By Francesco Campisi

North Korea Behind 76% of Crypto Hack Losses in Early 2026

North Korea took 76% of all crypto hack losses in the first four months of 2026, per TRM Labs. $577M stolen from Drift Protocol and Kelp DAO by the Lazarus…

North Korea stole $577 million of the $651 million lost to crypto hacks in the first four months of 2026, according to TRM Labs data published in May 2026. That is 76% of all hack-related losses in the sector, concentrated in just two operations. Both were attributed to TraderTraitor, a subgroup of the Lazarus Group.

Key Data

  • DPRK losses, Jan-Apr 2026: $577,000,000
  • Total crypto hack losses (Apr 2026): $651,000,000
  • DPRK share of total: 76%
  • Drift Protocol (Apr 1, TraderTraitor): $285,000,000
  • Kelp DAO (Apr 18, TraderTraitor): $292,000,000
  • April 2026, worst month since Feb 2025: $651M total

Source: TRM Labs, Chainalysis, Elliptic · May 2026


Two attacks. Two completely different protocols. Same actor, same month. Drift Protocol lost $285 million on Solana on April 1, in an operation attributed to the TraderTraitor subgroup of the Lazarus Group by both Elliptic and TRM Labs. Kelp DAO lost $292 million on April 18, same unit, entirely different vector: a LayerZero bridge compromise rather than Solana-side social engineering. North Korea wasn't improvising. TraderTraitor was running parallel operations simultaneously.

Security Incident Report

  • Protocol: Drift Protocol (Solana)
  • Amount stolen: $285,000,000
  • Date: April 1, 2026
  • Attack vector: Long-term infiltration. CarbonVote Token (CVT) created on March 11, systematic wash trading, then the Drift vault exploit in 12 minutes. Funds bridged via Circle CCTP from Solana to Ethereum in 6 hours during US business hours.
  • Attribution: Lazarus Group / TraderTraitor (Elliptic, TRM Labs). Timestamps consistent with Pyongyang working hours. Pre-funding from Tornado Cash: 10 ETH.

Source: Elliptic, TRM Labs, ZachXBT · April 2026


Security Incident Report

  • Protocol: Kelp DAO (rsETH/LayerZero)
  • Amount stolen: $292,000,000
  • Date: April 18-19, 2026
  • Attack vector: LayerZero DVN RPC compromise plus DDoS on the non-compromised nodes. Drain of 116,500 rsETH. Aave V3 hit by bad debt because rsETH was used as collateral.
  • Attribution: Lazarus Group / TraderTraitor (LayerZero official post-mortem, April 20, 2026). Approximately $175M laundered via THORChain within 36 hours.

Source: LayerZero Labs, Chainalysis, ZachXBT · April 2026


For the full breakdown of the Kelp DAO exploit and the Drift Protocol case, including how the Aave post-exploit crisis resolved, read our analysis on Aave and the 95% rsETH recovery.

How Does North Korea Actually Steal Crypto?

The model has evolved well beyond a lone hacker probing smart contract code. The North Korean operation, identified by Chainalysis, TRM Labs, and FBI researchers as TraderTraitor, functions as a corporation. It recruits developers through fake job offer campaigns (the GhostHire operations documented by Cisco Talos), places them as contractors inside crypto firms, and lets them work for months as normal employees. Then, at the chosen moment, they use that internal access to compromise private keys, alter configurations, or drain wallets.

The Drift case is the most thoroughly documented. Attackers created developer accounts on Solana on March 23, three weeks before the strike. They ran wash trading to make the CarbonVote Token look credible. They waited. On April 1, in 12 minutes, they emptied the vaults. Then they used Circle CCTP, the USDC cross-chain protocol, to move $232 million from Solana to Ethereum in 6 hours during US business hours. Circle did not intervene. The Lazarus Group's role in the Kelp exploit followed the same long-range planning logic.

AI is entering the playbook. The GhostCall and GhostHire campaigns documented by Cisco Talos use cloned voices and deepfakes to impersonate Web3 executives during hiring video calls, raising the success rate of infiltration attempts. This isn't yet the “AI attacks smart contracts” model benchmarked under EVMbench, but it's the precursor: AI as a preparation and cover tool before the exploit runs.

What Comes Next: THORChain and the Regulatory Gap

TRM Labs has not yet attributed the THORChain exploit of May 15 to North Korea. But if TraderTraitor involvement emerges in that $10.8 million operation, DPRK losses in 2026 would reach $588 million before mid-year. Europe's regulatory response has focused primarily on Russia, yet the North Korea file remains the sector's most concrete and least addressed security problem. OFAC sanctioned dozens of North Korean facilitators in 2026, the latest round in March. Not enough.

The THORChain community votes on its own remediation by May 22-23. If attribution shifts to include TraderTraitor, pressure will build on the sector to implement transaction-screening mechanisms that, per Chainalysis estimates, roughly 99% of bridges and cross-chain protocols currently lack. European regulators under MiCA have tools to mandate such screening for licensed CASPs operating within the EU. Whether those tools get deployed for state-level threats, rather than just retail compliance, is the question the industry should be watching. Follow all updates in the SpazioCrypto Hack section.
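The screening a bridge could run on outbound transfers, as an added illustration that is not part of this article or of any named project: it applies the three signals the incident reports above describe (pre-funding from a mixer, a sanctioned sender, and a large volume bridged within a few hours) to a constructed batch of transfers. All addresses and list contents are placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Placeholder lists (constructed). A real deployment loads a mixer list and a
# sanctions list (e.g. OFAC SDN) from a maintained source instead.
MIXER_ADDRESSES = {"0xMIXER_PLACEHOLDER"}
SANCTIONED_ADDRESSES = {"0xSANCTIONED_PLACEHOLDER"}


@dataclass
class Transfer:
    ts: datetime            # time the bridge request was made (UTC)
    sender: str             # source-chain address requesting the bridge
    amount_usd: float
    funded_by: frozenset = field(default_factory=frozenset)  # who funded the sender


def screen_transfer(transfer, history, window=timedelta(hours=6), volume_limit_usd=100_000_000):
    """Return risk flags for one outbound transfer.

    `history` holds transfers the bridge has already seen; only the same
    sender's transfers inside `window` count toward the rapid-outflow check.
    """
    flags = []
    if transfer.sender in SANCTIONED_ADDRESSES:
        flags.append("sanctioned_sender")
    if transfer.funded_by & MIXER_ADDRESSES:
        flags.append("mixer_prefunded")
    recent = [h for h in history
              if h.sender == transfer.sender and timedelta(0) <= transfer.ts - h.ts <= window]
    if sum(h.amount_usd for h in recent) + transfer.amount_usd > volume_limit_usd:
        flags.append("rapid_outflow")
    return flags


def screen_batch(transfers):
    """Screen transfers in time order; returns [(sender, flags)] for flagged ones."""
    history, flagged = [], []
    for t in sorted(transfers, key=lambda x: x.ts):
        flags = screen_transfer(t, history)
        if flags:
            flagged.append((t.sender, flags))
        history.append(t)
    return flagged


T0 = datetime(2026, 4, 1, 14, 0, tzinfo=timezone.utc)
SAMPLE = [  # constructed: one mixer-funded sender bridging $232M in 5 hours, one ordinary user
    Transfer(T0, "0xATTACKER_PLACEHOLDER", 80_000_000, frozenset({"0xMIXER_PLACEHOLDER"})),
    Transfer(T0 + timedelta(hours=2), "0xATTACKER_PLACEHOLDER", 80_000_000, frozenset({"0xMIXER_PLACEHOLDER"})),
    Transfer(T0 + timedelta(hours=5), "0xATTACKER_PLACEHOLDER", 72_000_000, frozenset({"0xMIXER_PLACEHOLDER"})),
    Transfer(T0 + timedelta(hours=1), "0xUSER_PLACEHOLDER", 1_500, frozenset({"0xEXCHANGE_PLACEHOLDER"})),
]
```

Running `screen_batch(SAMPLE)` flags the first transfer on mixer pre-funding alone and the later two on both pre-funding and the 6-hour volume, while the ordinary user passes.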
