- North Korean hackers stole $577M, 76% of all April 2026 crypto hacks via Drift Protocol and KelpDAO attacks.
- Advanced social engineering and single-verifier bridge flaws enabled the rapid, high-value drains.
- These attacks show North Korea’s dominance in crypto theft and could prompt urgent DeFi security upgrades.
North Korean hackers stole approximately $577 million in the first four months of 2026, accounting for 76% of all crypto-hack value from just two attacks. On April 1, they drained $285 million from Drift Protocol on Solana, and on April 18, they drained $292 million from KelpDAO’s LayerZero bridge. The sophisticated operations combined social engineering, durable nonces, RPC poisoning, and rapid laundering mainly through THORChain.
North Korea Dominates April 2026 Crypto Hacks With $577M Stolen
On April 30, 2026, TRM Labs reported that North Korean hacking groups accounted for 76% of all crypto hack losses through April 2026, achieving this through just two high-impact operations rather than a high volume of attacks.
Notably, the hackers breached Drift Protocol on April 1, stealing $285M, and exploited the KelpDAO bridge on April 18, extracting another $292M. Although these incidents accounted for only 3% of total hacks recorded this year, they accounted for 80% of the total stolen value.

This pattern highlights the hackers' consistent strategy of precision over quantity. Their cumulative attributed crypto theft has now surpassed $6 billion since 2017, with their share of total losses steadily climbing from under 10% in earlier years to 76% in early 2026.
Advanced Social Engineering and Bridge Vulnerabilities Drive the Attacks
The Drift Protocol attack involved extensive preparation over several months, including in-person social engineering meetings with protocol employees and three weeks of on-chain staging. Attackers exploited Solana’s durable nonce feature to obtain pre-signed authorizations from the Security Council multisig and created a fake CarbonVote token through wash trading to manipulate oracles. They executed 31 withdrawals in about 12 minutes, draining $285M in assets, including USDC and JLP.
Furthermore, the KelpDAO attack targeted the rsETH LayerZero bridge on Ethereum by compromising internal RPC nodes and launching a DDoS attack on external ones. This forced the system to rely on poisoned data sources. The single-verifier setup then approved a fraudulent message reporting a burn that never occurred, allowing the attackers to drain approximately 116,500 rsETH, valued at $292M.
What’s Next?
These attacks show North Korea’s dominance in crypto theft, demonstrating how nation-state actors are refining highly targeted techniques against governance mechanisms and cross-chain bridges, raising the bar for the entire industry.
As these sophisticated operations continue, the industry may see urgent, widespread security and compliance upgrades. According to Chainalysis reports, DPRK-linked thefts reached record levels of $2.02B in 2025 and early 2026, with experts forecasting that annual nation-state crypto thefts could exceed $3-4B by 2027–2028 if current trends in social engineering, AI-assisted attacks, and bridge vulnerabilities persist.
Meanwhile, Polymarket traders currently price a near-certainty (100% YES) of multiple additional hacks of over $100M before the end of 2026 alone, while broader industry analyses warn of rising attack frequency driven by geopolitical needs and advancing tools like deepfakes and autonomous AI agents.
Therefore, the coming months could mark a major turning point in how DeFi projects approach security architecture and regulatory alignment. Protocols must move quickly to implement time-locked multisig configurations, multi-verifier bridge architectures, stronger RPC node protections, and real-time on-chain monitoring systems.
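The sketch below is an added example, not code from KelpDAO, LayerZero or TRM Labs. It shows how a multi-verifier bridge check can fail closed when RPC endpoints go dark or disagree, instead of trusting whichever nodes still answer. All function, verifier and endpoint names and the thresholds are assumptions, and the data is constructed.

```python
from collections import Counter

def rpc_consensus(responses, min_live=3, min_agree=3):
    """Burn amount agreed on by one verifier's RPC endpoints, or None to abstain.

    responses maps endpoint name -> burn amount reported for the message
    (0 = no burn event found, None = endpoint unreachable).
    """
    live = [r for r in responses.values() if r is not None]
    if len(live) < min_live:          # fail closed: never fall back to the
        return None                   # few endpoints that still answer
    value, count = Counter(live).most_common(1)[0]
    return value if count >= min_agree else None   # disagreement -> abstain

def approve_release(claimed_amount, verifiers, threshold):
    """Approve only if `threshold` independent verifiers each confirm the burn."""
    confirmed = [name for name, responses in verifiers.items()
                 if claimed_amount > 0 and rpc_consensus(responses) == claimed_amount]
    return len(confirmed) >= threshold, confirmed

# Constructed scenarios (hypothetical endpoint and verifier names).
CLAIM = 116_500  # forged message claims this much rsETH was burned

# Verifier whose internal nodes are poisoned and whose external nodes are down.
ISOLATED = {"internal-1": CLAIM, "internal-2": CLAIM, "external-1": None, "external-2": None}
# Same poisoned nodes, but external endpoints still answer truthfully.
SPLIT = {"internal-1": CLAIM, "internal-2": CLAIM, "external-1": 0, "external-2": 0}
# Independent verifier with its own healthy endpoints: no burn on chain.
HONEST = {"a": 0, "b": 0, "c": 0}

def scenarios():
    return {
        "single_verifier_isolated": approve_release(CLAIM, {"v1": ISOLATED}, threshold=1),
        "three_verifiers_forged": approve_release(
            CLAIM, {"v1": ISOLATED, "v2": HONEST, "v3": HONEST}, threshold=2),
        "split_view": approve_release(CLAIM, {"v1": SPLIT}, threshold=1),
        "real_burn": approve_release(
            500, {"v1": {"a": 500, "b": 500, "c": 500},
                  "v2": {"d": 500, "e": 500, "f": None, "g": 500},
                  "v3": ISOLATED}, threshold=2),
    }

if __name__ == "__main__":
    for name, (ok, who) in scenarios().items():
        print(f"{name}: approved={ok} confirmed_by={who}")
```

Only the genuine burn is approved; the forged claim is rejected even with a single verifier, because an isolated or split RPC view makes that verifier abstain.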
