
The long con: How North Korean spies spent months in-person to drain $285 million from Drift

North Korean government-backed hackers are becoming increasingly sophisticated and more precise, currently responsible for more than 76% of cryptocurrency losses, or nearly $600 million, this year alone.

For example, the $285 million Drift Protocol exploit involved what TRMLabs described as a long-term and “unprecedented face-to-face social engineering” attack, including months of in-person meetings between North Korean agents and Drift employees.

“Over the course of several months, North Korean agents sat across the table from protocol employees. To my knowledge, this is unprecedented in North Korea’s cryptocurrency hacking operations,” Ari Redbord, global director of policy and government affairs at TRMLabs, told CoinDesk. “This is no longer just remote keyboarding.”

Ari’s comments come alongside a new report released by TRMLabs on Thursday, which highlights that North Korea’s two main hacking groups, DPRK and Lazarus, are responsible for 76% of all cryptocurrency losses due to hacks and exploits in 2026.

“What we are seeing is not a broader campaign by North Korea, but a sharper one,” Redbord said in the report. “North Korea is acting faster and with more precision than ever before.”

The TRM Labs report added: “Cumulative cryptocurrency theft in North Korea has exceeded $6 billion since 2017.”

TRMLabs’ findings are consistent with the Wasabi protocol exploit, which followed a playbook similar to Drift’s April 19 hack: attackers used compromised deployer keys that were protected by neither timelocks nor multi-signature controls, and the protocol lost $4.5 million.

The $292 million KelpDAO vulnerability exploited a single known validator flaw that LayerZero warned about multiple times.

According to TRMLabs, the laundering playbook in the KelpDAO case differs significantly from the Drift exploit. The Drift hackers converted their proceeds to USDC, bridged them to Ethereum, swapped them for ETH, and have not moved them since the date of the theft, which is consistent with North Korea’s patient, multi-year cash-out pattern.

In contrast, Lazarus took their KelpDAO proceeds and immediately laundered them through THORChain and Umbra, which were handled almost entirely by Chinese intermediaries operating the well-documented TraderTraitor playbook, the report explains.

The KelpDAO exploit triggered the largest loss in DeFi: multiple lending platforms lost $13 billion, most notably Aave, which lost $8.54 billion in deposits within 48 hours and fell into a bad-debt crisis of nearly $200. Industry players are now helping it alleviate the crisis through a $300 million commitment.
