
North Korea Crypto Hack 2026: $577 Million Stolen in Drift Protocol and KelpDAO Attacks

2026/05/09 03:51:27

Introduction

North Korean hackers stole approximately USD 577 million from just two attacks in the first four months of 2026 — a figure that represents 76% of all cryptocurrency hack losses worldwide during that period. The Drift Protocol breach on April 1 and the KelpDAO bridge exploit on April 18 demonstrate that North Korea's elite hacking teams are not launching more attacks, but are instead executing fewer, far more precise operations against high-value targets. According to TRM Labs, these two incidents alone account for only 3% of total hack incidents in 2026 year-to-date, yet they dwarf every other breach combined.
 

How Did North Korea Steal $577 Million in Just Two Attacks?

North Korea's hacking groups achieved this staggering haul through surgical precision rather than volume. Two distinct North Korean threat actor groups — one linked to the TraderTraitor operation and another assessed as a separate subgroup — executed the Drift and KelpDAO attacks within eighteen days of each other. The combined $577 million theft brings North Korea's cumulative attributed crypto theft to over $6 billion since 2017, based on data from TRM Labs.
 
The concentration of value is unprecedented. In 2025, North Korea accounted for 64% of all crypto hack losses, driven largely by the record-breaking $1.46 billion Bybit breach. The 2026 figure of 76% through April marks the highest sustained share on record. What distinguishes the 2026 pattern is not frequency — the attack cadence remains low — but the sophistication of reconnaissance and the size of individual targets selected.
 
Year             | North Korea's Share of Total Crypto Hack Losses
-----------------|------------------------------------------------
2020             | 7%
2021             | 8%
2022             | 22%
2023             | 37%
2024             | 39%
2025             | 64%
2026 YTD (April) | 76%
 
The table above illustrates a clear acceleration. North Korea's share has grown nearly eleven-fold from its 2020-2021 baseline. TRM analysts note that this trend reflects a strategic shift toward infrastructure targets — bridge validators, multisig governance contracts, and cross-chain protocols — where a single vulnerability can produce nine-figure losses.
 
 

What Made the Drift Protocol Hack Possible?

The $285 million Drift Protocol hack on April 1 exploited a Solana-native feature called a durable nonce, combined with months of social engineering that may have included unprecedented in-person meetings between North Korean proxies and Drift employees. The attack required three weeks of on-chain staging and months of preparation, yet the actual fund drain took only approximately 12 minutes once initiated.
 

The Durable Nonce Exploit

A durable nonce is a Solana mechanism designed to extend transaction validity from roughly 90 seconds to an indefinite period. This feature exists for offline hardware signing scenarios where a transaction must be pre-signed and broadcast later. The attacker exploited this by inducing Drift's Security Council multisig signers to pre-authorize transactions that appeared routine at the time of signing.
 
Between March 23 and March 30, the attacker created durable nonce accounts and prepared the groundwork for execution. On March 27, Drift migrated its Security Council to a new 2-of-5 threshold configuration with zero timelock — a change that eliminated a critical safeguard. When the pre-signed transactions were broadcast on April 1, the conditions for a complete drain were already in place. The signers had approved transactions weeks earlier without knowing the context in which they would be used.
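To make the durable-nonce point concrete, here is an added simulation (not Drift's or Solana's code) of how a pre-signed transaction behaves under a normal blockhash versus a durable nonce, and what a non-zero council timelock or a nonce rotation would have changed. Slot counts, signer names and the 2-of-5 threshold are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Constructed model: Solana-style transaction validity plus a council multisig.
# Slot numbers, thresholds and signer names are illustrative, not Drift's real values.
BLOCKHASH_VALIDITY_SLOTS = 150   # a recent blockhash stays valid ~150 slots (~90 s)
SLOTS_PER_DAY = 216_000          # ~400 ms per slot, rounded

@dataclass
class NonceAccount:
    value: str                   # a durable-nonce tx stays valid until this value changes

    def advance(self) -> None:   # any advance invalidates every tx signed against the old value
        self.value += "'"

@dataclass
class SignedTx:
    approvals: Set[str]                # council members who signed
    signed_at_slot: int
    nonce_value: Optional[str] = None  # set -> durable-nonce tx; None -> ordinary blockhash tx

def tx_is_live(tx: SignedTx, now_slot: int, nonce: NonceAccount) -> bool:
    if tx.nonce_value is not None:
        return tx.nonce_value == nonce.value      # durable: only the nonce matters, not elapsed time
    return now_slot - tx.signed_at_slot <= BLOCKHASH_VALIDITY_SLOTS

def try_execute(tx: SignedTx, now_slot: int, nonce: NonceAccount,
                threshold: int, timelock_slots: int) -> str:
    """Outcome of broadcasting a pre-signed tx against a council with this threshold/timelock."""
    if not tx_is_live(tx, now_slot, nonce):
        return "rejected: expired"
    if len(tx.approvals) < threshold:
        return "rejected: below threshold"
    if timelock_slots == 0:
        return "executed"                         # nothing stands between approval and drain
    return f"queued until slot {now_slot + timelock_slots}"  # review/cancel window

def scenarios() -> dict:
    nonce = NonceAccount("N0")
    durable = SignedTx({"signer1", "signer2"}, signed_at_slot=0, nonce_value=nonce.value)
    ordinary = SignedTx({"signer1", "signer2"}, signed_at_slot=0)
    broadcast = 9 * SLOTS_PER_DAY                 # broadcast about nine days after signing
    out = {
        "durable_2of5_no_timelock": try_execute(durable, broadcast, nonce, 2, 0),
        "ordinary_tx_same_delay": try_execute(ordinary, broadcast, nonce, 2, 0),
        "durable_2of5_one_day_timelock": try_execute(durable, broadcast, nonce, 2, SLOTS_PER_DAY),
    }
    nonce.advance()                               # mitigation: rotate the nonce to kill stale pre-signed txs
    out["durable_after_nonce_advance"] = try_execute(durable, broadcast, nonce, 2, 0)
    return out
```

The ordinary transaction is dead long before broadcast, while the durable-nonce one executes on the spot under a zero timelock; a timelock turns the same broadcast into a queued item that can be reviewed, and advancing the nonce retires every stale pre-signed transaction at once.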
 

The Social Engineering Campaign

The Drift attack involved what TRM Labs describes as months of targeted social engineering, potentially including in-person meetings between North Korean operatives or their proxies and Drift team members. If confirmed, these face-to-face interactions would represent a new escalation in North Korea's crypto hacking methodology. The attackers also manufactured a fictitious asset called CarbonVote Token (CVT), seeded it with liquidity, and inflated its value through wash trading. Drift's oracles treated this fabricated collateral as legitimate, enabling the attacker to extract real assets including USDC and JLP tokens.
 
 

How Did the KelpDAO Bridge Exploit Work?

The $292 million KelpDAO breach on April 18 exploited a single-verifier design flaw in its rsETH LayerZero bridge on Ethereum. The attackers compromised two internal RPC nodes, launched a distributed denial-of-service attack against external nodes, and forced the bridge's verifier to fail over to the poisoned internal infrastructure. Those compromised nodes falsely reported that rsETH had been burned on the source chain when no such burn had occurred.
 

The Single Verifier Vulnerability

LayerZero's security model supports configuring multiple independent verifiers — known as Decentralized Verifier Networks — for cross-chain message validation. KelpDAO's rsETH deployment used only one verifier: the LayerZero Labs DVN. With no second verifier required to confirm the message, a single poisoned data source was sufficient to approve a fraudulent transaction at massive scale. The attacker drained approximately 116,500 rsETH worth roughly $292 million from the Ethereum bridge contract.
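The following added model (not LayerZero's or KelpDAO's code) shows why the verifier count and threshold matter: a single DVN that fails over to a poisoned data source approves a burn that never happened, while a second independent required DVN rejects it. Node names, the burn amounts and the "required/optional threshold" rule are simplified assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Sequence, Set, Tuple

# Constructed model of a LayerZero-style verifier configuration. Node names, events and
# amounts are illustrative; only the shape of the failure is taken from the incident.
Event = Tuple[str, str, int]                           # (kind, asset, amount)
REAL_BURNS: Set[Event] = {("burn", "rsETH", 1_000)}    # constructed: the only burn that really occurred

@dataclass
class RpcNode:
    name: str
    reported_events: Set[Event]        # what this node claims happened on the source chain
    up: bool = True

@dataclass
class DVN:
    name: str
    nodes: List[RpcNode]               # queried in order; later entries are failovers

    def attests(self, event: Event) -> bool:
        for node in self.nodes:        # first reachable node wins, poisoned or not
            if node.up:
                return event in node.reported_events
        return False                   # no data source reachable: refuse to attest

def verify(event: Event, required: Sequence[DVN], optional: Sequence[DVN] = (),
           optional_threshold: int = 0) -> bool:
    """Simplified rule: every required DVN and at least optional_threshold optional DVNs must attest."""
    if not all(d.attests(event) for d in required):
        return False
    return sum(d.attests(event) for d in optional) >= optional_threshold

def scenarios() -> dict:
    fake_burn: Event = ("burn", "rsETH", 116_500)
    honest = RpcNode("public-rpc", REAL_BURNS)
    poisoned = RpcNode("internal-rpc", REAL_BURNS | {fake_burn})  # compromised: reports a burn that never happened
    primary_dvn = DVN("primary-dvn", [honest, poisoned])          # external node first, internal as failover
    independent_dvn = DVN("second-dvn", [RpcNode("other-rpc", REAL_BURNS)])  # its own, unaffected infrastructure

    before = verify(fake_burn, required=[primary_dvn])            # external node reachable: fake burn rejected
    honest.up = False                                             # DDoS takes the external node offline...
    single = verify(fake_burn, required=[primary_dvn])            # ...failover to the poisoned node approves it
    two_required = verify(fake_burn, required=[primary_dvn, independent_dvn])
    weak_optional = verify(fake_burn, required=[], optional=[primary_dvn, independent_dvn], optional_threshold=1)
    return {"before_ddos": before, "single_dvn": single,
            "two_required_dvns": two_required, "optional_1_of_2": weak_optional}
```

Note that a 1-of-2 optional threshold is no stronger than the single verifier: the poisoned attestation alone satisfies it, so defenders need independent required verifiers or a threshold above one.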
 

The $75 Million Freeze on Arbitrum

After the theft, the TraderTraitor hackers left approximately 30,766 ETH on Arbitrum — an L2 with higher centralization than Ethereum mainnet. The Arbitrum Security Council exercised emergency powers to freeze these funds, worth roughly $75 million. This freeze triggered a rapid laundering scramble for the remaining unfrozen portion. TRM Labs has attributed the KelpDAO exploit to North Korea based on on-chain analysis of both the pre-funding for the hack and the subsequent laundering patterns.
 
Notably, a portion of the initial funding for the exploit was traceable to a Bitcoin wallet controlled by Wu Huihui, a Chinese crypto broker indicted in 2023 for laundering Lazarus Group thefts. Other funds were traced directly to the BTCTurk hack, another recent TraderTraitor theft. This funding trail confirms the direct North Korean attribution.
 
 

How Are the Stolen Funds Being Laundered?

Drift and KelpDAO demonstrate two distinct laundering strategies shaped by different operational conditions and threat actor groups. The approaches reveal how North Korean hackers adapt their cashout playbooks based on whether their stolen assets remain on centralized or decentralized infrastructure.
 

Drift's Dormant Ethereum Stash

The tokens stolen from Drift were converted to USDC via Jupiter, bridged to Ethereum, and swapped into ETH — distributed across fresh wallets before going completely dormant. The stolen ETH has not moved since the day of the theft. The responsible group — assessed as distinct from TraderTraitor — follows a documented North Korean pattern of holding proceeds for months or years before executing a structured, multi-phase cashout. TRM anticipates a months-long or years-long liquidation of the Drift proceeds, suggesting this subgroup takes a more measured and cautious approach to laundering.
 

KelpDAO's THORChain Pivot

The KelpDAO laundering process unfolded according to the well-worn TraderTraitor playbook. After the Arbitrum freeze, approximately $175 million in unfrozen ETH was swapped to Bitcoin, mostly through THORChain — a cross-chain liquidity protocol with no KYC requirement. Umbra, an Ethereum privacy tool, was also used to obscure some wallet linkages before the conversion to Bitcoin. The ongoing laundering phase is handled almost entirely by Chinese intermediaries, not the North Korean operators themselves.
 
THORChain has become the consistent bridge of choice across North Korea's largest heists. In 2025, the vast majority of stolen Bybit funds were converted from ETH to BTC via THORChain between February 24 and March 2 — an unprecedented surge in cross-chain volume that the protocol processed without intervention. For North Korea, THORChain functions as a reliable, high-capacity exit ramp where assets enter as ETH and emerge as BTC with no operator willing to freeze or reject transfers.
 
 

Why Is North Korea's Share of Crypto Theft Accelerating?

North Korea's share of total crypto hack losses has accelerated from under 10% in 2020 and 2021 to 76% in 2026 through April. This trajectory reflects a strategic evolution in targeting, not an increase in attack frequency. North Korean hackers are incorporating increasingly sophisticated reconnaissance methods and may be leveraging AI tools to enhance their social engineering workflows.
 

Precision Targeting Over Volume

North Korea's premier hacking teams run a small number of precisely targeted operations each year rather than a sustained high-volume campaign. Two attacks in 2026 accounted for 76% of all hack value. The group is targeting more precisely, focusing on environments where a single vulnerability produces outsized outcomes — bridge validator networks, multisig governance contracts, and cross-chain protocols with weak verification mechanisms.
 

The Potential Role of AI in Reconnaissance

TRM analysts have begun to speculate that North Korean operators are incorporating AI tools into their reconnaissance and social engineering workflows. The Drift attack required weeks of targeted manipulation of complex blockchain mechanisms rather than the traditional emphasis on simple private key compromises. The precision of the social engineering — including the creation of a fictitious token with manufactured oracle legitimacy — suggests a level of technical preparation that may be augmented by automated intelligence gathering and synthetic identity creation.
 

What Should Crypto Exchanges and Users Watch For?

The 2026 attack pattern creates four immediate monitoring priorities for compliance teams, exchange operators, and individual users who want to avoid inadvertently interacting with stolen funds.
 

THORChain Flows from North Korean Addresses

Exchanges receiving BTC inflows from THORChain pools should screen against known KelpDAO and Lazarus Group address clusters. THORChain processed the vast majority of proceeds from both the Bybit breach in 2025 and the KelpDAO hack in 2026. Attribution for specific KelpDAO addresses is ongoing — retroactive re-screening in 30 days will capture addresses labeled after the initial response.
 

Solana Multisig and Governance Contract Exposure

The Drift attack targeted governance infrastructure, not application logic. Protocols using Solana Security Council multisig with durable nonce authorization should treat this as a template attack that will be replicated. Exchanges with Solana DeFi deposit exposure should flag inflows from bridge contracts used in the Drift dispersal, including specific Jupiter and Wormhole routes identified by blockchain investigators.
 

Multi-Hop Bridge Deposit Screening

Both KelpDAO and Bybit involved bridge or cross-chain infrastructure as either the attack surface or laundering route. Bridge-to-exchange flows are a priority monitoring channel for North Korean proceeds. First-hop address screening alone will not catch funds that passed through intermediary wallets before reaching an exchange. Multi-hop analysis across the full transaction chain is required to identify tainted deposits.
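As an added illustration of the multi-hop point above, and of the retroactive re-screening mentioned under the THORChain heading, the following example (not TRM's or any exchange's code) runs a hop-bounded taint search over a constructed transfer log. Address labels, amounts and the hop limits are constructed for the example.

```python
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Tuple

# Constructed transfer log: (sender, recipient, amount). Addresses are labels, not real ones.
TRANSFERS: List[Tuple[str, str, float]] = [
    ("exploit_contract", "hop1_a", 50.0),
    ("hop1_a", "hop2_b", 49.5),
    ("hop2_b", "hop3_c", 49.0),
    ("hop3_c", "exchange_deposit_1", 48.9),                 # three hops removed from the exploit
    ("hop1_a", "exchange_deposit_3", 0.4),                  # one hop removed
    ("clean_user", "exchange_deposit_2", 5.0),              # unrelated activity
    ("late_labelled_cluster", "exchange_deposit_4", 12.0),  # source attributed only after the initial response
]

def build_graph(transfers):
    graph = defaultdict(set)
    for src, dst, _ in transfers:
        graph[src].add(dst)
    return graph

def taint_distances(seeds: Iterable[str], graph, max_hops: int) -> Dict[str, int]:
    """BFS forward from seed addresses; returns each reached address with its hop distance."""
    dist = {s: 0 for s in seeds}
    queue = deque(dist)
    while queue:
        addr = queue.popleft()
        if dist[addr] >= max_hops:
            continue                      # do not expand past the configured hop limit
        for nxt in graph.get(addr, ()):
            if nxt not in dist:
                dist[nxt] = dist[addr] + 1
                queue.append(nxt)
    return dist

def screen_deposits(transfers, seeds, max_hops: int) -> Dict[str, int]:
    """Flag each exchange deposit whose sender lies within max_hops of a seed; value is the hop distance."""
    tainted = taint_distances(seeds, build_graph(transfers), max_hops)
    return {dst: tainted[src] for src, dst, _ in transfers
            if dst.startswith("exchange_deposit_") and src in tainted}

def compare() -> dict:
    seeds = {"exploit_contract"}
    first_hop = screen_deposits(TRANSFERS, seeds, max_hops=1)   # catches only the direct hop
    multi_hop = screen_deposits(TRANSFERS, seeds, max_hops=4)   # follows funds through intermediaries
    # Retroactive re-screen once investigators add a newly labelled cluster to the seed set.
    rescreened = screen_deposits(TRANSFERS, seeds | {"late_labelled_cluster"}, max_hops=4)
    return {"first_hop": first_hop, "multi_hop": multi_hop, "rescreened": rescreened}
```

First-hop screening sees only the deposit funded straight from the exploit's first wallet; the multi-hop pass also flags the deposit three wallets downstream, and re-running with the enlarged seed set picks up the deposit whose source was labelled late.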
 

Real-Time Alert Networks

TRM's Beacon Network — whose 30+ members include both major exchanges and DeFi protocols — enables immediate cross-platform alerts when North Korea-linked funds reach participating institutions, before withdrawals clear. Individual screening catches known addresses, but real-time networks close the gap between attribution and action, converting a screening lag measured in days into an alert measured in minutes.
 

How to Protect Your Crypto Assets on KuCoin

The $577 million stolen in just two April 2026 attacks underscores why choosing a security-focused exchange matters more than ever. KuCoin implements multi-layer security architecture including micro-withdrawal wallets, dynamic multi-factor authentication, and industry-standard encryption to protect user assets against both external breaches and internal vulnerabilities. For traders holding assets across multiple chains, KuCoin's comprehensive token coverage and real-time risk monitoring systems provide an additional safeguard against interacting with tainted funds from major breaches like Drift and KelpDAO.
 
Users can further protect themselves by enabling all available security features — including withdrawal whitelist addresses, anti-phishing codes, and trading passwords — while maintaining awareness of bridge protocol risks. The North Korean hacking playbook increasingly targets cross-chain infrastructure rather than exchange hot wallets directly, making it essential to understand which protocols you interact with and whether they use single-verifier bridge designs or weak multisig configurations. Registering on KuCoin gives you access to a platform that actively monitors for stolen fund flows and maintains strict compliance standards to keep tainted assets off its books.
 

Conclusion

North Korea's $577 million haul from just two attacks in early 2026 represents a new peak in crypto theft concentration. The Drift Protocol and KelpDAO breaches demonstrate that North Korean hackers have evolved from simple private key compromises to sophisticated infrastructure attacks involving social engineering, bridge verifier manipulation, and months of pre-attack staging. Their share of total hack losses has risen from 7% in 2020 to 76% in 2026, driven not by more attacks but by deadlier ones.
 
The laundering divergence between the two heists — Drift's dormant Ethereum stash versus KelpDAO's active THORChain conversion — reveals adaptable operational playbooks tailored to each group's risk tolerance and cashout timeline. For the broader crypto ecosystem, the lesson is clear: bridge infrastructure, multisig governance, and cross-chain protocols are now the primary attack surface. Exchanges and users must implement multi-hop screening, real-time alert networks, and rigorous bridge protocol due diligence. As North Korea's cumulative crypto theft exceeds $6 billion, the industry can no longer treat these breaches as isolated incidents — they are a sustained, state-sponsored campaign against decentralized infrastructure itself.
 

FAQs

What is a durable nonce and how was it used in the Drift hack?
A durable nonce is a Solana feature that extends transaction validity from approximately 90 seconds to an indefinite period, designed for offline hardware signing. The Drift attacker induced Security Council signers to pre-authorize transactions using this mechanism weeks before the actual drain. After Drift migrated its multisig to a 2-of-5 configuration with zero timelock on March 27, the attacker broadcast the pre-signed transactions on April 1 and drained $285 million in roughly 12 minutes.
 
Why did the Arbitrum Security Council freeze $75 million of the KelpDAO stolen funds?
The TraderTraitor hackers left approximately 30,766 ETH on Arbitrum after the KelpDAO bridge exploit. Because Arbitrum operates with higher centralization than Ethereum mainnet, the Arbitrum Security Council exercised emergency powers to freeze these funds. This action prevented the hackers from moving that portion of the $292 million haul, though the remaining unfrozen funds were rapidly laundered through THORChain.
 
How does THORChain enable North Korean laundering?
THORChain is a decentralized cross-chain liquidity protocol that enables native asset swaps — such as ETH to BTC — without a custodian or KYC requirement. Unlike most cross-chain platforms, THORChain has refused to freeze or reject transactions from known illicit actors. North Korean hackers and their Chinese facilitators have repeatedly used THORChain to convert hundreds of millions in stolen ETH to Bitcoin, making it their consistent exit ramp of choice.
 
Are the Drift and KelpDAO attacks linked to the same North Korean group?
No. TRM Labs assesses the Drift attack as the work of a North Korean subgroup distinct from TraderTraitor, the group responsible for KelpDAO. The Drift group demonstrates a more patient laundering style, holding stolen ETH dormant for months or years. The KelpDAO attack follows the established TraderTraitor playbook with rapid laundering through Chinese intermediaries. Both are attributed to North Korean state-sponsored operations but represent different operational units.
 
What can individual users do to avoid interacting with stolen North Korean funds?
Users should avoid receiving deposits from THORChain outputs unless they can verify the source chain, enable all exchange security features including withdrawal whitelists, and research bridge protocols before using them — specifically checking whether they rely on single-verifier designs like KelpDAO's LayerZero deployment. Exchanges participating in real-time alert networks such as TRM's Beacon Network provide an additional layer of protection by flagging North Korea-linked addresses before withdrawals clear.