How North Korean spies spent months in person draining $285 million from Drift

North Korean government-backed hackers are becoming more sophisticated, more precise, and now account for more than 76%, or nearly $600 million, of crypto losses this year alone.

The $285 million Drift Protocol exploit, for example, involved what TRM Labs describes as a lengthy and “unprecedented in-person social engineering” attack, including months of in-person meetings between North Korean proxies and Drift employees.

“North Korean proxies sitting at a table with protocol employees for several months. This is, to my knowledge, unprecedented in North Korea’s crypto hacking campaign,” Ari Redbord, global head of policy and government affairs at TRM Labs, told CoinDesk. “It’s no longer just a simple remote keyboard operation.”

Redbord’s comments accompany a new TRM Labs report released Thursday, which finds that North Korea’s state-sponsored hacking operations, including the Lazarus Group, are responsible for 76% of all crypto losses from hacks and exploits in 2026.

“What we are seeing is not a broader North Korean campaign, but a more pointed campaign,” Redbord said in the report. “North Korea is advancing faster and more precisely than ever before.”

“North Korea’s cumulative crypto theft now exceeds $6 billion in attributed incidents since 2017,” the TRM Labs report adds.

TRM Labs’ findings coincide with a Wasabi Protocol exploit that followed a playbook similar to the April 19 Drift hack: attackers used a compromised deployment key, with neither a timelock nor a multisig standing between that key and the funds, to drain $4.5 million.
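The control that was missing on that deployment key is easiest to see side by side. The following Solidity sketch is an added illustration, not code from Drift, Wasabi Protocol or TRM Labs; the contract names, the `sweep` functions and the assumption that `owner` is a multisig wallet are mine.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (not Drift, Wasabi or TRM Labs code).
// Weak pattern: one "deployer" key can move every token in a single transaction,
// so a stolen or socially engineered key is a completed theft.
contract VaultSingleKey {
    address public deployer;

    constructor() { deployer = msg.sender; }

    receive() external payable {}

    function sweep(address payable to, uint256 amount) external {
        require(msg.sender == deployer, "not deployer");
        to.transfer(amount);            // no delay, no second signer
    }
}

// Hardened pattern: privileged withdrawals are queued, then executed only after
// `delay` seconds, and both steps must come from `owner`. `owner` is assumed to
// be a multisig, so a single compromised signer cannot queue anything alone, and
// the delay gives monitoring and the other signers time to cancel.
contract VaultTimelocked {
    address public immutable owner;     // assumption: a multisig wallet
    uint256 public immutable delay;     // seconds between queue and execute
    mapping(bytes32 => uint256) public readyAt;   // opId => earliest execution time

    event Queued(bytes32 indexed id, address to, uint256 amount, uint256 readyAt);
    event Cancelled(bytes32 indexed id);
    event Executed(bytes32 indexed id);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address multisig, uint256 delaySeconds) {
        owner = multisig;
        delay = delaySeconds;
    }

    receive() external payable {}

    // Deterministic id so queue and execute refer to exactly the same operation.
    function opId(address to, uint256 amount, bytes32 salt) public pure returns (bytes32) {
        return keccak256(abi.encode(to, amount, salt));
    }

    function queueSweep(address to, uint256 amount, bytes32 salt) external onlyOwner {
        bytes32 id = opId(to, amount, salt);
        require(readyAt[id] == 0, "already queued");
        readyAt[id] = block.timestamp + delay;
        emit Queued(id, to, amount, readyAt[id]);
    }

    // Anyone on the multisig who notices a suspicious queue entry can cancel it
    // during the delay window.
    function cancel(bytes32 id) external onlyOwner {
        delete readyAt[id];
        emit Cancelled(id);
    }

    function executeSweep(address payable to, uint256 amount, bytes32 salt) external onlyOwner {
        bytes32 id = opId(to, amount, salt);
        uint256 t = readyAt[id];
        require(t != 0 && block.timestamp >= t, "not ready");
        delete readyAt[id];             // clear before transferring (no re-execution)
        emit Executed(id);
        to.transfer(amount);
    }
}
```

In the weak contract, whoever holds the deployer key drains the vault in one call, which is the failure mode the Wasabi and Drift incidents share. In the hardened contract the same withdrawal is visible on-chain (the `Queued` event) for at least `delay` seconds before it can execute, and an attacker who steals one signer’s key still lacks the quorum the multisig requires to queue it in the first place.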

The $292 million KelpDAO breach exploited a bridge configuration that relied on a single verifier, a weakness LayerZero had repeatedly warned about.

The post-theft playbook, however, was very different from the Drift exploit, according to TRM Labs. The Drift attackers converted the proceeds to USDC, bridged them to Ethereum, swapped them for ETH, and have not moved them since the day of the theft, consistent with the DPRK’s patient, multi-year withdrawal model.

In contrast, Lazarus took the KelpDAO proceeds and immediately laundered them through THORChain and Umbra; that laundering was almost entirely handled by Chinese intermediaries following the well-documented TraderTraitor playbook, the report explains.

The Kelp DAO exploit triggered one of DeFi’s biggest wipeouts, as $13 billion left multiple lending platforms, including Aave, which lost $8.54 billion in deposits in 48 hours and was left with a nearly $200 million bad-debt problem that industry players are now helping to cover with $300 million in pledges.
