The crypto market belongs to North Korea: North Korean hackers stole $577 million in just a few months
Just two attacks accounted for 76% of all crypto losses in 2026 and generated hundreds of millions in profit for hackers. Here’s how North Korea executes some of the most sophisticated and precise attacks in the industry.
01.05.2026
Since the start of 2026, North Korean hackers have stolen $577 million in crypto assets, making them the most profitable operation in the cryptocurrency market. GetBlock AML Research explains why North Korean operators are now dominating the crypto landscape.
Key Takeaways
- North Korean hackers linked to two separate groups stole approximately $577 million since the beginning of 2026. By April, that represented 76% of all losses from crypto project hacks — despite involving only a handful of confirmed attacks.
- The Drift Protocol hack ($285 million, April 1) involved three weeks of on-chain preparation and months of social engineering targeting transaction signers. The actual fund extraction took roughly 12 minutes.
- The KelpDAO attack ($292 million, April 18) exploited a vulnerability in the LayerZero bridge caused by reliance on a single validator for transaction verification. After roughly $75 million was frozen on Arbitrum, the attackers laundered funds through THORChain.
- These two attacks demonstrate different laundering strategies: in Drift’s case, the funds were quickly moved into Ethereum and then left untouched, while the KelpDAO attackers shifted into Bitcoin through THORChain and began gradually liquidating assets using a more traditional laundering model.
- THORChain processed most of the funds following both the 2025 Bybit hack and the 2026 KelpDAO attack, converting hundreds of millions of dollars from ETH to BTC without any intervention — effectively becoming the standard infrastructure for major North Korean operations.
- The Beacon Network, which includes more than 30 participants such as major exchanges and DeFi protocols, enables real-time alerts when North Korea-linked funds move onto platforms — before the assets are fully cashed out.
- Total crypto thefts attributed to North Korea since 2017 now exceed $6 billion.
North Korea’s Share of Crypto Theft Keeps Growing
North Korea’s share of stolen crypto assets has risen dramatically — from under 10% in 2020 and 2021 to 22% in 2022, 37% in 2023, 39% in 2024, and 64% in 2025. By April 2026, that figure had climbed to 76%, the highest level on record.
North Korea’s share of stolen crypto assets since 2017. Source: TRM Labs
The surge in 2025 was driven almost entirely by the February Bybit hack, when $1.46 billion was drained from a cold wallet through a compromised Safe{Wallet} signing interface. The incident remains the largest hack in crypto history. Combined with the KelpDAO and Drift attacks, it marks one of North Korea’s most profitable periods to date.
What’s notable is that the frequency of attacks hasn’t increased. North Korea’s primary hacking groups still conduct only a limited number of operations each year, but every attack is meticulously planned and aimed at high-value targets. Just two hacks accounted for 76% of all crypto losses in 2026. The attackers are not striking more often — they are striking more precisely.
The complexity of these attacks has also evolved. Analysts believe North Korean operators are increasingly using AI-driven tools for reconnaissance and social engineering. That aligns with the growing sophistication of attacks like Drift, which required weeks of manipulation involving advanced blockchain mechanics rather than simple private-key theft.
Drift Protocol: $285 Million Stolen, Funds Remain Dormant
Early investigations link the Drift Protocol attack to North Korean hackers. Researchers believe the group involved is separate from TraderTraitor, though attribution is still ongoing.
The on-chain preparation began on March 11 with a single 10 ETH withdrawal through Tornado Cash. But the broader operation started much earlier and reportedly included months of preparation — even involving in-person meetings between North Korean intermediaries and Drift employees, which is highly unusual for this type of attack.
The exploit relied on Solana’s “durable nonce” mechanism. Under normal conditions, Solana transactions expire after roughly 90 seconds if left unconfirmed. Durable nonces allow transactions to be signed in advance and broadcast later, a feature originally designed for offline signing.
Between March 23 and March 30, the attackers created nonce accounts and convinced members of Drift’s multisig security council to pre-sign transactions. On March 27, Drift changed its security configuration to a 2-of-5 multisig setup with no time delay — the exact change exploited during the attack.
At the same time, the attackers created a fake token called CarbonVote Token (CVT), added minimal liquidity, and artificially inflated its price through wash trading. Drift’s oracles accepted the token as a legitimate asset and used it as collateral.
On April 1, the pre-signed transactions were activated: 31 withdrawal operations were executed in roughly 12 minutes, including real assets such as USDC and JLP.
Most of the stolen funds were bridged into Ethereum within hours of the attack. Since then, the assets have remained untouched. Investigators believe the group may slowly cash out the funds over months or even years.
Movement of stolen Drift Protocol funds. Source: TRM Labs
KelpDAO: $292 Million Moved Through the Same Infrastructure Used in the Bybit Attack
The April 18 attack targeted KelpDAO’s rsETH LayerZero bridge on Ethereum.
The attackers first compromised two internal RPC nodes, replacing their software so they would report false blockchain state data. They then launched a DDoS attack against external nodes, forcing the system to rely solely on the compromised data sources.
Those nodes falsely reported that rsETH tokens had been “burned” on the source chain, even though no such burn had occurred. Relying on the manipulated data, the single validator approved the transaction as legitimate. The attackers ultimately withdrew approximately 116,500 rsETH worth around $292 million.
The core vulnerability was the use of a single validator. While LayerZero’s architecture supports multiple independent verifiers, only one validator was used in this implementation — making the exploit possible.
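The single-validator weakness described above, as an added simulation that is not code from the article or from LayerZero: each verifier reads the source chain through the RPC it trusts, a replaced RPC confirms any claimed event, an unreachable RPC cannot confirm anything, and the bridge accepts a message only when a quorum of verifiers confirms. All node names, verifier names and the claimed event are constructed.

```python
# Added example (not from the article or LayerZero's code): why one verifier
# behind a manipulable data source is a single point of failure, and why a
# quorum of independently sourced verifiers that fails closed is not.
from dataclasses import dataclass

@dataclass(frozen=True)
class Verifier:
    name: str
    rpc: str  # the node this verifier queries for source-chain state

HONEST_BURNS = set()                                      # no burn ever happened on the source chain
COMPROMISED_RPCS = {"internal-rpc-1", "internal-rpc-2"}   # replaced software, report false state
UNREACHABLE_RPCS = {"external-rpc-1"}                     # knocked out by the DDoS
CLAIMED_BURN = "burn-of-116500-rsETH"                     # event the withdrawal claims to be backed by

def rpc_confirms(rpc, claimed_burn):
    """What one RPC answers when asked whether the claimed burn happened."""
    if rpc in UNREACHABLE_RPCS:
        return False          # no answer is not a confirmation (fail closed)
    if rpc in COMPROMISED_RPCS:
        return True           # manipulated node reports the burn regardless
    return claimed_burn in HONEST_BURNS

def verify_message(verifiers, required, claimed_burn):
    """Accept the bridge message only if at least `required` verifiers confirm it."""
    confirmations = sum(rpc_confirms(v.rpc, claimed_burn) for v in verifiers)
    return confirmations >= required

# Weak configuration: a single verifier, sitting behind a compromised node.
SINGLE_VERIFIER = [Verifier("only-one", "internal-rpc-1")]

# Stronger configuration: three verifiers on independent RPCs, 2-of-3 required.
QUORUM_VERIFIERS = [
    Verifier("a", "internal-rpc-1"),
    Verifier("b", "external-rpc-1"),
    Verifier("c", "external-rpc-2"),
]

def single_verifier_accepts():
    return verify_message(SINGLE_VERIFIER, 1, CLAIMED_BURN)   # True: forged burn accepted

def quorum_accepts():
    return verify_message(QUORUM_VERIFIERS, 2, CLAIMED_BURN)  # False: only one confirmation
```

Lowering the quorum to 1 makes even the three-verifier set accept the forged burn, which is why the threshold matters as much as the number of verifiers.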
Two Hacks, Two Laundering Strategies
The Drift and KelpDAO attacks reveal two different laundering models shaped by different operational constraints.
In Drift’s case, the stolen assets were converted into USDC, bridged into Ethereum, swapped for ETH, distributed across fresh wallets, and then left dormant. This follows the classic North Korean strategy of holding assets long-term before gradually cashing out.
In the KelpDAO case, resilience became the priority. After the exploit, the attackers left roughly 30,766 ETH on Arbitrum — a network with a higher degree of centralization. Arbitrum’s security council used emergency powers to freeze those funds, worth approximately $75 million. That forced the hackers to rapidly change tactics.
Around $175 million in ETH was converted into Bitcoin, primarily through THORChain, a protocol with no KYC requirements. The attackers also used the privacy tool Umbra to obscure wallet connections.
At this stage, the KelpDAO laundering operation appears to follow the classic TraderTraitor playbook, with intermediaries — rather than North Korean operators themselves — handling much of the downstream cash-out process.
What Compliance Teams Should Monitor
Compliance teams should increase scrutiny of financial flows involving THORChain.
THORChain Flows Connected to KelpDAO
KelpDAO is only the latest example in a long series of attacks where funds moved through THORChain. In 2025, most of the assets stolen from Bybit were converted from ETH into BTC through THORChain between February 24 and March 2. The protocol processed an unprecedented spike in cross-chain volume without intervention.
The KelpDAO attack repeated the same pattern in April 2026, with approximately $175 million in ETH moving through THORChain after some assets were frozen on Arbitrum. THORChain developers and validators maintain that the protocol is fully decentralized and incapable of blocking transactions. However, public statements from project participants suggest the reality may be more complicated.
For North Korean operators, THORChain has become a reliable laundering channel: assets enter as ETH and emerge as BTC. Exchanges receiving Bitcoin from THORChain liquidity pools should screen these inflows against addresses linked to KelpDAO and other North Korean groups.
Multisig and Governance Vulnerabilities on Solana
The Drift attack targeted governance infrastructure rather than application business logic. Protocols using Solana Security Council multisigs combined with durable nonce mechanisms should treat this incident as a blueprint for future attacks.
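One control that follows from the durable-nonce mechanism described in the Drift section, as an added example that is not code from the article or from Drift: a policy check a council member can run over a transaction decoded by the Solana RPC with encoding "jsonParsed" before signing it. A durable-nonce transaction starts with a System Program AdvanceNonceAccount instruction, which that encoding reports as type "advanceNonce"; the check flags it and, assuming the protocol keeps a list of nonce accounts it created itself, rejects nonce accounts created by anyone else. Account addresses in the sample transactions are placeholders.

```python
# Added example (not from the article or Drift's code): a pre-signing review
# of a jsonParsed Solana transaction for a multisig council member.
SYSTEM_PROGRAM = "11111111111111111111111111111111"

def review_before_signing(tx, protocol_nonce_accounts):
    """Return policy findings for a decoded transaction; [] means no objection."""
    findings = []
    instructions = tx["transaction"]["message"]["instructions"]
    if not instructions:
        return ["transaction carries no instructions"]
    first = instructions[0]
    parsed = first.get("parsed") or {}
    # A durable-nonce transaction is recognisable by its first instruction:
    # System Program AdvanceNonceAccount, shown by jsonParsed as "advanceNonce".
    if first.get("programId") == SYSTEM_PROGRAM and parsed.get("type") == "advanceNonce":
        info = parsed["info"]
        findings.append("durable nonce: the signature does not expire and the "
                        "transaction can be broadcast at any later time")
        if info["nonceAccount"] not in protocol_nonce_accounts:
            findings.append("nonce account %s was not created by the protocol"
                            % info["nonceAccount"])
    return findings

# Constructed decoded transactions (account addresses are placeholders).
DURABLE_TX = {"transaction": {"message": {"instructions": [
    {"program": "system", "programId": SYSTEM_PROGRAM,
     "parsed": {"type": "advanceNonce",
                "info": {"nonceAccount": "NonceAcctCreatedByOutsider",
                         "nonceAuthority": "OutsiderAuthority",
                         "recentBlockhashesSysvar": "SysvarRecentB1ockHashes11111111111111111111"}}},
    {"program": "spl-token", "programId": "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA",
     "parsed": {"type": "transfer", "info": {"amount": "1000000"}}},
]}}}

ORDINARY_TX = {"transaction": {"message": {"instructions": [
    {"program": "spl-token", "programId": "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA",
     "parsed": {"type": "transfer", "info": {"amount": "1000000"}}},
]}}}

def findings_for_durable():
    # Two findings: durable nonce in use, and a nonce account the protocol never created.
    return review_before_signing(DURABLE_TX, {"ProtocolOwnedNonce1"})
```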
Exchanges accepting deposits originating from Solana DeFi protocols should monitor bridge activity connected to the Drift exploit, including routes involving Jupiter and Wormhole.
Monitoring Multi-Hop Cross-Chain Transfers
Both KelpDAO and Bybit relied on bridges and cross-chain infrastructure either during the attack or in subsequent laundering stages. Monitoring bridge-to-exchange flows is therefore critical. Screening only the first receiving address is no longer sufficient — funds may pass through multiple intermediary wallets across several chains.
Compliance teams need full transaction-chain analysis spanning multiple blockchain hops.
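The multi-hop screening this section and the THORChain section call for, as an added example that is not code from the article: a breadth-first trace forward from flagged addresses over a constructed transfer graph in which a "swap" edge stands for a cross-chain conversion such as ETH to BTC through a liquidity pool. The naive first-hop check is shown beside it. Every address and transfer below is made up.

```python
# Added example (not from the article): multi-hop, cross-chain exposure
# screening versus checking only the first receiving address.
from collections import deque

FLAGGED = {("ethereum", "0xattacker-hot-wallet")}   # investigator-flagged origin

# Constructed flow: attacker -> fresh wallets -> cross-chain swap -> exchange deposit.
# Each endpoint is a (chain, address) pair; the third field is the transfer kind.
TRANSFERS = [
    (("ethereum", "0xattacker-hot-wallet"), ("ethereum", "0xfresh-wallet-1"), "transfer"),
    (("ethereum", "0xfresh-wallet-1"), ("ethereum", "0xfresh-wallet-2"), "transfer"),
    (("ethereum", "0xfresh-wallet-2"), ("bitcoin", "bc1-swap-output"), "swap"),
    (("bitcoin", "bc1-swap-output"), ("bitcoin", "bc1-exchange-deposit"), "transfer"),
    (("ethereum", "0xunrelated-user"), ("bitcoin", "bc1-clean-deposit"), "swap"),
]

def build_graph(transfers):
    """Adjacency list keyed by (chain, address)."""
    graph = {}
    for src, dst, kind in transfers:
        graph.setdefault(src, []).append((dst, kind))
    return graph

def trace_exposure(deposit, transfers, flagged=FLAGGED, max_hops=5):
    """Breadth-first search forward from flagged addresses, crossing chains.
    Returns the list of (chain, address) nodes from a flagged origin to
    `deposit`, or None when no path exists within max_hops."""
    graph = build_graph(transfers)
    queue = deque((start, [start]) for start in flagged)
    seen = set(flagged)
    while queue:
        node, path = queue.popleft()
        if node == deposit:
            return path
        if len(path) - 1 >= max_hops:
            continue
        for nxt, _kind in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None

def first_hop_only(deposit, transfers, flagged=FLAGGED):
    """The naive check: is the deposit funded directly by a flagged address?"""
    return any(src in flagged and dst == deposit for src, dst, _ in transfers)
```

For the constructed exchange deposit, first_hop_only returns False while trace_exposure returns a four-hop path through the swap, which is the gap the text describes.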
Joining the Beacon Network for Real-Time Alerts
The two largest attacks of 2026 both targeted DeFi protocols. Many of those protocols are now part of the Beacon Network alongside major exchanges including Coinbase, Binance, Kraken, OKX, and Crypto.com.
When investigators flag addresses controlled by attackers, the system automatically tracks fund movements in real time and distributes alerts across the network.
Traditional screening systems detect only already-known addresses, but Beacon Network reduces response time from days to minutes — allowing platforms to react before stolen assets are fully laundered.