April’s Crypto Carnage: North Korea Hit Twice And Snagged 76% Of 2026 Hack Value
A brand new crypto crime report by TRM Labs paints a stark image of how North Korean hacking teams have been working in 2026 to this point. Through April, they had been accountable for 76% of all losses tied to crypto hacks, however the report emphasizes that this consequence wasn’t pushed by a gradual stream of assaults.
Instead, the large share of stolen worth comes down to only two incidents whose mixed haul—about $577 million—far outweighed all the pieces else that yr.
Two Crypto Hacks, Nearly $600M Stolen
The first breach highlighted by TRM Labs befell on April 1: the Drift Protocol hack. The report places the worth stolen at $285 million. The second incident adopted on April 18, when the KelpDAO bridge exploit reportedly resulted in $292 million in losses.
What’s putting is that these two occasions account for under about 3% of the entire variety of crypto incidents in 2026 throughout that interval.
Yet collectively, they signify 76% of the stolen worth, underlining a sample the report says has outlined North Korea’s strategy throughout most years since 2017—comparatively few assaults, however extraordinarily outsized payouts.
The report additionally charts how North Korea’s share of crypto hack losses has grown over time. It notes that the determine was below 10% in 2020 and 2021, then rose to 22% in 2022, 37% in 2023, 39% in 2024, and 64% in 2025.
The 76% determine by means of April 2026 is described as the best sustained share on document, suggesting that the sample seen lately is not only persevering with, however accelerating.
April Sets New Record Of Incidents
TRM Labs particulars how the Drift Protocol hack was carried out, specializing in the time and preparation that preceded the precise drain. The crypto hack concerned about three weeks of pre-attack staging.
It additionally included months of social engineering meant to compromise protocol signers. Once the attackers had been in place, the complete drain reportedly befell in roughly 12 minutes, exhibiting how planning can flip into fast theft for the time being of execution.
The KelpDAO hack, dated April 18, adopted a really totally different technical path. According to TRM Labs’ crypto crime report, the exploit centered on a flaw in a single-verifier design utilized in a LayerZero bridge.
After the breach, the attackers moved rapidly into laundering: they routed proceeds by means of THORChain after greater than $75 million was frozen on the Arbitrum blockchain (ARB).
The findings align with one other data level from the broader crypto ecosystem. DeFiLlama, which tracks exercise and incidents in decentralized finance (DeFi), flagged April because the most-hacked month in crypto historical past by variety of incidents.
Featured picture created with OpenArt, chart from TradingView.com
