All told, TRM Labs estimates that North Korean-linked hackers have swiped over $6 billion from crypto protocols and projects since 2017, including some of the industry’s worst-ever heists.
The figures reflect an accelerating concentration of cryptocurrency theft by state-linked North Korean operatives. Pyongyang's share of total crypto hack losses has grown from under 10% in 2020 and 2021 to 22% in 2022, 37% in 2023, 39% in 2024, and 64% in 2025. The 2026 figure of 76% through April is the highest sustained share on record.
The Kelp DAO attack took a different route. The attackers compromised two internal RPC nodes and then launched a denial-of-service attack against external nodes, forcing the bridge's single verifier to rely on the poisoned data sources. Those nodes falsely reported that the underlying asset had been burned on the source chain when no such action had occurred, and approximately 116,500 rsETH—worth roughly $292 million—was drained from the Ethereum bridge contract.
TRM analysts noted that the group appears to be sharpening its tools: Analysts have begun to speculate that North Korean operators are incorporating AI tools into their reconnaissance and social engineering workflows, a development consistent with the increasing precision of attacks like Drift, which required weeks of targeted manipulation of complex blockchain mechanisms.
