North Korea-linked hacking groups stole $577 million in the first four months of 2026, capturing 76% of all crypto hack losses in that period through just two operations, according to a TRM Labs report published this month. The figure marks a structural shift that has been building for years: the same metric stood at under 10% in 2020, rose to 64% in 2025, and has now hit its highest sustained share on record.
The two attacks driving that number are nearly identical in size and both bear the hallmarks of Lazarus Group tradecraft. On April 1, the Drift Protocol perpetual exchange on Solana was drained of approximately $285 million after what TRM Labs describes as three weeks of pre-attack staging and months of social engineering targeting protocol signers. The full drain took roughly 12 minutes. On April 18, $292 million in rsETH was pulled from the KelpDAO bridge built on LayerZero's cross-chain messaging protocol.
The KelpDAO incident is now the subject of a detailed post-mortem published May 20, 2026 by LayerZero Labs in partnership with Mandiant and CrowdStrike, with corroborating attribution from zeroShadow. According to that report, the attack began on March 6, when an attacker socially engineered a LayerZero Labs developer to harvest session keys, pivot into LayerZero's cloud environment, and poison internal RPC nodes. The attacker then ran a denial-of-service attack against an external RPC provider to force the LayerZero DVN signing service to rely exclusively on the two compromised internal nodes. Because KelpDAO's bridge was configured with a single-verifier design, one valid attestation was sufficient to unlock the funds. Mandiant, CrowdStrike, and independent researchers all attribute the operation to TraderTraitor, also known as UNC4899 — a DPRK threat actor.
What happened after the drain is as significant as the drain itself. The KelpDAO attacker moved stolen ETH through THORChain to convert it to Bitcoin, a laundering path that mirrors the 2025 Bybit breach. TRM Labs notes THORChain processed the majority of proceeds from both attacks, with no operator halting or rejecting transfers. That pattern came full circle in May 2026, when THORChain suspended all trading after blockchain researcher ZachXBT and security firm PeckShield identified a separate suspected exploit affecting Bitcoin, Ethereum, BNB Smart Chain, and Base networks, with losses estimated to exceed $10 million. The protocol had already been under scrutiny for its role in laundering North Korean proceeds; the new halt — prompted by the researchers' public identification of two suspected theft addresses — added a direct operational disruption on top of the reputational exposure.
Across the full first five months of 2026, total DeFi hack losses have surpassed $840 million per DefiLlama's hacks tracker, a figure that includes incidents beyond the two North Korean operations. The concentration is nonetheless striking: TRM Labs calculates that Drift and KelpDAO together represent 3% of the 2026 incident count and 76% of stolen value.
The attack pattern reveals a consistent structural vulnerability. Both operations relied on bridge infrastructure and administrative key compromise — the same vectors that have defined the largest crypto hacks since 2022. The layered approach in the KelpDAO incident, combining social engineering, cloud infrastructure compromise, and a protocol-level design flaw, reflects what TRM analysts characterize as increasing sophistication in DPRK operations. Experts at CertiK and TRM Labs have noted that AI tooling is lowering the barrier for automated exploit discovery, particularly against unaudited legacy contracts — a concern that weighs on the long tail of DeFi protocols that launched during the 2021 boom and have never undergone formal security review.
LayerZero Labs has since changed its operating stance. The LayerZero DVN will no longer sign as the sole required attestor on any channel, regardless of how an application has configured its bridge. The affected cloud infrastructure was replaced rather than patched. Whether that response is sufficient depends on whether peer protocols treat the post-mortem as an architectural reference or a cautionary tale they can observe from a distance. North Korea's cumulative attributed crypto theft now exceeds $6 billion since 2017. The question for DeFi in 2026 is whether the threat model has finally caught up with that number.
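The two design points the post-mortem turns on are a signing service that kept attesting when its only reachable chain views were the poisoned internal nodes, and a channel where one attestation was enough to unlock funds. The following is an added illustration, written for this article and not code from LayerZero Labs, KelpDAO or TRM Labs, that models both as policies and shows how a fail-closed version behaves under the same conditions. Every name, event string and threshold in it is constructed for the example: `attest_first_reachable` stands in for a verifier that trusts whatever nodes answer, `attest_independent_quorum` for one that refuses to sign without agreement from distinct operators, and `unlock` for the destination-side check with a configurable number of required verifiers.

```python
"""Fail-open vs fail-closed verification for a cross-chain bridge (constructed example).

Models the incident pattern described above: the verifier's external RPC view is
knocked out, leaving only poisoned internal nodes, and a single-verifier channel.
Names, events and policies are illustrative, not any project's real code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RpcSource:
    """One RPC endpoint the signing service can query; `operator` is who runs it."""
    name: str
    operator: str
    events: Dict[str, str]      # tx_hash -> canonical event this node reports
    online: bool = True

    def get_event(self, tx_hash: str) -> Optional[str]:
        if not self.online:
            raise ConnectionError(f"{self.name} unreachable")
        return self.events.get(tx_hash)


def attest_first_reachable(sources: List[RpcSource], tx_hash: str) -> Optional[str]:
    """Weak policy: sign whenever the nodes that happen to answer agree, however many or few."""
    answers = []
    for s in sources:
        try:
            answers.append(s.get_event(tx_hash))
        except ConnectionError:
            continue                      # a dead provider is silently dropped
    if answers and answers[0] is not None and len(set(answers)) == 1:
        return answers[0]
    return None


def attest_independent_quorum(sources: List[RpcSource], tx_hash: str,
                              min_operators: int = 2) -> Optional[str]:
    """Hardened policy: require the same event from at least `min_operators`
    distinct operators; any shortfall or disagreement means no signature (fail closed)."""
    by_operator: Dict[str, set] = {}
    for s in sources:
        try:
            ev = s.get_event(tx_hash)
        except ConnectionError:
            continue
        by_operator.setdefault(s.operator, set()).add(ev)
    # an operator whose own nodes disagree contributes nothing
    consistent = {op: next(iter(evs)) for op, evs in by_operator.items() if len(evs) == 1}
    if len(consistent) < min_operators:
        return None                       # too few independent views
    views = set(consistent.values())
    if len(views) != 1 or None in views:
        return None                       # independent operators disagree
    return views.pop()


def unlock(attestations: Dict[str, Optional[str]], required: int) -> Optional[str]:
    """Destination-side check: release the event only if `required` verifiers
    independently attest to the same thing."""
    agreeing: Dict[str, set] = {}
    for verifier, ev in attestations.items():
        if ev is not None:
            agreeing.setdefault(ev, set()).add(verifier)
    for ev, verifiers in agreeing.items():
        if len(verifiers) >= required:
            return ev
    return None


FORGED = "deposit(1000000 rsETH) -> attacker"   # constructed event that never happened on chain


def scenario(external_online: bool):
    """Two poisoned internal nodes and one honest third-party node; returns
    (weak-policy result, hardened-policy result) for a forged transaction."""
    poisoned = {"0xabc": FORGED}
    honest: Dict[str, str] = {}           # honest node has no such event
    sources = [
        RpcSource("internal-1", "bridge-operator", poisoned),
        RpcSource("internal-2", "bridge-operator", poisoned),
        RpcSource("external-1", "third-party-rpc", honest, online=external_online),
    ]
    return (attest_first_reachable(sources, "0xabc"),
            attest_independent_quorum(sources, "0xabc"))


if __name__ == "__main__":
    print("external up  :", scenario(True))
    print("external DoS :", scenario(False))
    print("1-of-1 channel:", unlock({"dvn-A": FORGED}, required=1))
    print("2-of-3 channel:", unlock({"dvn-A": FORGED, "dvn-B": None, "dvn-C": None}, required=2))
```

With the external provider reachable, both policies reject the forged event because the honest node disagrees. Once that provider is unavailable, the weak policy signs on the strength of the two poisoned nodes alone, while the quorum policy has only one operator's view and refuses. The `unlock` check shows the second half of the problem: with one required verifier, that single bad attestation releases funds, whereas a 2-of-3 channel needs a second independent verifier to corroborate it.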
Sources: TRM Labs (primary): trmlabs.com/resources/blog/north-korea-stole-76-of-all-crypto-hack-value-in-2026-with-just-two-attacks · LayerZero post-mortem (primary): layerzero.network/blog/layerzero-labs-kelpdao-incident-report · Drift Protocol exploit, Decrypt: decrypt.co/363087 · THORChain halt, Decrypt: decrypt.co/367943 · DefiLlama hacks tracker: defillama.com/hacks