A new crypto crime report by TRM Labs paints a stark picture of how North Korean hacking groups have been operating in 2026 so far. Through April, they were responsible for 76% of all losses tied to crypto hacks, but the report emphasizes that this outcome wasn’t driven by a steady stream of attacks. Instead, the massive share of stolen value comes down to just two incidents whose combined haul—about $577 million—far outweighed everything else that year. Two Crypto Hacks, Nearly $600M Stolen The first breach highlighted by TRM Labs took place on April 1: the Drift Protocol hack. The report puts the value stolen at $285 million. The second incident followed on April 18, when the KelpDAO bridge exploit reportedly resulted in $292 million in losses. Related Reading: Hyperliquid Jumps Into The Betting Boom With New ‘Outcome Tokens’ For Real-World Events What’s striking is that these two events account for only about 3% of the total number of crypto incidents in 2026 during that period. Yet together, they represent 76% of the stolen value, underlining a pattern the report says has defined North Korea’s approach across most years since 2017—relatively few attacks, but extremely outsized payouts. The report also charts how North Korea’s share of crypto hack losses has grown over time. It notes that the figure was under 10% in 2020 and 2021, then rose to 22% in 2022, 37% in 2023, 39% in 2024, and 64% in 2025. The 76% figure through April 2026 is described as the highest sustained share on record, suggesting that the pattern seen in recent years is not just continuing, but accelerating. April Sets New Record Of Incidents TRM Labs details how the Drift Protocol hack was carried out, focusing on the time and preparation that preceded the actual drain. The crypto hack involved about three weeks of pre-attack staging. It also included months of social engineering intended to compromise protocol signers. Once the attackers were in position, the full drain reportedly took place in roughly 12 minutes, showing how planning can turn into rapid theft at the moment of execution. Related Reading: A Stealth Force In Derivatives—Why Bitcoin Can’t Punch Past $80,000 Yet The KelpDAO hack, dated April 18, followed a very different technical path. According to TRM Labs’ crypto crime report, the exploit centered on a flaw in a single-verifier design used in a LayerZero bridge. After the breach, the attackers moved quickly into laundering: they routed proceeds through THORChain after more than $75 million was frozen on the Arbitrum blockchain (ARB). The findings align with another data point from the broader crypto ecosystem. DeFiLlama, which tracks activity and incidents in decentralized finance (DeFi), flagged April as the most-hacked month in crypto history by number of incidents. Featured image created with OpenArt, chart from TradingView.com
