North Korea-linked hackers stole $577 million of the $651 million lost to crypto hacks in the first four months of 2026, according to TRM Labs data published in May 2026. That total covered 76% of all hack-related losses in the sector. Two operations drove most of the damage. Both were tied to TraderTraitor, a subgroup of the Lazarus Group.
Drift Protocol lost $285 million on Solana on April 1. Elliptic and TRM Labs both tied the attack to TraderTraitor. The attackers created developer accounts on Solana on March 23, three weeks before the theft.
They also ran wash trading to make the CarbonVote Token look real. Then they waited. On April 1, they drained the vaults in 12 minutes.
Kelp DAO lost $292 million on April 18. The attack used a different path. This time, the compromise came through a LayerZero bridge rather than Solana-side social engineering. Both attacks came in the same month, yet they used different protocols and different entry points.
The pattern went beyond code exploitation. Chainalysis, TRM Labs, and FBI researchers described TraderTraitor as a North Korean operation that works like a company. It recruits developers with fake job offers and places them inside crypto firms as contractors.
Cisco Talos documented related GhostHire campaigns. Those operations use fake roles to get workers inside firms for months. Later, the intruders use that access to reach private keys, change settings, or empty wallets.
Cisco Talos also documented GhostCall campaigns. Those use cloned voices and deepfakes during hiring calls. The goal is to improve infiltration before any theft begins.
The Drift case shows the method clearly. After the theft, attackers moved $232 million from Solana to Ethereum through Circle CCTP in six hours. Circle did not step in. The stolen tokens first became USDC through Jupiter, then moved to Ethereum, then into ETH, and then into fresh wallets.
The Kelp DAO case also followed a structured path. The hackers left about 30,766 ETH on Arbitrum. The Arbitrum Security Council froze those funds using emergency powers. The frozen ETH was worth roughly $75 million.
That move triggered a fast laundering response. Around $175 million in ETH was swapped to Bitcoin, mostly through THORChain. Umbra also helped hide wallet links before some conversions to Bitcoin.
Read More: North Korea-Linked Crypto Theft Hits $2B After 51% Surge in 2026
TRM Labs had not attributed the May 15 THORChain exploit to North Korea at the time of the report. Still, if TraderTraitor later linked to it, DPRK losses in 2026 would rise to $588 million before mid-year. OFAC had already sanctioned dozens of North Korean facilitators in 2026, including a March round.
The report also said Chainalysis estimates that roughly 99% of bridges and cross-chain protocols lack transaction screening. Under MiCA, European regulators have tools to require such screening for licensed CASPs in the EU. The THORChain community was set to vote on remediation on May 22-23.
North Korea-linked TraderTraitor operations drove most crypto hack losses in early 2026, with Drift Protocol and Kelp DAO losing $577 million in two separate attacks. The cases show how advanced, long-planned infiltration and laundering tactics now shape major crypto security threats. Stronger screening and faster response remain urgent.