North Korea’s Enormous Crypto Hacks Redefine Scale and Strategy
<p style="font-weight: 400;">A pair of tightly executed cyberattacks have become the milestones of cryptocurrency theft in 2026 by sheer size. The two incidents, targeting Drift Protocol and KelpDAO, account for roughly three quarters of all recorded crypto losses through April, revealing a shift toward fewer, higher-dollar operations.</p><p style="font-weight: 400;">A report from TRM Labs attributes both attacks to North Korean state-backed actors, continuing a multi-year pattern. Since 2017, these groups have extracted more than $6 billion from the crypto ecosystem, their share of annual losses climbing from marginal in earlier years to dominant today.</p><h3 style="font-weight: 400;"><strong>Hundreds of Millions in Losses</strong></h3><p style="font-weight: 400;">The Drift Protocol breach, which resulted in approximately $285 million in losses, reflects a remarkable level of preparation. Investigators describe a prolonged campaign of direct engagement with personnel, including in-person interactions over several months. This social access, combined with manipulation of transaction authorization mechanisms, allowed the attackers to pre-stage withdrawals and then execute them in rapid succession once the authorization pieces were in place; the asset drain was completed in minutes. A drain of this kind is hard to stop once it starts, which is why one standard mitigation is to queue privileged actions such as signer changes and large withdrawals behind a time delay with out-of-band review, giving defenders a window in which a pre-staged operation can be noticed and cancelled.</p><p style="font-weight: 400;">In contrast, the $292 million exploit targeting KelpDAO relied on a structural weakness in cross-chain verification. By compromising internal infrastructure and manipulating data inputs, the attackers were able to convince the system that assets had been legitimately transferred, enabling unauthorized withdrawals at a vast scale. 
The incident highlights the risk in bridge designs that depend on a single validation source: whoever controls that source, or the data it reads, decides which transfers the bridge treats as genuine.</p><p style="font-weight: 400;">While the technical methods differed, both attacks highlight a strategic emphasis on identifying systemic vulnerabilities, whether in governance or bridge architectures, where a single point of failure can yield disproportionate returns.</p><p style="font-weight: 400;">Post-breach behavior further distinguishes the operations. Funds taken from Drift Protocol were quickly converted and redistributed but have since remained inactive, suggesting a delayed liquidation strategy. This measured approach has become a pattern, with stolen assets often held for extended periods before being gradually monetized.</p><p style="font-weight: 400;">The KelpDAO proceeds took a more immediate path. After an initial disruption that froze a portion of the funds, the remaining assets were rapidly moved across chains and converted into Bitcoin, primarily through decentralized liquidity protocols. This is a more reactive laundering model, one designed to adapt quickly when obstacles arise.</p><h3 style="font-weight: 400;"><strong>Lack of Centralized Oversight</strong></h3><p style="font-weight: 400;">A consistent element across both cases is the use of cross-chain infrastructure that operates without centralized oversight. These platforms have become critical conduits for moving large volumes of illicit funds, particularly when other channels impose restrictions or compliance checks. This becomes a structural challenge for law enforcement, as decentralized systems limit the ability to intervene once transactions are initiated.</p><p style="font-weight: 400;">The concentration of losses in a small number of events also reveals a shift in attack strategy. Rather than increasing activity, threat actors appear to be refining target selection and execution. 
This change may be supported by more advanced reconnaissance techniques that use automated tools to map vulnerabilities and discover the best timing.</p><p style="font-weight: 400;">This year’s high-dollar losses in the crypto sector demonstrate that security models that rely on assumptions of distributed trust or limited exposure are being tested by hackers willing to invest time and resources into breaching them. The Drift and KelpDAO incidents suggest that defenses must account not only for technical exploits but also for coordinated, multi-phase campaigns that blend social engineering with protocol-level manipulation.</p>
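<p style="font-weight: 400;">The single-validation-source weakness described above for the KelpDAO exploit is easiest to see in code. The following is an added illustrative example written for this page; it is not KelpDAO's, Drift's, or any real bridge's code, and the bridge classes, verifier names, HMAC keys and lock events are all constructed for the demonstration (HMAC tags stand in for the signatures a real bridge would verify). It shows a release path that trusts one attestation source beside a hardened one that requires a quorum of independent attestations, rejects replays, and caps what can be auto-released per window.</p>

```python
# Added illustrative example (not KelpDAO's or any real bridge's code).
# A cross-chain bridge releases assets on the destination chain when it is
# told that the same assets were locked on the source chain. If that decision
# rests on one attestation source, compromising that source (or the data it
# reads) lets an attacker "prove" a lock that never happened.
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample keys for three independent attestation sources.
VERIFIER_KEYS = {
    "oracle-a": b"key-a-constructed",
    "oracle-b": b"key-b-constructed",
    "oracle-c": b"key-c-constructed",
}


@dataclass(frozen=True)
class LockEvent:
    src_tx: str      # hash of the lock transaction on the source chain
    recipient: str   # destination-chain address to credit
    amount: int      # smallest units of the bridged asset
    nonce: int       # per-event sequence number, used for replay protection


def canonical(ev: LockEvent) -> bytes:
    # Fixed field order; a real bridge would use a length-prefixed or ABI encoding.
    return f"{ev.src_tx}|{ev.recipient}|{ev.amount}|{ev.nonce}".encode()


def attest(verifier: str, ev: LockEvent) -> str:
    """Attestation a verifier produces after observing ev on the source chain."""
    return hmac.new(VERIFIER_KEYS[verifier], canonical(ev), hashlib.sha256).hexdigest()


def attestation_valid(verifier: str, ev: LockEvent, tag: str) -> bool:
    return verifier in VERIFIER_KEYS and hmac.compare_digest(tag, attest(verifier, ev))


class SingleSourceBridge:
    """Weak design: one verifier's word is enough to release funds."""

    def __init__(self, trusted_verifier: str):
        self.trusted = trusted_verifier
        self.credited = {}  # recipient -> amount released

    def release(self, ev: LockEvent, attestations: dict) -> bool:
        tag = attestations.get(self.trusted)
        if tag is None or not attestation_valid(self.trusted, ev, tag):
            return False
        self.credited[ev.recipient] = self.credited.get(ev.recipient, 0) + ev.amount
        return True


class QuorumBridge:
    """Hardened design: distinct independent attestations above a threshold,
    replay protection, and a per-window cap so a partial compromise cannot
    drain the pool before anyone looks."""

    def __init__(self, verifiers, threshold: int, window_cap: int):
        self.verifiers = set(verifiers)
        self.threshold = threshold
        self.window_cap = window_cap
        self.released_this_window = 0
        self.seen = set()  # (src_tx, nonce) pairs already released
        self.credited = {}

    def release(self, ev: LockEvent, attestations: dict) -> tuple:
        key = (ev.src_tx, ev.nonce)
        if key in self.seen:
            return False, "replay"
        # Count only distinct, known verifiers whose attestation checks out.
        valid = {v for v, tag in attestations.items()
                 if v in self.verifiers and attestation_valid(v, ev, tag)}
        if len(valid) < self.threshold:
            return False, f"quorum {len(valid)}/{self.threshold}"
        if self.released_this_window + ev.amount > self.window_cap:
            return False, "window cap"  # route to manual review, not auto-release
        self.seen.add(key)
        self.released_this_window += ev.amount
        self.credited[ev.recipient] = self.credited.get(ev.recipient, 0) + ev.amount
        return True, "ok"


def all_attestations(ev: LockEvent) -> dict:
    return {v: attest(v, ev) for v in VERIFIER_KEYS}


def compromised_only(ev: LockEvent) -> dict:
    # Attacker controls oracle-a's key (or the data it reads) and nothing else.
    return {"oracle-a": attest("oracle-a", ev)}


def demo() -> tuple:
    """Constructed scenario: a forged lock, an honest lock, a replay, an oversize lock."""
    honest = LockEvent("0xaaa", "0xalice", 1_000, 1)
    forged = LockEvent("0xdead", "0xattacker", 5_000_000, 2)  # never locked on source chain
    big = LockEvent("0xbbb", "0xbob", 2_000_000, 3)

    weak = SingleSourceBridge("oracle-a")
    strong = QuorumBridge(VERIFIER_KEYS, threshold=2, window_cap=1_000_000)

    return (
        weak.release(forged, compromised_only(forged)),     # True: weak bridge drained
        strong.release(forged, compromised_only(forged)),   # (False, 'quorum 1/2')
        strong.release(honest, all_attestations(honest)),   # (True, 'ok')
        strong.release(honest, all_attestations(honest)),   # (False, 'replay')
        strong.release(big, all_attestations(big)),         # (False, 'window cap')
    )


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

<p style="font-weight: 400;">The point of the quorum check is that the verifiers must be genuinely independent: separate operators, separate keys, and separate views of the source chain. If all of them read the same compromised data feed, the threshold is satisfied by the same false input and offers no protection, which is why the window cap and manual-review fallback belong alongside it rather than instead of it.</p>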