
Key takeaways
- TRM Labs says North Korean groups stole $577 million through April across two attacks.
- Drift Protocol lost $285 million after months of social engineering against protocol signers.
- KelpDAO lost $292 million after a LayerZero bridge design flaw enabled a drain.
Fewer Hits, Bigger Drains
North Korea's hacking machine is winning through precision rather than volume. TRM Labs said North Korean groups stole about $577 million through April 2026, equal to 76% of all tracked crypto hack losses, from just two major attacks.
The numbers are blunt. Drift Protocol lost $285 million on April 1. KelpDAO lost $292 million on April 18. Together, those two incidents made up only 3% of the 2026 incident count, according to TRM, yet dominated the value stolen across the ecosystem.
That is the uncomfortable part for protocol teams. A lower attack count can still mean a worse year if the targets are larger, the preparation is deeper, and the blast radius reaches across bridges, signers, and exchanges. North Korea does not need constant noise when one clean hit can fund serious state priorities.
The Attack Surface Is Human And Institutional
The Drift breach was more than a simple smart-contract bug. TRM described three weeks of pre-attack staging and months of targeted social engineering against protocol signers before the drain happened in roughly 12 minutes. That is a spy-service rhythm, far removed from the cartoon version of a hacker guessing passwords.
KelpDAO showed another weak point. TRM said the exploit hit a single-verifier design flaw in a LayerZero bridge, then moved through laundering routes after $75 million was frozen on Arbitrum. The broader pattern is uncomfortable for anyone pretending decentralized finance is battle-hardened because it has dashboards, audits, and confident branding.
The value concentration also changes the security conversation. A protocol can survive many low-level probes and still fail catastrophically when governance, bridges, or signers become the real target. That is why attack count can look calm while the risk curve gets steeper. For DeFi teams, security has to cover signer behavior, bridge dependencies, response timing, exchange monitoring, and the human layer attackers study for months.
Bridges Are Becoming State Targets
TRM warned that bridge and cross-chain infrastructure remain priority monitoring channels for North Korean proceeds. The report said KelpDAO funds moved through THORChain and that screening only first-hop addresses can miss funds that pass through intermediary wallets before reaching exchanges.
That is the larger point. The attacker does not need to break every wallet. A rogue state can focus on high-value protocol machinery, signer workflows, bridge validators, and laundering paths. If a single operational mistake opens a nine-figure door, the state actor only needs a few doors. Monitoring also has to follow funds beyond the first wallet hop, because bridges and pools can move faster than attribution labels.
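The first-hop gap described above, as an added example that is not from TRM's report or the original article: a breadth-first trace over a constructed transfer list, comparing a one-hop watchlist with a deeper trace at an exchange's deposit addresses. Every address name is made up, and the rule of not tracing through a labelled shared pool is an assumption of this sketch.

```python
from collections import deque

# Constructed sample transfers (sender, receiver); all names are made up.
TRANSFERS = [
    ("exploiter", "w1"),
    ("w1", "w2"),
    ("w1", "w3"),
    ("w2", "w4"),
    ("w4", "w1"),                 # cycle back into the graph
    ("w4", "exchange_dep_A"),     # tainted funds reach an exchange after 4 transfers
    ("w3", "pool"),               # shared pool used by unrelated parties
    ("pool", "bystander"),
    ("bystander", "exchange_dep_B"),
    ("clean", "exchange_dep_C"),
]
SOURCES = {"exploiter"}
DEPOSITS = {"exchange_dep_A", "exchange_dep_B", "exchange_dep_C"}
SHARED_SERVICES = {"pool"}        # assumption: labelled ahead of time


def hop_distances(transfers, sources, max_hops, stop_at=frozenset()):
    """Walk outgoing transfers breadth-first; return {address: hops from a source}."""
    out = {}
    for src, dst in transfers:
        out.setdefault(src, []).append(dst)
    dist = {s: 0 for s in sources}
    queue = deque(sources)
    while queue:
        addr = queue.popleft()
        # Do not expand past the hop budget or through a shared service.
        if dist[addr] >= max_hops or addr in stop_at:
            continue
        for nxt in out.get(addr, []):
            if nxt not in dist:   # first visit is the shortest path; also breaks cycles
                dist[nxt] = dist[addr] + 1
                queue.append(nxt)
    return dist


def screen_deposits(transfers, deposit_addrs, sources, max_hops, stop_at=frozenset()):
    """Return {deposit address: hop distance of its nearest traced sender}."""
    dist = hop_distances(transfers, sources, max_hops, stop_at)
    hits = {}
    for src, dst in transfers:
        if dst in deposit_addrs and src in dist:
            hits[dst] = min(dist[src], hits.get(dst, dist[src]))
    return hits
```

With `max_hops=1` the deposit from `w4` passes unflagged; a deeper trace catches it, and dropping the pool label also flags the unrelated `bystander` deposit, which is the over-tainting cost of tracing through shared liquidity.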
Why It Matters
This is what happens when the sh!tcoin complex treats financial infrastructure like an experiment with token incentives attached. A hostile state does not care about roadmaps, communities, or total value locked. It cares about extraction.
Bitcoin security culture is annoying for a reason. Self-custody, conservative protocol changes, simple attack surfaces, and adversarial thinking are not aesthetic preferences. They are defenses against professional attackers with time, budgets, and patience.



































































