then shifted to Ethereum, where it sat idle for a while.
The second attack happened on April 18 against Kelp DAO. This time the attackers broke into two internal nodes and then overloaded external ones with a denial‑of‑service attack. As a result, the bridge’s only verifier received false data and accepted that a certain amount of coins had been burned on another chain when they had not. This trick let the hackers drain about 116,500 rsETH—worth roughly $292 million—from a bridge contract that was meant to move tokens between chains.
These two incidents alone account for 76 percent of all crypto theft tracked by TRM Labs up to April, even though they represent only 3 percent of the total number of attacks recorded. Since 2017, North Korean‑linked hackers have stolen more than $6 billion from crypto projects. Their share of the total crypto theft has grown steadily: under 10 percent in 2020–21, rising to 22 percent in 2022, 37 percent in 2023, 39 percent in 2024, and 64 percent in 2025. The current figure of 76 percent is the highest share ever seen.
After the Kelp DAO theft, an emergency action by the Arbitrum Security Council froze about $75 million of the stolen funds still on the network. That move prompted a quick money‑laundering response: roughly $175 million in ETH was swapped to Bitcoin, mostly via THORChain, a cross‑chain protocol that does not require identity verification. THORChain handled most of the proceeds from both the Bybit breach in 2025 (the largest theft ever, over $1.4 billion) and the Kelp DAO hack in 2026, converting large sums of stolen ETH into Bitcoin without any operator stopping the transfers.
Experts say that North Korean hackers are improving their techniques. They may now be using artificial‑intelligence tools to plan attacks and to carry out social engineering more precisely. The level of detail in the Drift Protocol breach—weeks of targeted manipulation of complex blockchain mechanisms—suggests a new focus on high‑precision, low‑frequency operations that can avoid detection.
https://localnews.ai/article/north-koreas-crypto-heists-how-two-attacks-stole-the-majority-of-2026-loot-c3d4976e
