The long con: How North Korean spies spent months in-person to drain $285 million from Drift
The security intelligence research firm said North Korean state-backed hackers account for 76% of all crypto scam and hack losses in 2026 and have stolen $6 billion since 2017.
What to know:
- North Korean state-backed hackers, mainly the DPRK and Lazarus groups, are blamed for about 76% of global crypto hack losses in 2026, or nearly $600 million, bringing their total haul since 2017 to more than $6 billion.
- TRM Labs says these hackers are becoming more precise and faster, using tactics that now include months-long, in-person social engineering campaigns like the Drift Protocol exploit and sophisticated key compromises such as the Wasabi Protocol attack.
- The $292 million KelpDAO breach, attributed to Lazarus, not only exploited a known technical flaw but also triggered one of DeFi’s largest-ever wipeouts, erasing about $13 billion from lending platforms and leaving Aave with a major bad-debt crisis that industry players are now trying to backstop.
“North Korean proxies sitting across a table from protocol employees over a period of months. That is, to my knowledge, unprecedented in North Korea’s crypto hacking campaign,” Ari Redbord, Global Head of Policy and Government Affairs at TRM Labs, told CoinDesk. “This is no longer just a remote keyboard operation.”
Ari’s comments accompany TRM Labs’ new report, released Thursday, which highlights how North Korea’s two main hacking groups, DPRK and Lazarus, are responsible for 76% of all crypto losses to hacks and exploits in 2026.
“What we are watching is not a North Korean campaign that is broader — it is one that is sharper,” Redbord said in the report. “North Korea is moving faster and more precisely than ever.”
