North Korean hackers have stolen nearly three-quarters of all cryptocurrency taken by cybercriminals so far this year—not through a relentless campaign of attacks, but through two precisely executed heists targeting decentralized finance platforms in April, according to a new report from blockchain intelligence firm TRM Labs.

The two incidents—a $285 million breach of Drift Protocol on April 1 and a $292 million exploit of Kelp DAO on April 18—together account for 76% of all crypto hack losses tracked through April, despite representing just 3% of the total number of incidents recorded.

All told, TRM Labs estimates that North Korean-linked hackers have swiped over $6 billion from crypto protocols and projects since 2017, including some of the industry’s worst-ever heists.

The figures reflect an accelerating concentration of cryptocurrency theft by state-linked North Korean operatives. Pyongyang’s share of total crypto hack losses has grown from under 10% in 2020 and 2021 to 22% in 2022, 37% in 2023, 39% in 2024, and 64% in 2025. The 2026 figure of 76% through April is the highest sustained share on record.

The Drift Protocol attack was remarkable for its patience. On-chain staging began March 11, and the campaign involved in-person meetings between North Korean proxies and Drift employees over a period of months—a tactic TRM analysts described as potentially unprecedented in North Korea’s lengthy crypto hacking campaign.

The attackers exploited a Solana feature called a durable nonce, which allows pre-signed transactions to be held and deployed at a later time. On April 1, 31 withdrawals executed in approximately 12 minutes, draining real assets including USDC and JLP. The stolen funds were quickly moved to Ethereum and have sat dormant since.

The Kelp DAO attack took a different route. The attackers compromised two internal RPC nodes and then launched a denial-of-service attack against external nodes, forcing the bridge’s single verifier to rely on the poisoned data sources. Those nodes falsely reported that the underlying asset had been burned on the source chain when no such action had occurred, and approximately 116,500 rsETH—worth roughly $292 million—was drained from the Ethereum bridge contract.

After the Kelp DAO theft, the Arbitrum Security Council exercised emergency powers to freeze roughly $75 million of the stolen funds that had been left on the network—a rare intervention that prompted a rapid laundering response. Approximately $175 million in ETH was then swapped to Bitcoin, mostly through THORChain, a cross-chain liquidity protocol with no know-your-customer requirement.

THORChain processed the vast majority of proceeds from both the Bybit breach in 2025—the industry’s worst-ever theft, with over $1.4 billion in crypto stolen—and the Kelp DAO hack in 2026, converting hundreds of millions in stolen ETH to Bitcoin with no operator willing to freeze or reject transfers.

TRM analysts noted that the group appears to be sharpening its tools: Analysts have begun to speculate that North Korean operators are incorporating AI tools into their reconnaissance and social engineering workflows, a development consistent with the increasing precision of attacks like Drift, which required weeks of targeted manipulation of complex blockchain mechanisms.