North Korean hackers steal $6B+; 76% of 2026 losses

TRM Labs says North Korean hackers have stolen $6B+ in crypto since 2017. In 2026 (through April), they account for 76% of tracked hack losses by value, an extreme concentration driven mainly by two April DeFi breaches.

First, on April 1, North Korean hackers exploited Drift Protocol for about $285M. TRM describes months of “patient” social-engineering staging, including in-person meetings with Drift staff. Using Solana’s durable nonce feature, attackers executed 31 withdrawals in ~12 minutes. Funds in USDC and JLP were moved to Ethereum and reportedly left dormant.

Second, on April 18, North Korean hackers targeted Kelp DAO for about $292M. TRM reports that compromised RPC nodes, combined with a DoS on external nodes, caused the bridge’s single verifier to accept poisoned data. Roughly 116,500 rsETH (about $292M) was drained from the Ethereum bridge contract.

After the Kelp DAO incident, “DeFi United” led a rescue raising ~132,650 ETH (~$303M). The Arbitrum Security Council froze about $75M of stolen funds, and later ~1.75e8 ETH was swapped into BTC, largely via THORChain.

For traders, the repeated, highly precise targeting of bridges and core DeFi infrastructure increases counterparty and smart-contract risk stress, which is likely to pressure risk appetite around similar bridge/DeFi names.
Bearish
The news reinforces that North Korean hackers are concentrating large, repeatable losses in DeFi bridges and critical contract logic. That raises the probability of further de-peg/bridge-risk repricing, more defensive positioning, and wider risk premiums for affected DeFi and bridge ecosystems. In the short term, it can weigh on sentiment and liquidity as traders price in operational stress. In the long term, it may accelerate security/insurance backstops, but the immediate market impact is risk-off until mitigations and exposure mapping improve.