North Korea Just Robbed DeFi Again. And Again. $577 Million in Two Hits. 76% of Everything Stolen in 2026

North Korea Just Robbed DeFi Again. And Again. $577 Million in Two Hits. 76% of Everything Stolen in 2026

By Cedrus Nomad | Cedrus Alpha | 1 May 2026


You think your protocol is secure. Kim Jong Un's hackers have a different opinion.
Right now, TRM Labs released findings that might shake anyone building in DeFi, running bridges, or farming yields. Nearly $577 million vanished by April 2026 - taken by North Korea-linked groups. That sum covers 76% of every crypto theft worldwide in those months. What's the disturbing part? Only two breaches caused most of it. Though they made up just 3% of all incidents, their impact dwarfed everything else.

Two swings. $577 million. Game over for the rest of the threat landscape.

 
The Two Hits Surgical Patient Devastating
Beyond the headlines, a hole opened in Drift Protocol’s defenses come April first - $285 million gone. Weeks later, by the eighteenth, KelpDAO’s safeguards gave way too, dragging an extra $292 million into the loss column.

These were not smash and grab jobs. These were months-in-the-making operations.


Drift The Social Engineering Masterclass
On-chain staging began March 11. Instead of just hiding online, spies linked to North Korea met face-to-face with staff at Drift across several weeks. That move surprised experts who study these attacks; it’s something rarely seen before in years of similar thefts involving digital money.

A glitch in Solana’s system - one that holds signed trades until needed - got turned into an opening. By April 1, 31 withdrawals had gone through, packed into approximately 12 minutes. Funds like USDC and JLP vanished fast. In under 12 minutes, months of preparation paid off for the attackers. Twelve minutes was enough.


KelpDAO Faces Sudden Attack on the Bridge
A breach hit two inside RPC points first. Afterward, outside nodes got flooded until they stopped responding. Because of this, the bridge’s only verifier turned to corrupted feeds. These feeds claimed the base token was destroyed on the origin chain - though nothing actually happened there.

The bridge thought it saw something that did not happen. It acted on the lie. Because of that false signal, movement began where none should occur. 116,500 rsETH vanished into unknown hands. The value lost approximately $292 million.

 
The Trajectory Is Terrifying
This isn’t some sudden blip. A clear path leads directly to what you hold.

So far this year, North Korea accounts for 76% of worldwide cryptocurrency thefts. Back in 2020 and 2021, it was under 10%. By 2022, that piece jumped to nearly a quarter. Then came 39% in 2023. The following year saw just shy of two out of every five stolen digital assets tied to them. In 2025, more 64% pointed their way. Growth hasn’t slowed - instead, it keeps climbing.

Over six billion dollars in cryptocurrency theft tied to them since 2017. This isn’t some band of lone hackers working from basements. Think state-level operations instead - backed by Ethereum they’ve taken through breaches.

Polymarket traders currently price a near certainty of multiple additional over $100M hacks before the end of 2026.


They Are Getting Smarter, Possibly With AI Help
Here is the detail that changes everything.
Now comes word from TRM analysts: signs point to North Korea weaving AI into spy tactics. This shift shows up clearly in operations such as Drift, where intricate blockchain systems were bent slowly, over days on end. Precision grew sharper. Timing tightened. Each move felt more deliberate than before.

Picture how this plays out. Not just theory - real moves already happening. Deepfake calls to protocol employees who handle security steps. Machines scanning blockchains nonstop, finding weak spots like single verifier designs and admin key vulnerabilities or poorly guarded keys faster than human teams ever could.

Tools at the disposal of the DPRK’s hackers might now surpass those available to your auditors. Not only do they have more funding - their gear could simply be sharper.


The Laundering Machine THORChain as North Korea's ATM
After a theft, where is half a billion dollars headed? Nowhere near an overlooked digital vault gathering dust.

Out of the chaos came movement - THORChain handled nearly all funds siphoned during Bybit's 2025 breach. Then again in 2026, when Kelp DAO fell apart, it moved more than anyone else did. Stolen Ethereum, amounting to staggering sums, shifted into Bitcoin smoothly. Transfers flowed without resistance, quietly changing hands across chains.

Open access defines THORChain - it's built that way. This strength also brings risk, baked right in.

Laundering is handled almost entirely by Chinese intermediaries, not the North Koreans themselves. Security around these operations shows depth, skill, routine. No spur-of-the-moment moves guide this work. Years have shaped how smoothly cash exits now.

A sliver of success emerged when the Arbitrum Security Council used emergency authority to lock down around $75 million in ETH sitting on an L2 - left behind by the TraderTraitor crew. Decentralization purists had complicated feelings about that.

 

What DeFi Actually Needs to Do
Stop shipping bridge infrastructure with single verifier designs. Period.

  • Every bridge transaction needs multiple signatures before going through
  • Freezes can still happen during emergencies because of time delays built into deployment access
  • Outside testers check security prior to live launch, otherwise it's too late
  • When nodes differ enough, corrupted RPC inputs lose control over agreement
  • Protocol employee security training that accounts for real world, in-person social engineering

As these sophisticated operations continue, the industry may see urgent, widespread security and compliance upgrades. Let us be real: if the industry does not act, North Korea will keep raising its percentage. Without strong moves from businesses, Pyongyang keeps gaining more ground every day.

 
The Uncomfortable Truth
The most dangerous risk to your DeFi holdings isn’t price drops, scams, or broken voting systems. Right now, statistically, the biggest threat is a state actor operating with military discipline, AI assisted tools, and a laundering network that spans multiple continents.

Most thefts this year - nearly 76%. Just two separate incidents. Both tied to a single ruling power.

If that does not reshape how you evaluate protocol security before you ape in, nothing will.

How do you rate this article?

14


Cedrus Nomad
Cedrus Nomad

Cedars-born, chain-bound. 🌲⛓ Web3 native | Crypto wanderer Expect thorough insights as I always aim to add value


Cedrus Alpha
Cedrus Alpha

Navigating the intersection of Modular DeFi, Geopolitics, and Global Markets. High signal analysis on projects paired with non biased macro insights. No noise, just the data you need to stay ahead of the curve.

Publish0x

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.