North Korea-linked hackers have sharply expanded their share of the crypto crime market, with their portion of total cryptoasset hack losses rising from 7 percent in 2020 to 76 percent in 2026, according to figures cited in the screenshots from TRM Labs and reported by Cybernews.
North Korea’s Share of Crypto Losses Surges
The report says North Korea’s share of total cryptoasset industry hack losses has jumped almost 11 times from 2020 to 2026, while cumulative losses since 2017 have exceeded an estimated $6 billion (₹50,100 crore).
The increase has been particularly striking this year. Although only four months of 2026 have passed, North Korean actors are reported to have already “monopolized” the crypto crime market by carrying out two large hacks in April.
FCRF Academy Launches Premier Anti-Money Laundering Certification Program
Cybernews reported that Drift Protocol lost around $285 million (₹2,380 crore) on April 1, while the Kelp DAO bridge exploit on April 18 caused around $292 million in losses.
Two April Hacks Drive 2026 Figures
Although North Korea-linked incidents represented only 3 percent of the incident count this year, the stolen value accounted for 76 percent of all losses, according to blockchain analysis firm TRM Labs. The same analysis said North Korean hackers reached a 64 percent share of such losses in 2025, largely due to the $1.46 billion (₹12,191 crore) Bybit exchange hack.
The chart shown in the report placed North Korea’s share of total crypto hack losses at 31 percent in 2017, 34 percent in 2018, 45 percent in 2019, 7 percent in 2020, 8 percent in 2021, 22 percent in 2022, 37 percent in 2023, 39 percent in 2024, 64 percent in 2025 and 76 percent in 2026 year to date.
TRM analysts attributed the KelpDAO exploit to North Korea based on on-chain analysis of pre-funding activity for the hack and the subsequent laundering of the stolen funds.
Analysts Point to More Precise Targeting
In the Drift case, analysts were still investigating which subgroup of North Korean hackers carried out the theft. The report said the attack appeared to have been conducted by a group distinct from TraderTraitor, which is described as taking a more measured and cautious approach to laundering its heists.
TRM found that the state-sponsored hackers are now targeting more precisely, focusing on high-value targets rather than carrying out more frequent attacks.
Analysts quoted in the report said North Korea’s premier hacking teams run a small number of precisely targeted operations each year rather than a sustained high-volume campaign. They suggested that the actors are now using AI tools for reconnaissance and social engineering workflows.
The analysis said this trend was consistent with the growing precision of attacks such as Drift, which required weeks of targeted manipulation of complex blockchain mechanisms. It also noted that in-person meetings, as reported in the Drift case, may be unprecedented for North Korean actors. April also saw multiple hacks in the decentralized finance industry, attributed in the report to increased use of AI tools.
