USD
DPRK Pushes Back as TRM Labs Flags $577M in 2026 Hack Losses
TL;DR
- North Korea denied allegations it sponsors crypto theft, calling them politically motivated.
- TRM Labs linked DPRK actors to $577 million in losses, or 76% of 2026 hack totals.
- Two April attacks, KelpDAO and Drift Protocol, accounted for most of the losses.
We’ve launched the all-new COIN360 Perp DEX, built for traders who move fast!
Trade 130+ assets with up to 100× leverage, enjoy instant order placement and low-slippage swaps, and earn USDC passive yield while climbing the leaderboard. Your trades deserve more than speed — they deserve mastery.
North Korea has denied allegations that it sponsors cryptocurrency theft after TRM Labs linked DPRK-associated actors to $577 million in stolen crypto during the first four months of 2026, representing 76% of global hack losses recorded in that period.
A spokesperson for North Korea’s Foreign Ministry called the accusations “absurd slander” and described them as a “political tool” used to support a U.S. “hostile policy” toward the DPRK. KCNA reported the statement on Sunday, marking one of the most direct public responses from Pyongyang to crypto-related allegations this year.
The spokesperson accused U.S. “government organs, reptile media organs and plot-breeding organizations” of spreading the claims and said the narrative was politically driven. The spokesperson also questioned the U.S. position, stating it was unreasonable for a country with the “world’s best cyber technical power” to portray itself as the “world’s greatest victim” while blaming North Korea for cyber-related fraud.
North Korea described the accusations as “an extension of the U.S. hostile policy toward the DPRK” and said it would “never tolerate” confrontation attempts. The spokesperson added that the country would take “all necessary measures” to defend its state interests.
TRM Labs Links DPRK Actors to Majority of 2026 Crypto Hack Losses
TRM Labs said North Korea-linked actors were responsible for approximately $577 million in crypto theft between January and April 2026. The firm said this amount accounted for 76% of all cryptocurrency hack losses during that period, showing a sharp increase in DPRK-linked activity compared to earlier years.
The firm said North Korea’s share of global crypto hack losses rose to 64% in 2025, after remaining below 10% in both 2020 and 2021. TRM Labs also said cumulative crypto theft attributed to North Korea has exceeded $6 billion since 2017.
Two major incidents in April drove most of the 2026 losses cited by TRM Labs. The KelpDAO exploit resulted in $292 million in losses, while the Drift Protocol attack caused $285 million in losses. Together, those two incidents accounted for only 3% of total hack incidents by count through April but made up the majority of value attributed to DPRK-linked actors.
TRM Labs attributed the KelpDAO breach to TraderTraitor, described as a Lazarus-affiliated operation. The firm said the Drift Protocol attack involved a separate North Korean subgroup, though attribution for that actor remained under review.
Attack Methods and Fund Movements Detailed
TRM Labs said the Drift Protocol attack involved months of social engineering, including in-person meetings between North Korean proxies and Drift employees. The firm said preparation activity began on March 11 with an on-chain withdrawal from Tornado Cash.
The attacker allegedly exploited a Solana feature known as a durable nonce to pre-sign transactions before executing 31 withdrawals in roughly 12 minutes on April 1.
The KelpDAO exploit was linked to a single-verifier design flaw in a LayerZero bridge. After Arbitrum froze roughly $75 million of the stolen funds tied to the exploit, the attackers allegedly moved remaining assets through THORChain and converted stolen ETH into Bitcoin.
Enforcement Actions and Broader Attribution History
Authorities have linked stolen digital assets to North Korea’s military infrastructure. A recent UN report said such assets serve as a key revenue source for Pyongyang’s nuclear and ballistic missile programs.
The U.S. Treasury’s Office of Foreign Assets Control sanctioned six individuals and two entities on March 13 in connection with DPRK IT worker schemes that allegedly generated nearly $800 million in 2024. The schemes included facilitators who enabled cryptocurrency transactions and converted funds into digital assets.
The FBI said in a February 2025 public service announcement that North Korea’s TraderTraitor was responsible for Bybit’s $1.5 billion hack earlier that month. North Korea’s Lazarus Group has also been attributed to the $615 million Ronin Network hack, while DPRK actors were linked to hundreds of millions of dollars in crypto losses in 2023 involving projects including Stake and Harmony’s Horizon Bridge.
A separate legal development tied to the KelpDAO incident emerged when plaintiffs holding nearly $877 million in unpaid U.S. court judgments against North Korea filed a restraining notice on April 30. The filing sought to block Arbitrum DAO from moving approximately $71 million in frozen ETH linked to the exploit.
FAQ
What did North Korea deny?
North Korea denied sponsoring crypto theft and cyber-related fraud.
Who reported the $577 million theft?
TRM Labs attributed the losses to DPRK-linked actors.
Which incidents drove the 2026 losses?
The KelpDAO exploit and Drift Protocol attack accounted for most losses.
What remains unresolved?
Attribution for the Drift Protocol-linked subgroup remains under review.
This article has been refined and enhanced by ChatGPT.
