North Korea accounts for 76% of crypto hacks
- TRM Labs said on April 30 that North Korea-linked hackers drove 76% of crypto hack losses in 2026 through April, led by Drift and KelpDAO.
- Those two April attacks drained $577 million combined—$285 million from Drift on April 1 and $292 million from KelpDAO on April 18.
- The bigger shift is concentration—few attacks, huge damage, and more pressure on DeFi teams, sanctions monitors, and blockchain investigators.

Crypto hacking is starting to look less like random cybercrime and more like a concentrated geopolitical threat. That is the real news here. TRM Labs said on April 30 that North Korea-linked groups accounted for 76% of all crypto hack losses in 2026 through April, and they got there with just two outsized attacks rather than a constant spray of smaller ones. That matters because it changes the problem from “how do we stop lots of thieves?” to “how do we defend against a handful of very capable state-backed teams?” (trmlabs.com)

### Why is 76% such a big deal?

Because the share is wildly disproportionate to the number of incidents. TRM’s point is that North Korea-linked actors were tied to only about 3% of recorded hack incidents this year through April, but those incidents captured 76% of the stolen value. Basically, the story is not volume. It is concentration. A very small number of operations did most of the financial damage. (trmlabs.com)

### Which hacks drove the number?

Two April exploits did almost all the work. The first was the April 1 breach of Drift Protocol, a Solana-based perpetuals exchange, which TRM and follow-up reporting pegged at about $285 million. The second was the April 18 exploit involving KelpDAO’s bridge, worth about $292 million. Together they totaled roughly $577 million. (trmlabs.com)

### Why do just two attacks matter so much?

Because they show how modern crypto theft works at the top end. You do not need dozens of smash-and-grab exploits if you can spend months inside a target, learn the weak point, and hit one bridge or one verification flow at exactly the right moment. It is the difference between pickpocketing and robbing the vault. The count stays low, but the losses explode. (trmlabs.com)

### What is North Korea actually doing with crypto hacks?

The broad idea is not new. North Korean cyber units have been tied to crypto theft for years because digital assets can be moved across borders, laundered through mixers or chains, and converted in ways that help the regime dodge sanctions pressure(trmlabs.com)tral this has become. (trmlabs.com)

### Why is DeFi so exposed?

DeFi systems are open, composable, and often move fast. That is great for innovation, but it also means a bug in a bridge, signer setup, or validation flow can turn into a nine-figure loss very quickly. April 2026 appears to have been the most expensive month for crypto hacks so far this year, which is exactly what you would expect when a few high-value systems fail in sequence. (trmlabs.com)

### Is this about more hacks or better hackers?

Better, or at least more effective, hackers. TRM’s own framing is that North Korea did not dominate because it launched a huge wave of attacks. It dominated because two attacks dwarfed everything else. That is a scarier signal. It suggests the ceiling on losses is rising even if the raw incident count does not. (trmlabs.com)

### What changes now?

Expect more spending on wallet monitoring, bridge security, internal access controls, and sanctions screening. Expect more attention on social engineering too, because at least one of these cases appears to have involved a long intelligence operation rather than a simple code bug. The catch is that crypto teams often optimize for speed and growth first, but this kind of threat punishes exactly that habit. (finance.yahoo.com)

### Bottom line?

The headline number sounds like a stat about hacking. It is really a stat about concentration. Two North Korea-linked attacks were enough to define crypto security in early 2026 — and that means the industry’s biggest risk is not background noise, but a few highly capable adversaries who only need one opening. (trmlabs.com)