Daily Crypto News & Musings

TRM Labs: North Korea-Linked Hackers Behind 76% of Early 2026 Crypto Thefts

30 April 2026

North Korea-linked hackers have turned crypto theft into a full-time revenue engine, with TRM Labs saying they were behind roughly 76% of global crypto hack losses in the first four months of 2026.

  • $577 million stolen in early 2026
  • 76% of global crypto hack losses allegedly tied to North Korea-linked actors
  • KelpDAO and Drift Protocol dominated April losses
  • Sanctions evasion, laundering, and DeFi risk remain the ugly backdrop

TRM Labs, a blockchain intelligence and compliance firm that tracks illicit crypto flows, says North Korea-linked hackers allegedly stole about $577 million in crypto during the first four months of 2026. That represented roughly 76% of all global crypto hack losses over the same period.

That is not a random spike. It is the latest data point in a trend that has been grinding in the same direction for years. According to TRM Labs, North Korea’s share of global crypto theft has climbed from 22% in 2022 to 37% in 2023, 39% in 2024, 64% in 2025, and now 76% so far in 2026. Since 2017, the report says, illicit crypto profits linked to North Korea have exceeded $6 billion.

In other words: this is not a side hustle, and it is definitely not amateur hour. It looks increasingly like a sanctioned state has built a durable crypto crime machine, one that keeps finding weak spots in DeFi, infrastructure, and laundering routes. The ugly part is that it keeps working.

The biggest drivers of the early-2026 losses were two massive April exploits. The KelpDAO exploit reportedly drained about $292 million, while the Drift Protocol theft took roughly $285 million. Together, those two incidents accounted for nearly the entire reported total so far this year.

That concentration matters. A handful of giant exploits can do more damage to market confidence than dozens of smaller thefts. It also shows how much risk is sitting in protocol-level design, especially across DeFi and restaking systems. Restaking, for anyone new to the term, means locking up already-staked crypto again to help secure other systems in exchange for extra rewards. Useful? Sure. A juicy attack surface? Also yes.

TRM Labs said,

“North Korea-linked actors were responsible for roughly 76% of all global cryptocurrency hacking losses in the first four months of 2026.”

The firm also said,

“North Korea’s share of global crypto theft has climbed relentlessly over the past five years.”

That is a very polished way of saying the problem is getting worse, not better. And while a lot of crypto companies love to wrap themselves in innovation talk, the cold truth is that if your security is flimsy, hackers do not care about your roadmap or your tokenomics presentation deck.

The report’s numbers also shine a spotlight on DeFi protocol risk. DeFi, short for decentralized finance, lets users trade, lend, and borrow without traditional intermediaries. It is one of crypto’s most compelling ideas. It is also where smart contract bugs, admin key failures, rushed launches, and brittle integrations can turn into nine-figure disasters.

Cross-chain infrastructure is another weak point. That simply refers to the tools and systems that let assets move between different blockchains. Powerful stuff, but also a mess when built carelessly. The more chains, bridges, and dependencies a protocol has, the more places there are for something to go sideways. Sometimes the “composability” everyone brags about just means there are more pieces for an attacker to kick out of place.

And while not every exploit is caused by sloppy engineering, a lot of losses in crypto are still the result of projects moving too fast and treating security like a box to tick later. Some attacks are highly sophisticated and would test even well-run teams. Others are the result of avoidable mistakes. The lesson is the same either way: if you are holding real value, act like it.

These thefts do not just hurt the affected protocols. They can reduce liquidity, sour sentiment, and push the broader market into de-risking. That can hit everything from Ethereum-based DeFi to Bitcoin trading flows, even when BTC itself is not the direct target. When confidence cracks, people pull back, exchange risk premiums widen, and everyone suddenly remembers that “number go up” is not a security model.

The geopolitical angle is the part that makes this more than just another hack tally. North Korea-linked cyber operations are widely understood as a way to generate revenue and sidestep sanctions. Stolen crypto can be pushed through laundering pipelines, mixers, OTC desks, and other cash-out routes that help hide the trail.

For clarity: OTC desks are private trading venues used to move large sums outside public exchanges. Mixers are tools that obscure transaction histories by blending funds with other users’ coins. Both can serve legitimate privacy needs, but both also get abused by criminals trying to wash stolen assets into something usable. That puts more pressure on centralized exchanges, OTC desks, and privacy tools to spot suspicious flows without turning the entire system into a surveillance dragnet.

That tension is real. Privacy matters. Decentralization matters. A financial system that lets every move be watched, scored, and blocked by gatekeepers is not freedom; it is a compliance cage with better branding. But pretending criminals will not exploit open systems is fantasy. Bad actors use the same rails as everyone else, except they are more organized and far less bothered by morality.

The bigger takeaway is not just that North Korea-linked hackers are active. It is that sanctioned-state cybercrime has become one of the biggest tail risks in crypto. TRM Labs’ data suggests the sector is still way too exposed to sophisticated theft, especially in DeFi and connected infrastructure where one bug or compromise can drain absurd amounts of capital in minutes.

Key questions and takeaways

  • What is TRM Labs saying?
    TRM Labs says North Korea-linked hackers were responsible for about 76% of global crypto hack losses in the first four months of 2026.

  • How much crypto was stolen?
    Roughly $577 million was stolen in that period, according to the report.

  • Which hacks caused most of the damage?
    The KelpDAO exploit, at about $292 million, and the Drift Protocol theft, at about $285 million.

  • Why does this matter for DeFi?
    It shows that DeFi and restaking systems still carry serious structural risks, especially where smart contracts, keys, bridges, and integrations are involved.

  • Why is North Korea involved?
    The report suggests these cyber operations help generate revenue and bypass sanctions by stealing and laundering crypto.

  • Does this affect Bitcoin too?
    Yes, indirectly. Even if Bitcoin is not the main target, large crypto hacks can hurt sentiment, raise compliance pressure, and push the broader market into risk-off mode.

  • What does this mean for exchanges and OTC desks?
    They are likely to face more scrutiny as authorities try to block stolen funds from being cashed out or disguised.

  • What is the bigger lesson here?
    Crypto security is still too reactive. Until protocols harden up and operational discipline becomes standard, attackers with patience, tools, and a state sponsor will keep finding opportunities.

Crypto is still one of the most powerful tools for open finance, but that freedom comes with a brutal downside: if the code, controls, or infrastructure are weak, the losses can be spectacular. The builders who take security seriously will keep the ecosystem moving forward. The ones who don’t are basically rolling out a welcome mat for the next very expensive lesson.