North Korea's Crypto Theft Surge: The 2026 Numbers
DPRK-linked hackers stole the majority of all crypto hack value in early 2026 with just two attacks. Here is what happened and how to protect yourself.

Crypto theft tied to North Korean state actors has become one of the most significant security stories in the industry, and 2026 pushed the numbers to new extremes. According to blockchain analytics firms, North Korea-linked groups accounted for roughly three-quarters of all crypto hack value in the early part of the year, and they did it with only two major attacks. This is not the work of opportunistic scammers; it is an industrial operation that funds a sanctioned state. Here is a factual look at what happened, how these groups work, and the practical steps that reduce your own risk.
Quick answer
DPRK-linked actors accounted for about 76% of all crypto hack value through early 2026, driven by just two heists, Drift Protocol and Kelp DAO, each near $290 million. These groups (collectively called Lazarus) start with people, not code: fake job offers, impersonation, and malicious files that compromise developers and the signing systems controlling large funds. You are unlikely to be a direct target, but the same social engineering powers everyday scams. Protect yourself by never running code from strangers on a machine with wallet keys, using a hardware wallet for real balances, and verifying exactly what you sign.
Key takeaways
- North Korea-linked actors accounted for about 76% of all crypto hack value through early 2026, driven by just two large attacks.
- The two headline 2026 heists, against Drift Protocol and Kelp DAO, each drained close to $290 million.
- The umbrella term "Lazarus Group" covers several DPRK-linked clusters, including one US agencies track as TraderTraitor.
- Their cumulative all-time crypto theft was estimated at around $6.75 billion, with the 2025 Bybit hack alone at roughly $1.5 billion.
- The funds are widely assessed to support North Korea's weapons programs, which is why these are treated as national-security incidents.
What happened in 2026
Two attacks dominated the year's losses. In early April, an exploit of Drift Protocol used pre-signed transactions to execute dozens of withdrawals in roughly twelve minutes, draining assets worth around $285 million. Weeks later, Kelp DAO was exploited for roughly $290 million, with early analysis again pointing to a sophisticated state actor consistent with DPRK activity. Together these two events accounted for the large majority of all crypto hacked in the period, a remarkable concentration of damage in just two incidents.

Smaller incidents rounded out the picture. Earlier in the year, a service reported that purchase records were compromised in an intrusion blamed on the same cluster, and other exchanges reported losses attributed to DPRK-linked actors. The pattern is consistent: high-value targets, careful preparation, and rapid extraction.
Here are the major incidents and figures attributed to DPRK-linked groups:
| Event | Approximate loss | Notes |
|---|---|---|
| Drift Protocol exploit (April 2026) | ~$285 million | Pre-signed transactions drained in roughly 12 minutes |
| Kelp DAO exploit (2026) | ~$290 million | Analysis pointed to a sophisticated state actor |
| Bybit hack (2025) | ~$1.5 billion | Largest single DPRK-linked heist on record |
| Cumulative all-time theft | ~$6.75 billion | Estimated across all DPRK-linked clusters |
| Share of 2026 hack value | ~76% | Concentrated in just two early-year attacks |
How these groups operate
The name "Lazarus Group" is a convenient label, but it covers multiple overlapping clusters with different specialties. Their methods are sophisticated and patient. They favor social engineering, including elaborate fake job offers and impersonation, to get malware onto the devices of developers and employees at crypto firms. They compromise the infrastructure and signing systems that control large pools of funds rather than hunting for a single clever code bug. And once they have access, they move fast and launder the proceeds through a well-developed network of mixers, bridges, and conversion services.
Note
The biggest DPRK-linked heists usually start with a person, not a smart contract. A convincing message, a malicious file, or a compromised credential is often the entry point.
This is why these incidents matter beyond the dollar figures. The proceeds are widely assessed by international bodies to help fund North Korea's ballistic missile and nuclear programs, which puts crypto security squarely in the realm of national security and sanctions enforcement.
The anatomy of a state-grade heist
Understanding the lifecycle of one of these attacks is the best way to see why ordinary defenses fall short. The DPRK-linked playbook tends to run through the same phases:
- Reconnaissance. Operators study a target's employees, often on professional networks, and identify developers or operations staff with access to keys or signing infrastructure.
- Initial access. A tailored lure (a fake recruiter, a "coding challenge," a malicious npm or PyPI package, or a poisoned document) gets code running on a target's machine.
- Privilege escalation. Once inside, they hunt for the systems that actually authorize fund movement: multisig signers, hot-wallet keys, deployment pipelines.
- Extraction. When they control enough signing power, they drain funds fast, sometimes using pre-signed transactions so the withdrawal completes in minutes before anyone reacts.
- Laundering. Proceeds move through mixers, cross-chain bridges, and a rotating set of conversion services to obscure the trail before cash-out.
The speed of the extraction step is what makes these so damaging. By the time monitoring tools flag the anomaly, the funds are already hopping across chains. This is also why bridges are such a recurring weak point, a theme our explainer on why crypto bridge hacks keep happening covers in detail.
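To make the speed problem concrete, here is an added example (not code from the original article or from any of the firms it names) of the kind of velocity check a treasury or protocol team can run over its own withdrawal feed. It keeps a sliding window per vault and fires the first time either the number or the dollar value of withdrawals inside that window crosses a threshold, so the alert lands during a burst rather than after it. The event rows, vault names, window and thresholds are all constructed for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample withdrawal log (not real chain data). Each row is
# (ISO timestamp, vault id, USD value). vault-B is shaped like a minutes-long
# drain; vault-A is ordinary daytime activity; vault-C is two withdrawals that
# are individually unremarkable but together exceed the USD cap.
SAMPLE_EVENTS = [
    ("2026-04-01T10:00:00", "vault-A", 120_000),
    ("2026-04-01T10:45:00", "vault-A", 80_000),
    ("2026-04-01T11:30:00", "vault-A", 95_000),
    ("2026-04-01T12:00:00", "vault-C", 600_000),
    ("2026-04-01T12:08:00", "vault-C", 500_000),
    ("2026-04-01T13:00:00", "vault-B", 60_000),
    ("2026-04-01T13:01:10", "vault-B", 60_000),
    ("2026-04-01T13:02:05", "vault-B", 60_000),
    ("2026-04-01T13:03:30", "vault-B", 60_000),
    ("2026-04-01T13:05:00", "vault-B", 60_000),
    ("2026-04-01T13:06:40", "vault-B", 60_000),
    ("2026-04-01T13:08:15", "vault-B", 60_000),
    ("2026-04-01T13:09:50", "vault-B", 60_000),
]


class Alert(NamedTuple):
    at: str          # timestamp of the event that tipped the window over a threshold
    vault: str
    count: int       # withdrawals inside the window at that moment
    total_usd: int   # USD value inside the window at that moment


def detect_withdrawal_bursts(events, window=timedelta(minutes=15),
                             max_count=5, max_usd=1_000_000):
    """Sliding-window velocity check per vault.

    Fires one Alert per vault the first time the number or total value of
    withdrawals inside `window` exceeds a threshold. The thresholds are
    placeholders; a real deployment tunes them per vault from its own history.
    """
    recent = defaultdict(deque)   # vault -> deque of (datetime, usd) inside the window
    alerted = set()
    alerts = []
    for ts_str, vault, usd in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        q = recent[vault]
        q.append((ts, usd))
        while ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        count, total = len(q), sum(a for _, a in q)
        if vault not in alerted and (count > max_count or total > max_usd):
            alerts.append(Alert(ts_str, vault, count, total))
            alerted.add(vault)
    return alerts


if __name__ == "__main__":
    for a in detect_withdrawal_bursts(SAMPLE_EVENTS):
        print(f"{a.at} {a.vault}: {a.count} withdrawals / ${a.total_usd:,} in 15 min")
```

On the sample data the check fires on vault-B at its sixth withdrawal, about seven minutes into the burst, and on vault-C when the second withdrawal pushes the window past the dollar cap. An alert by itself does not stop a pre-signed drain that completes in twelve minutes; the value comes from wiring it to an automatic pause or withdrawal delay so that detection and response are one step rather than two.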
How to reduce your own risk
You are unlikely to be a direct target of a state actor, but the same techniques trickle down to ordinary scams, and good hygiene protects you from both.
- Treat unsolicited job offers, investment pitches, and "urgent" technical requests as suspicious, especially when they ask you to download or run something.
- Never run code, scripts, or "test files" from a stranger on a machine that holds wallet keys.
- Use a hardware wallet for meaningful balances so that a compromised computer cannot sign transactions without physical confirmation.
- Verify exactly what you are signing, since the most damaging attacks rely on you approving a transaction you did not understand.
- Keep large holdings in cold storage and only keep working amounts in a hot wallet.
For deeper protection, our guide to doing self-custody right covers seed-phrase and multisig backups, and our explainer on wallet drainer scams shows how approval phishing, a close cousin of these techniques, steals funds from everyday users. Keeping the bulk of your holdings offline is the single biggest lever, which our cold wallet versus hot wallet guide lays out.
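"Verify exactly what you are signing" is easier to act on with a concrete check. The following is an added example, not code from the original article or from any wallet product, showing how a pre-signing review can decode the calldata of a token transaction and flag the patterns approval phishing relies on: an unlimited allowance, a spender or recipient you have never approved, or a `setApprovalForAll` that hands over a whole collection. The four function selectors are the standard ERC-20 and ERC-721 values; the calldata, addresses and allowlist are constructed for the demo.

```python
# Function selectors for the standard ERC-20/ERC-721 calls (first 4 bytes of the
# keccak-256 hash of the function signature). These are the well-known values.
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),
    "a9059cbb": ("transfer", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
}
MAX_UINT256 = 2**256 - 1


def decode_calldata(calldata: str):
    """Return (function name, decoded args) for the calls above, or ("unknown", [])."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    selector, body = data[:8], data[8:]
    if selector not in SELECTORS:
        return ("unknown", [])
    name, types = SELECTORS[selector]
    args = []
    for i, t in enumerate(types):
        word = body[i * 64:(i + 1) * 64]      # each ABI-encoded static arg is one 32-byte word
        if len(word) != 64:
            raise ValueError("truncated calldata")
        if t == "address":
            args.append("0x" + word[-40:])     # addresses are right-aligned in the word
        elif t == "uint256":
            args.append(int(word, 16))
        else:                                  # bool
            args.append(int(word, 16) != 0)
    return (name, args)


def review_transaction(calldata: str, allowlist: set[str]):
    """Human-readable warnings for a transaction about to be signed; empty list = nothing flagged.

    `allowlist` is the user's own set of spender/recipient addresses they have chosen to trust.
    """
    name, args = decode_calldata(calldata)
    warnings = []
    if name == "unknown":
        return ["unknown function selector: calldata could not be decoded, do not sign blind"]
    if name == "approve":
        spender, amount = args
        if amount == MAX_UINT256:
            warnings.append(f"approve: unlimited allowance requested for spender {spender}")
        if spender not in allowlist:
            warnings.append(f"approve: spender {spender} is not on your allowlist")
    elif name == "setApprovalForAll":
        operator, approved = args
        if approved:
            warnings.append(f"setApprovalForAll: grants operator {operator} control of every token in this collection")
    else:  # transfer / transferFrom
        recipient = args[0] if name == "transfer" else args[1]
        if recipient not in allowlist:
            warnings.append(f"{name}: recipient {recipient} is not on your allowlist")
    return warnings


# Constructed calldata for the demo (addresses are placeholders, not real contracts).
SPENDER = "0x" + "11" * 20
RECIPIENT = "0x" + "22" * 20
APPROVE_UNLIMITED = "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32
TRANSFER_1000 = "0xa9059cbb" + "00" * 12 + "22" * 20 + f"{1000:064x}"

if __name__ == "__main__":
    for label, data in [("unlimited approve", APPROVE_UNLIMITED), ("transfer", TRANSFER_1000)]:
        print(label, review_transaction(data, allowlist={RECIPIENT}) or ["ok"])
```

The decoder only handles static arguments, which is all these four calls use; anything it does not recognise is reported as undecodable rather than silently passed, because a signing prompt that cannot be explained should not be approved. A hardware wallet enforces the same idea physically: the device shows the decoded call, and nothing leaves the account until you confirm what it says.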
Why ordinary defenses are not enough at the top end
It is worth being clear-eyed about scale. The advice below genuinely protects individuals, but the firms these groups breach already had security teams, hardware signing, and monitoring, and they were still drained. The difference is that DPRK-linked operators invest weeks of human effort per target, build custom malware, and patiently compromise the people who hold signing authority rather than racing to find a code bug. That is why the entry point is so often a convincing message rather than an exploit. For an individual, the realistic threat is not a bespoke campaign aimed at you; it is the same social-engineering playbook, mass-produced into job-offer scams, fake "test these files" requests, and malicious packages. Defending against those is achievable with discipline, and the habits that stop them also happen to be the habits that would have helped the firms that got hit.
What to do tonight
If you hold any meaningful crypto, harden the basics before you close the laptop:
- Move long-term holdings into a hardware wallet so a compromised computer cannot sign without physical confirmation.
- Keep only working amounts in a hot wallet, and treat exchange balances as money in motion, not storage.
- Never run code, scripts, or "test files" from a stranger or a recruiter on a machine that holds wallet keys.
- Read every signing prompt and confirm exactly what a transaction does before approving it.
- Treat unsolicited job offers, investment pitches, and urgent technical requests as suspicious by default.
Frequently asked questions
What is the Lazarus Group?
It is an umbrella name for several North Korea-linked hacking clusters. They specialize in high-value crypto theft and are tracked under various names by security firms and government agencies.
How much did they steal in 2026?
Through early 2026, DPRK-linked actors accounted for roughly 76% of all crypto hack value, driven mainly by two attacks against Drift Protocol and Kelp DAO, each near $290 million.
How do these hackers get in?
They rely heavily on social engineering, such as fake job offers and impersonation, to compromise employees' devices and the signing systems that control large funds, rather than purely on code exploits.
Why does North Korea steal crypto?
International assessments link the stolen funds to North Korea's weapons development programs. That is why these thefts are treated as national-security and sanctions issues, not ordinary cybercrime.
Can an individual user be targeted?
Direct targeting of individuals by a state actor is rare, but the same social-engineering techniques drive widespread scams. Using hardware wallets, cold storage, and careful transaction signing protects against both.
This article is for general information and is not financial, legal, or tax advice.
Sources & further reading
- trmlabs.com/resources/blog/north-korea-stole-76-of-all-crypto-hack-value-in-2026-with-just-two-attacks
- sanctions.io/blog/the-lazarus-group-and-dprk-crypto-theft-in-2026
- coindesk.com/markets/2026/03/18/bitrefill-accuses-north-korea-linked-lazarus-hacker-group-for-compromising-18-500-purchase-records
- hacken.io/discover/lazarus-group/