Politeness and patience were more effective than any software.
North Korean hackers have again shown how several targeted attacks can redraw the statistics of crypto crime for a year. According to TRM Labs, from January to April 2026, groups associated with the DPRK accounted for 76% of all losses from hacks in the crypto industry, although we are talking about only two major incidents.
The authors of the report estimate the damage from the attacks on the Drift Protocol and KeplDAO at about $ 577 million. Hacking the Drift Protocol on April 1 brought the attackers $ 285 million, and the attack on the KelpDAO bridge on April 18 - another $ 292 million. Together, two incidents accounted for only a small fraction of the total number of attacks in 2026, but gave North Korea a major share of the stolen funds.
TRM Labs writes that the share of the DPRK in crypto stolen goods has been growing for several years in a row. In 2020 and 2021, the figure was below 10%, in 2022 it grew to 22%, in 2023 to 37%, in 2024 to 39%, and in 2025 it reached 64%. The growth was also affected by the Breakthrough in February 2025, when $1.46 billion was withdrawn from the cold wallet. TRM Labs calls the incident the largest crypto theft in history.
The attack on the Drift Protocol was a long preparation. According to TRM Labs, the attackers began onucha training on March 11, and even earlier for several months, conducted social engineering against the employees of the project. The report says that North Korean mediators even met with representatives of Drift personally.
The attackers then used the Solana durable nonce mechanism, which allows you to sign transactions in advance and send them later. On April 1, pre-prepared operations helped withdraw funds in about 12 minutes. After a quick exchange and transfer of assets to Ethereum, the stolen cryptocurrency has not yet moved.
In the case of KelpDAO, the attackers hit the rsETH LayerZero bridge. They compromised the two internal RPCs of the nodes, forced the external nodes to work with disruptions through the DDoS attack and obtained false confirmation of the inter-network message.
The key weakness of TRM Labs calls the scheme with one operative, which did not require independent confirmation. After the attack, part of the funds worth about $ 75 million froze the Arbitrum Security Council, but about $ 175 million in ETH, the attackers managed to transfer to Bitcoin, mainly through THORChain.
TRM Labs links KelpDAO with the TraderTrator group and points out that part of the means to prepare the attack can be traced back to the Bitcoin wallet of Hua Huihui, a Chinese cryptobroker accused of Lazarus laundering in 2023. The company believes that the total volume of cryptocurrency stolen by groups of the DPRK since 2017, has already exceeded $ 6 billion.
TRM Labs warns exchanges and DeFi projects about the risks associated with THORChain, bridges and multi-subscription Solana wallets. The company advises to check April revenues, especially Bitcoin after exchanges via THORChain and funds that have passed through addresses related to the Drift and KelpDAO crypto images.
North Korean hackers have again shown how several targeted attacks can redraw the statistics of crypto crime for a year. According to TRM Labs, from January to April 2026, groups associated with the DPRK accounted for 76% of all losses from hacks in the crypto industry, although we are talking about only two major incidents.
The authors of the report estimate the damage from the attacks on the Drift Protocol and KeplDAO at about $ 577 million. Hacking the Drift Protocol on April 1 brought the attackers $ 285 million, and the attack on the KelpDAO bridge on April 18 - another $ 292 million. Together, two incidents accounted for only a small fraction of the total number of attacks in 2026, but gave North Korea a major share of the stolen funds.
TRM Labs writes that the share of the DPRK in crypto stolen goods has been growing for several years in a row. In 2020 and 2021, the figure was below 10%, in 2022 it grew to 22%, in 2023 to 37%, in 2024 to 39%, and in 2025 it reached 64%. The growth was also affected by the Breakthrough in February 2025, when $1.46 billion was withdrawn from the cold wallet. TRM Labs calls the incident the largest crypto theft in history.
The attack on the Drift Protocol was a long preparation. According to TRM Labs, the attackers began onucha training on March 11, and even earlier for several months, conducted social engineering against the employees of the project. The report says that North Korean mediators even met with representatives of Drift personally.
The attackers then used the Solana durable nonce mechanism, which allows you to sign transactions in advance and send them later. On April 1, pre-prepared operations helped withdraw funds in about 12 minutes. After a quick exchange and transfer of assets to Ethereum, the stolen cryptocurrency has not yet moved.
In the case of KelpDAO, the attackers hit the rsETH LayerZero bridge. They compromised the two internal RPCs of the nodes, forced the external nodes to work with disruptions through the DDoS attack and obtained false confirmation of the inter-network message.
The key weakness of TRM Labs calls the scheme with one operative, which did not require independent confirmation. After the attack, part of the funds worth about $ 75 million froze the Arbitrum Security Council, but about $ 175 million in ETH, the attackers managed to transfer to Bitcoin, mainly through THORChain.
TRM Labs links KelpDAO with the TraderTrator group and points out that part of the means to prepare the attack can be traced back to the Bitcoin wallet of Hua Huihui, a Chinese cryptobroker accused of Lazarus laundering in 2023. The company believes that the total volume of cryptocurrency stolen by groups of the DPRK since 2017, has already exceeded $ 6 billion.
TRM Labs warns exchanges and DeFi projects about the risks associated with THORChain, bridges and multi-subscription Solana wallets. The company advises to check April revenues, especially Bitcoin after exchanges via THORChain and funds that have passed through addresses related to the Drift and KelpDAO crypto images.
