North Korea Responsible for 76% of 2026 Crypto Hack Losses Through April
30 Apr 2026 · 21:56 UTC · NewsBTC RSS Feed · Original source
Read original at NewsBTC RSS Feed →
Summary
According to a TRM Labs crypto crime report, North Korean hacking groups were responsible for 76% of all cryptocurrency losses from hacks in 2026 through April, the highest sustained share on record. This massive proportion resulted from just two major incidents: the Drift Protocol hack on April 1 yielding $285 million, and the KelpDAO bridge exploit on April 18 yielding $292 million, totaling approximately $577 million combined. Despite representing only about 3% of total crypto incidents during the period, these two attacks accounted for the vast majority of stolen value.
North Korea's share of crypto hack losses has grown significantly over time, rising from under 10% in 2020-2021 to 22% in 2022, 37% in 2023, 39% in 2024, and 64% in 2025, demonstrating an accelerating pattern. The strategy reflects relatively infrequent attacks but with extremely outsized payouts—a pattern sustained across most years since 2017.
The Drift Protocol hack involved three weeks of pre-attack staging followed by months of social engineering to compromise protocol signers, with the actual fund drain executed in approximately 12 minutes. The KelpDAO breach exploited a flaw in a LayerZero bridge's single-verifier design. Attackers subsequently laundered proceeds through THORChain after more than $75 million was frozen on the Arbitrum blockchain.
DeFiLlama data confirms April 2026 as the most-hacked month in crypto history by total incident count, underscoring elevated security vulnerabilities across the ecosystem.
Why it matters
The mechanisms driving impact operate through multiple channels: (1) North Korea's demonstrated sophistication—three weeks of staging plus months of social engineering for Drift, plus bridge design exploitation for KelpDAO—undermines confidence in DeFi assumptions; (2) The accelerating trend (64%→76% YoY) signals both escalating threat capability and expanded market vulnerability; (3) Altcoins face disproportionate pressure due to concentration risk in affected segments, while Bitcoin's macro-driven nature limits immediate correlation. Timing considerations: The specific incidents occurred April 1-18, but the TRM Labs report released April 30 likely triggers re-evaluation of existing risk models even if partial pricing-in occurred earlier. Key assumptions: market participants were not fully aware of cumulative implications before the 76% figure; institutional investors actively reassess DeFi exposure; regulatory scrutiny increases. Bitcoin benefit-to-loss ratio remains low because security concerns don't drive macro risk-off to the degree that Fed policy or systemic banking concerns would. Uncertainties center on (1) degree of pre-market awareness before April 30 report, (2) regulatory response timing and severity, (3) whether broader macro factors override this catalyst, (4) institutional vs. retail response divergence. Confidence decreases substantially beyond weekly horizons as competing catalysts dominate and shock effects normalize.
Expected impact
The revelation that North Korean hacking groups stole $577 million in just two April incidents (Drift Protocol and KelpDAO exploits) triggers significant market repricing of security risk. The report's core finding—that North Korea accounted for 76% of all 2026 crypto hack losses through April, the highest sustained share on record, up from 64% in 2025—escalates systemic risk perception. Risk sentiment deteriorates sharply, with altcoins in DeFi and bridge-based ecosystems experiencing disproportionate selling pressure due to direct exposure to vulnerable protocol architectures. Bitcoin exhibits more muted reactions as the incidents are protocol-specific rather than macro-systemic, allowing some safe-haven bid to offset bearish sentiment. The scale of losses ($285M and $292M from just two sophisticated attacks) undermines confidence in DeFi security models and triggering reassessment of custodial and protocol risk exposure. Volatility concentrates in affected segments—bridges, DeFi protocols with similar architectures—while broader market volatility increases moderately. Over daily-weekly horizons, impact peaks as initial shock reverberates, then gradually fades monthly as market attention shifts to other catalysts. However, security concerns create persistent headwind for smaller and newer protocols, with capital potentially rotating toward better-secured alternatives.