What happened with North Korean crypto hacks in 2026?

North Korean-linked hackers stole $577 million from two DeFi platforms in April 2026, accounting for 76% of all crypto hack losses this year. The attacks targeted Drift Protocol and Kelp DAO. This highlights a sharp concentration of hacking activity from a single state-linked group.

Which platforms were hacked and how much was stolen?

The two main targets were Drift Protocol ($285 million) and Kelp DAO ($292 million). Together, these two exploits made up the majority of total crypto theft in 2026 so far. Despite being just two incidents, they dominated overall losses.

How did the Drift Protocol hack work?

The Drift Protocol attack involved months of social engineering, including reported in-person interactions with staff. Hackers used a Solana feature called a durable nonce to execute pre-signed transactions. This allowed them to withdraw funds rapidly in a coordinated attack.

How was the Kelp DAO exploit carried out?

The Kelp DAO attack exploited a blockchain bridge weakness by compromising internal RPC nodes. Hackers manipulated data so the system believed assets had been burned when they had not. This allowed them to drain around 116,500 rsETH worth $292 million.

Why does this matter for DeFi investors?

These attacks highlight structural risks in DeFi, especially around bridges and internal infrastructure. Even large protocols can be vulnerable to targeted exploits. For investors, this increases counterparty and smart contract risk.

How much crypto has North Korea stolen in total?

North Korean-linked actors have stolen over $6 billion in crypto since 2017, according to TRM Labs. Their share of global crypto theft has steadily increased, reaching 76% in 2026 so far. This shows a growing dominance in crypto-related cybercrime.

What role does THORChain play in these hacks?

THORChain has been used to move and convert stolen funds across blockchains, particularly from Ethereum to Bitcoin. It does not enforce know-your-customer (KYC) rules, making it attractive for laundering. This raises concerns about compliance gaps in decentralised infrastructure.

Were any of the stolen funds recovered?

Around $75 million from the Kelp DAO hack was frozen by Arbitrum authorities. However, a large portion of funds was quickly moved and laundered across chains. This shows recovery is possible but limited once funds start moving.

North Korea hackers steal $6B crypto surge

Written by Jon CuthbertPublished May. 1 2026Last Updated May. 1 2026

North Korean-linked hackers stole $577 million from two DeFi platforms in April, accounting for 76% of all crypto hack losses in 2026, according to TRM Labs.

The attacks targeted Drift Protocol and Kelp DAO, with exploits worth $285 million and $292 million respectively, highlighting increasing precision in state-backed crypto operations.

TRM analysts said the Drift attack involved months of preparation including in-person social engineering, while the Kelp DAO exploit relied on a blockchain bridge verification flaw.

The Drift exploit used a Solana durable nonce feature to execute 31 withdrawals in minutes, while stolen funds were later moved to Ethereum and remain largely dormant.

In contrast, the Kelp DAO attack compromised internal RPC nodes and manipulated a single verifier, enabling the theft of 116,500 rsETH before partial funds were frozen by Arbitrum authorities.

Since 2017, North Korean actors have stolen more than $6 billion in crypto, with their share of total hack activity rising sharply from under 10% in 2020 to 76% so far in 2026.

The laundering of stolen funds has increasingly relied on cross-chain platforms like THORChain, which processed large volumes of illicit transfers without enforcing identity checks.

Analysts warn the growing sophistication of these attacks, potentially enhanced by AI-driven reconnaissance, signals an escalating systemic risk to decentralised finance infrastructure.

At the time of reporting, Solana price was $82.92.