How much has been stolen by North Korea-linked hackers in 2026?

TRM Labs estimates approximately $577 million through April 30, representing 76% of all crypto hack losses tracked by the firm this year.

Which protocols were the largest victims?

KelpDAO, an Ethereum restaking protocol, and Drift Protocol, a Solana-based perpetual futures exchange, accounted for the bulk of the 2026 losses TRM attributed to DPRK-linked actors.

How does this compare to prior years?

DPRK-linked theft topped $1.3 billion in 2024, the record on Chainalysis and TRM data. The 2026 pace and concentration ratio suggest this year could approach that level if the trend holds.

What can users do to reduce exposure?

Diversify across protocols, avoid concentrating funds in newer restaking or cross-chain venues without independent risk reviews, and monitor OFAC sanctions lists when interacting with mixers or unfamiliar deposit addresses.

TRM Labs Pins 76% of 2026 Crypto Thefts on North Korea-Linked Hackers After KelpDAO, Drift Hits

TRM Labs reported on Thursday that North Korea-linked hackers have stolen roughly $577 million in crypto so far in 2026, accounting for 76% of all hack losses tracked by the blockchain intelligence firm. The bulk of the damage traces to two incidents: a breach at restaking protocol KelpDAO and an exploit at perpetuals venue Drift Protocol. The figure covers thefts logged through April 30.

By Clara Hoffmann· L2 & scaling

What happened

TRM Labs published a report Thursday saying organizations linked to the Democratic People's Republic of Korea have stolen about $577 million in crypto in 2026 through April 30, per Crypto. News. That figure represents 76% of all crypto hack losses the firm has tracked this year.

Two incidents account for most of the total. KelpDAO, the Ethereum restaking protocol, was breached in a hit that drained a meaningful share of vault deposits. Drift Protocol, the Solana-based perpetual futures venue, suffered a separate exploit.

TRM did not release per-incident attribution figures alongside the topline number, but its analysts stitched the totals together using on-chain forensics that tie wallet clusters to prior DPRK-linked operations. The headline figure puts 2026 on pace to challenge 2024's record year, when DPRK-linked theft topped $1. 3 billion.

Why it matters

The concentration ratio is the story. When 76% of stolen crypto in a calendar year traces back to a single state-aligned actor, the threat model collapses into one question: how does the industry harden against North Korea specifically. The DPRK's cyber units have moved from exchange hits in 2018-2020, to bridge exploits in 2022-2023, to DeFi protocol breaches in 2024-2025, and now to restaking and perp infrastructure in 2026.

Each pivot has tracked the migration of liquidity. Pyongyang funds its weapons programs with this revenue, per repeated US Treasury and UN Panel of Experts findings, which is why every TRM or Chainalysis attribution doubles as a sanctions enforcement signal. It also matters for protocol due diligence.

KelpDAO and Drift were not obscure. Both ran public audits and bug bounty programs. The lesson institutional allocators will draw is that audit coverage is necessary, not sufficient.

TRM Labs Pins 76% of 2026 Crypto Thefts on North Korea-Linked Hackers After KelpDAO, Drift Hits

What happened

Why it matters

Market impact

What to watch

Disclaimer

Key takeaways

Frequently asked

Sources