Key Takeaways:
- North Korean actors now favor high-impact surgical strikes on bridges and governance, driving 76% of all global crypto hack losses in early 2026.
- Subgroups like TraderTraitor are merging social engineering with infrastructure sabotage, evidenced by the $577 million Drift and KelpDAO exploits.
- Countering these precision threats requires a shift from static blacklists to real-time KYT and analytics to detect staging and freeze exit points before funds disappear.
The digital asset industry has reached a chilling realization in 2026. State-sponsored cyber warfare has moved from persistent background noise to the primary driver of global crypto losses.
Recent findings from TRM Labs cast a spotlight on a staggering trend. In the first four months of 2026 alone, North Korean hacking groups were responsible for 76% of all cryptocurrency hack losses globally. While the total number of incidents remains low, their precision and scale are unprecedented, and cumulative theft since 2017 now exceeds $6 billion.
The New Playbook: Precision Over Frequency
For years, the narrative around North Korean hacks focused on volume. Today, the data reveals a tactical evolution. Rather than casting a wide net, elite groups are executing a handful of high-impact, surgical operations.
In April 2026, just two incidents—the Drift Protocol attack and the KelpDAO exploit—accounted for $577 million in losses. These two events represented only 3% of total hack incidents for the year but drove more than three-quarters of the total value lost. This shift signals a move toward high-complexity targets: cross-chain bridges and multisig governance systems.
The Drift Protocol Heist: A Masterclass in Social Engineering
The $285 million theft from Drift Protocol was a masterclass in corporate-level infiltration.
The Infiltration: The Human Element
For months, individuals posing as legitimate developers and institutional partners built relationships with the Drift team. These proxies were technically fluent and highly professional, allowing them to embed themselves into the protocol’s social fabric. By the time the technical attack began, the attackers already had the trust of the very people meant to guard the vault.
Phase 1: Creating the Phantom Asset (March 11)
The on-chain staging began on March 11. At exactly 9:00 AM Pyongyang time, the attackers moved 10 ETH from Tornado Cash to fund their infrastructure. Their first move was to create a fictitious asset, CarbonVote Token (CVT).
To an outsider, CVT looked like a growing project. The attackers seeded a few thousand dollars into liquidity pools on Raydium and used wash-trading bots to fabricate a history of volume. Over several weeks they manufactured a "market price" of roughly $1.00; an AMM quotes whatever ratio its pool holds, so a thin pool prints a clean-looking price with almost no capital behind it. Drift's price oracles, unprepared for a manipulated asset with zero actual utility, picked up this signal and began treating CVT as legitimate collateral.
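The gap between a spot price and what collateral is actually worth is easy to quantify. The following is an added example, not Drift's oracle or margin code, that models the CVT pool as a constant-product AMM and compares the credit a naive spot-price oracle would give against the value a liquidator could really recover by selling into that pool. The pool sizes, the fee, the 300M-token deposit and the `collateral_is_sound` threshold are all assumptions chosen for illustration.

```python
"""Liquidity-aware collateral valuation against a constant-product pool.

Added example; this is not Drift's oracle or margin code. It shows why the
spot price printed by a thin AMM pool is not a safe collateral price: the
value a liquidator could actually realise by selling the collateral into
that pool is bounded by the pool's USD reserves, however many tokens are
posted. Pool sizes, token amounts and the haircut threshold are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pool:
    """A constant-product (x * y = k) pool quoting a token against USD."""
    token_reserve: float
    usd_reserve: float
    fee: float = 0.0025  # 25 bps swap fee, assumed for a Raydium-style pool

    def spot_price(self) -> float:
        """What a naive price feed reads off the pool: the reserve ratio."""
        return self.usd_reserve / self.token_reserve

    def usd_out_for(self, tokens_in: float) -> float:
        """USD received for dumping `tokens_in` into the pool in one swap.
        Constant product: out = R_usd * x / (R_tok + x), x = tokens after fee.
        This can never exceed R_usd, no matter how large tokens_in is."""
        x = tokens_in * (1.0 - self.fee)
        return self.usd_reserve * x / (self.token_reserve + x)


def spot_collateral_value(pool: Pool, amount: float) -> float:
    """Credit a margin engine gives if it trusts the spot price blindly."""
    return pool.spot_price() * amount


def realizable_value(pool: Pool, amount: float) -> float:
    """Credit bounded by what liquidating the whole position into its only
    pool would actually return."""
    return pool.usd_out_for(amount)


def collateral_is_sound(pool: Pool, amount: float, max_haircut: float = 0.05) -> bool:
    """Accept the asset as collateral only if liquidating the position would
    recover at least (1 - max_haircut) of its spot value. A deep pool passes
    for normal sizes; a few-thousand-dollar pool fails for any position large
    enough to matter, and even a deep pool fails for an oversized position."""
    spot = spot_collateral_value(pool, amount)
    if spot <= 0:
        return False
    return realizable_value(pool, amount) / spot >= 1.0 - max_haircut


# Constructed scenario: a pool seeded with about $5k so that it prints $1.00/token.
THIN_POOL = Pool(token_reserve=5_000.0, usd_reserve=5_000.0)
# Constructed healthy comparison: $50M on each side.
DEEP_POOL = Pool(token_reserve=50_000_000.0, usd_reserve=50_000_000.0)
ATTACKER_DEPOSIT = 300_000_000.0  # tokens; spot says $300M, the pool holds $5k


if __name__ == "__main__":
    print(f"spot credit:       ${spot_collateral_value(THIN_POOL, ATTACKER_DEPOSIT):,.0f}")
    print(f"realizable credit: ${realizable_value(THIN_POOL, ATTACKER_DEPOSIT):,.0f}")
    print("thin pool, 300M tokens sound:", collateral_is_sound(THIN_POOL, ATTACKER_DEPOSIT))
    print("deep pool, 100k tokens sound:", collateral_is_sound(DEEP_POOL, 100_000.0))
```

The useful property is the bound in `usd_out_for`: selling into a constant-product pool can never return more than the pool's quote reserves, so a 300M-token position backed by a $5,000 pool is worth under $5,000 however the spot feed reads. A margin engine that caps collateral credit at the realizable value, or refuses assets whose liquidation haircut exceeds a few percent, makes the CVT-style setup uneconomic regardless of how convincing the fabricated volume history looks.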
Phase 2: The “Durable Nonce” Trap (March 23–30)
The attackers focused on a Solana feature called durable nonces. Normally a Solana transaction expires within roughly 60 to 90 seconds, because the recent blockhash it carries is only accepted for about 150 slots. A durable nonce replaces that blockhash with a value stored in a nonce account, so a transaction can be pre-signed and held until the nonce account is advanced, which in practice means indefinitely, then broadcast whenever the holder chooses. Using their social standing, the attackers induced members of Drift's Security Council to pre-sign what appeared to be routine administrative transactions. In reality, these were blank checks. Because they were signed against durable nonces, the signatures never aged out: the attackers held the authorizations like loaded springs, ready to release at a moment of their choosing.
Phase 3: The Fatal Configuration Change (March 27)
On March 27, Drift made a strategic move that turned a risk into a catastrophe. The protocol migrated its Security Council to a new 2-of-5 threshold configuration, meaning any two of the five signers could execute a council action, and set the timelock to zero. In most DeFi protocols a timelock acts as a cooling-off period between an action being queued and being executed, giving the team and the community time to inspect it and veto it. By removing it, Drift eliminated the only window in which a fraudulent transaction could have been caught before it became final.
Phase 4: The 12-Minute Execution (April 1)
On April 1, the attackers moved with terrifying speed:
- The Deposit: They deposited hundreds of millions of “worthless” CVT tokens into Drift.
- The Manipulation: Because oracles believed CVT was worth $1.00, the system saw a massive influx of collateral.
- The Drain: Using the pre-authorized “blank checks” from March, they instantly raised withdrawal limits.
In just 12 minutes, they executed 31 pre-signed withdrawals, borrowing real assets like USDC and JLP against fake collateral. The funds were bridged to Ethereum before the Drift team could react.
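Phases 2 and 3 above describe two checks that a Security Council signer, or tooling in front of the signer, could have applied: does this message use a durable nonce, and does the multisig configuration leave any room to catch a bad action? The following is an added example, not Drift's code nor that of any multisig program. It models a Solana message minimally, detects a durable-nonce transaction the way the runtime does (first instruction is `SystemProgram::AdvanceNonceAccount`), shows why such a transaction never expires, and adds a small policy review. The System Program ID and the recent-blockhashes sysvar address are real; the admin program ID, nonce account, authority, instruction payloads and `SigningPolicy` shape are constructed for illustration.

```python
"""Signer-side policy gate for Solana multisig approvals.

Added example; it is not Drift's code nor that of any multisig program.
It models what a Security Council signer should check before approving a
message: whether it is a durable-nonce transaction (valid until the nonce
account is advanced, not for ~150 slots) and whether it touches a privileged
program. A small governance-config check (threshold, timelock) sits beside
it. The System Program ID and the recent-blockhashes sysvar are real; the
admin program, nonce account, authority and payloads are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SYSTEM_PROGRAM = "11111111111111111111111111111111"
RECENT_BLOCKHASHES_SYSVAR = "SysvarRecentB1ockHashes11111111111111111111"
ADVANCE_NONCE_ACCOUNT = 4        # SystemInstruction enum variant, bincode u32 LE
BLOCKHASH_MAX_AGE_SLOTS = 150    # how long a recent blockhash stays acceptable


@dataclass(frozen=True)
class Instruction:
    program_id: str
    accounts: Tuple[str, ...]
    data: bytes

@dataclass(frozen=True)
class Message:
    recent_blockhash: str             # for a durable-nonce tx: the nonce account's stored value
    instructions: Tuple[Instruction, ...]

@dataclass
class NonceAccount:
    stored_value: str                 # what the runtime compares against recent_blockhash


def durable_nonce_account(msg: Message) -> Optional[str]:
    """Return the nonce account if `msg` is a durable-nonce transaction.
    The runtime recognises one by its FIRST instruction being
    SystemProgram::AdvanceNonceAccount; account 0 of that instruction is the nonce."""
    if not msg.instructions:
        return None
    ix = msg.instructions[0]
    if ix.program_id != SYSTEM_PROGRAM or len(ix.data) < 4 or not ix.accounts:
        return None
    (variant,) = struct.unpack_from("<I", ix.data)
    return ix.accounts[0] if variant == ADVANCE_NONCE_ACCOUNT else None


def is_still_valid(msg: Message, current_slot: int, signed_at_slot: int,
                   nonces: Dict[str, NonceAccount]) -> bool:
    """Toy model of the validity rule. Normal txs die when their blockhash ages
    out; durable-nonce txs live until someone advances the nonce account."""
    nonce_acct = durable_nonce_account(msg)
    if nonce_acct is None:
        return current_slot - signed_at_slot <= BLOCKHASH_MAX_AGE_SLOTS
    acct = nonces.get(nonce_acct)
    return acct is not None and acct.stored_value == msg.recent_blockhash


@dataclass(frozen=True)
class SigningPolicy:
    privileged_programs: frozenset      # programs whose instructions change protocol state
    allow_durable_nonce: bool = False   # only for explicitly scheduled broadcasts


def review(msg: Message, policy: SigningPolicy) -> List[str]:
    """Findings a signer should see before adding a signature. Empty = clean."""
    findings: List[str] = []
    nonce_acct = durable_nonce_account(msg)
    privileged = sorted({ix.program_id for ix in msg.instructions} & policy.privileged_programs)
    if nonce_acct and not policy.allow_durable_nonce:
        findings.append(f"DURABLE_NONCE: stays valid until nonce account {nonce_acct} is advanced")
    for program in privileged:
        findings.append(f"PRIVILEGED_PROGRAM: {program}")
    if nonce_acct and privileged:
        findings.append("BLOCK: pre-signed privileged action with no expiry (a blank check)")
    return findings


def governance_findings(threshold: int, signers: int, timelock_seconds: int) -> List[str]:
    """Static checks on the multisig configuration itself."""
    out: List[str] = []
    if timelock_seconds == 0:
        out.append("ZERO_TIMELOCK: no window to inspect or veto a queued action")
    if threshold * 2 <= signers:
        out.append(f"LOW_THRESHOLD: {threshold}/{signers} signers is not a majority")
    return out


# Constructed sample data (hypothetical IDs; the admin instruction payload is made up).
ADMIN_PROGRAM = "AdminProgram1111111111111111111111111111111"
NONCE_ACCOUNT = "NonceAcct1111111111111111111111111111111111"
NONCE_AUTHORITY = "Council1111111111111111111111111111111111111"
ADVANCE_NONCE_IX = Instruction(
    SYSTEM_PROGRAM, (NONCE_ACCOUNT, RECENT_BLOCKHASHES_SYSVAR, NONCE_AUTHORITY),
    struct.pack("<I", ADVANCE_NONCE_ACCOUNT))
RAISE_LIMIT_IX = Instruction(ADMIN_PROGRAM, ("ProtocolState111111111111111111111111111111",),
                             b"\x07" + struct.pack("<Q", 10**15))  # hypothetical "set limit"
ROUTINE = Message("blockhash-from-slot-1000", (RAISE_LIMIT_IX,))
BLANK_CHECK = Message("nonce-value-A", (ADVANCE_NONCE_IX, RAISE_LIMIT_IX))
POLICY = SigningPolicy(privileged_programs=frozenset({ADMIN_PROGRAM}))

if __name__ == "__main__":
    for name, msg in (("routine", ROUTINE), ("blank check", BLANK_CHECK)):
        print(name, "->", review(msg, POLICY) or ["clean"])
    print("2/5, no timelock ->", governance_findings(2, 5, 0))
```

The point of `is_still_valid` is the asymmetry the attackers exploited: the routine message is dead 150 slots after signing, while the durable-nonce message is accepted thousands of slots later as long as nobody has advanced the nonce account. A signer who cannot personally attest that a durable-nonce transaction will be broadcast on a known schedule should refuse it, and a council that wants a last line of defence should keep the timelock non-zero so that even an approved action can still be inspected before it executes.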
The KelpDAO Exploit: Sabotaging the Bridge Infrastructure
While the Drift hack relied on social engineering, the $292 million KelpDAO exploit was a technical strike against the infrastructure of cross-chain plumbing.
The Vulnerability: The Single-Verifier Weakness
KelpDAO used a LayerZero bridge for its rsETH token. To save on costs or complexity, the bridge was configured with a single-verifier design: the entire system relied on one source of truth, the LayerZero Labs Decentralized Verifier Network (DVN), to confirm that assets had been moved or burned. There was no second verifier whose disagreement could halt a message.
The Setup: Poisoning the Well
The attackers identified and compromised two of KelpDAO’s internal RPC nodes. RPC nodes are essentially the “ears” of a blockchain application. They tell the software what is happening on the network. Once inside, the hackers swapped the node software for a “poisoned” version. This version was programmed to lie, reporting that rsETH had been burned on the source chain even when no such transaction existed.
The Execution: The DDoS and the Failover (April 18)
On April 18, the attackers launched a large Distributed Denial of Service (DDoS) attack against the healthy external RPC nodes that the bridge normally listened to. As those nodes went dark, the verifier followed its availability logic and failed over to the only nodes still responding: the compromised internal ones. A failover that accepts whatever source remains reachable is fail-open, and that openness was the attack path.
The poisoned nodes fed the verifier a false narrative. The verifier, seeing “proof” from its only available source, confirmed the fraudulent cross-chain message. This allowed the attackers to drain 116,500 rsETH from the Ethereum bridge contract.
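The setup and execution above come down to one design decision: when the usual data sources stop answering, does the verifier take the first answer it can get, or does it refuse to verify? The following is an added example, not LayerZero's DVN code or KelpDAO's bridge configuration, that simulates both behaviours against the same set of endpoints: three honest external nodes, two poisoned internal ones, and an outage that takes the honest ones offline. The endpoint model, receipt structure and the use of the 116,500 rsETH figure as a forged amount are constructed for illustration.

```python
"""Quorum reads for a cross-chain verifier: failover vs. fail-closed.

Added example; this is not LayerZero's DVN code or KelpDAO's. It contrasts a
failover RPC client (use the first endpoint that answers, which is how
poisoned nodes win once the honest ones are DDoSed) with a quorum client
that only accepts a burn receipt when at least `threshold` endpoints return
identical answers and otherwise refuses to verify. Endpoints, receipts,
the outage and the forged amount are simulated in-process.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


class RpcUnavailable(Exception):
    """Endpoint timed out or errored (what a DDoS looks like to the client)."""


@dataclass(frozen=True)
class BurnReceipt:
    tx_hash: str
    burner: str
    amount_wei: int
    block_hash: str


# An endpoint answers "what burn receipt does tx_hash have?" with a receipt,
# None (no such transaction on the chain it sees) or RpcUnavailable.
Endpoint = Callable[[str], Optional[BurnReceipt]]


def honest_node(ledger: Dict[str, BurnReceipt]) -> Endpoint:
    """Node that reports the real chain state it was given."""
    return lambda tx_hash: ledger.get(tx_hash)


def ddosed_node(tx_hash: str) -> Optional[BurnReceipt]:
    """Node knocked offline: every call times out."""
    raise RpcUnavailable("timeout")


def poisoned_node(forged: BurnReceipt) -> Endpoint:
    """Compromised node: returns the forged receipt whatever it is asked."""
    return lambda tx_hash: forged


def failover_verify(endpoints: List[Endpoint], tx_hash: str) -> Optional[BurnReceipt]:
    """Availability-first design: trust the first endpoint that responds."""
    for ep in endpoints:
        try:
            return ep(tx_hash)
        except RpcUnavailable:
            continue
    raise RpcUnavailable("all endpoints down")


def quorum_verify(endpoints: List[Endpoint], tx_hash: str,
                  threshold: int) -> Tuple[str, Optional[BurnReceipt]]:
    """Safety-first design. Returns one of:
      ("VERIFIED", receipt)  at least `threshold` endpoints agree the burn exists
      ("REJECTED", None)     at least `threshold` endpoints agree no such tx exists
      ("UNAVAILABLE", None)  fewer than `threshold` endpoints answered: fail closed
      ("DISAGREEMENT", None) enough answered but no single answer reached threshold
    The count only means something if the endpoints are run by independent
    operators; a quorum of one operator's nodes is still a single verifier."""
    votes: Counter = Counter()
    answered = 0
    for ep in endpoints:
        try:
            answer = ep(tx_hash)
        except RpcUnavailable:
            continue
        answered += 1
        votes[answer] += 1
    if answered < threshold:
        return ("UNAVAILABLE", None)
    answer, count = votes.most_common(1)[0]
    if count < threshold:
        return ("DISAGREEMENT", None)
    return ("VERIFIED", answer) if answer is not None else ("REJECTED", None)


# Constructed scenario: the honest chain has no burn for the claimed tx;
# two compromised internal nodes assert one anyway.
HONEST_LEDGER: Dict[str, BurnReceipt] = {}
FORGED = BurnReceipt("0xfeed", "0xattacker", 116_500 * 10**18, "0xbadb10c")
EXTERNAL = [honest_node(HONEST_LEDGER)] * 3
INTERNAL = [poisoned_node(FORGED)] * 2
EXTERNAL_DOWN = [ddosed_node] * 3


if __name__ == "__main__":
    print("quiet day, failover:   ", failover_verify(EXTERNAL + INTERNAL, "0xfeed"))
    print("under DDoS, failover:  ", failover_verify(EXTERNAL_DOWN + INTERNAL, "0xfeed"))
    print("under DDoS, quorum(3): ", quorum_verify(EXTERNAL_DOWN + INTERNAL, "0xfeed", 3))
```

With the honest nodes up, both clients correctly find no burn. Under the outage, `failover_verify` returns the forged receipt because the poisoned nodes are the only ones answering, which is exactly the outcome described above; `quorum_verify` with a threshold of 3 returns `UNAVAILABLE` and the bridge stalls rather than releasing funds. Stalling is the correct failure mode for a verifier: a delayed message can be retried, a released forgery cannot be recalled.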
The Scramble: A Messy Escape
Unlike the calm Drift attackers, the KelpDAO group, identified as the TraderTraitor subgroup, made mistakes. They left $75 million in ETH on Arbitrum, an Ethereum Layer 2 whose Security Council holds emergency powers. This gave the Arbitrum Security Council enough time to exercise those powers and freeze the funds.
The freeze triggered a “mad scramble.” The hackers frantically moved the remaining $175 million through THORChain, swapping ETH for Bitcoin as fast as possible. This phase was handled largely by Chinese intermediaries, showing a fractured but efficient laundering network.
The Critical Role of KYT and Blockchain Analytics
These attacks represent a fundamental challenge to the integrity of the 2026 crypto ecosystem. Static blacklists are no longer sufficient when state actors can wait for months to move stolen assets. This is where Know Your Transaction (KYT) and advanced blockchain analytics become essential defense mechanisms.
- Real-Time Alerting: Shared alert networks push a newly identified North Korea-linked address to participating institutions across platforms in minutes rather than days, potentially stopping a withdrawal before it clears.
- Multi-Hop Attribution: Simple first-hop screening, which checks only the direct counterparty, is easily bypassed by routing through fresh wallets. Modern analytics track funds through dozens of intermediary wallets and across multiple bridges to identify the true source of funds.
- Monitoring Governance and Bridge Hygiene: In the Drift attack the weakness was the governance and multisig configuration; in the KelpDAO exploit it was the single-verifier bridge. Analytics tools now help firms monitor the health and behavior of the protocols they interact with, flagging suspicious pre-signed transactions, changes to timelock settings or signer thresholds, and other risky configuration changes.
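To make the first-hop versus multi-hop distinction concrete, the following is an added example, not ChainUp's or TRM Labs' attribution logic, that runs both checks over a small constructed transfer graph shaped like the KelpDAO exit route (exploit wallet, ETH intermediaries, a bridge swap to Bitcoin, then an exchange deposit). It respects time ordering, so a transfer sent before the tainted funds arrived is not followed. All addresses, amounts and timestamps are constructed; the `chain:address` strings stand in for real identifiers.

```python
"""Multi-hop exposure tracing over a transfer graph.

Added example; it is not ChainUp's or TRM Labs' attribution logic. It shows
the difference between first-hop screening (is the direct counterparty
flagged?) and multi-hop tracing (can the deposit be reached from a flagged
address through intermediary wallets and bridge hops, in the order the funds
actually moved?). Addresses, timestamps and amounts are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Transfer:
    src: str                  # "eth:0x..." or "btc:bc1..."
    dst: str
    amount: float             # native units of `asset`
    asset: str
    time: int                 # unix seconds
    via_bridge: bool = False  # True when src and dst are on different chains


@dataclass(frozen=True)
class Exposure:
    hops: int
    path: Tuple[str, ...]     # flagged source ... -> screened address


def first_hop_flagged(transfers: Iterable[Transfer], flagged: Set[str], address: str) -> bool:
    """Legacy check: only the direct sender is screened."""
    return any(t.dst == address and t.src in flagged for t in transfers)


def trace_exposure(transfers: Iterable[Transfer], flagged: Set[str],
                   max_hops: int = 10) -> Dict[str, Exposure]:
    """Breadth-first over outgoing transfers from every flagged address.
    A transfer is only followed if it happened after the funds arrived at its
    sender (you cannot forward what you have not yet received). BFS reaches
    each address first by the fewest hops, so that path is the one kept."""
    outgoing: Dict[str, List[Transfer]] = defaultdict(list)
    for t in transfers:
        outgoing[t.src].append(t)
    for sends in outgoing.values():
        sends.sort(key=lambda t: t.time)

    seen: Dict[str, Exposure] = {}
    # queue entries: (address, hops so far, time funds arrived there, path)
    queue: Deque[Tuple[str, int, int, Tuple[str, ...]]] = deque()
    for addr in sorted(flagged):
        queue.append((addr, 0, -1, (addr,)))  # flagged sources: follow every send
    while queue:
        addr, hops, arrived, path = queue.popleft()
        if hops >= max_hops:
            continue
        for t in outgoing.get(addr, []):
            if t.time < arrived or t.dst in seen or t.dst in flagged:
                continue
            seen[t.dst] = Exposure(hops + 1, path + (t.dst,))
            queue.append((t.dst, hops + 1, t.time, path + (t.dst,)))
    return seen


def screen_deposit(transfers: Iterable[Transfer], flagged: Set[str],
                   address: str, max_hops: int = 10) -> Optional[Exposure]:
    """Shortest flagged-to-address path within max_hops, or None if clean."""
    return trace_exposure(transfers, flagged, max_hops).get(address)


# Constructed trail: exploit wallet -> two ETH intermediaries -> bridge swap to
# BTC -> exchange deposit. One decoy transfer predates the theft.
FLAGGED = {"eth:0xexploit"}
TRANSFERS = [
    Transfer("eth:0xexploit", "eth:0xhop1", 40_000.0, "ETH", 1_000),
    Transfer("eth:0xhop1", "eth:0xhop2", 39_990.0, "ETH", 1_300),
    Transfer("eth:0xhop1", "eth:0xoldfriend", 5.0, "ETH", 500),          # sent before the theft
    Transfer("eth:0xhop2", "btc:bc1exit", 39_980.0, "ETH", 2_000, via_bridge=True),
    Transfer("btc:bc1exit", "btc:bc1deposit", 1_100.0, "BTC", 2_600),
    Transfer("btc:bc1payroll", "btc:bc1deposit", 0.5, "BTC", 2_700),    # unrelated inflow
]

if __name__ == "__main__":
    print("first-hop flagged:", first_hop_flagged(TRANSFERS, FLAGGED, "btc:bc1deposit"))
    print("multi-hop:", screen_deposit(TRANSFERS, FLAGGED, "btc:bc1deposit"))
```

First-hop screening clears the exchange deposit because its direct senders are a fresh Bitcoin address and an unrelated payroll wallet. The multi-hop trace returns a four-hop path back to the exploit wallet, with the bridge crossing treated as just another edge, and it does not taint the wallet that received funds from the intermediary before the theft happened. Real deployments add proportional dilution, amount thresholds and entity clustering on top of this traversal; the causal ordering and the cross-chain edge are the parts a first-hop screen structurally cannot do.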
Secure Your Infrastructure with ChainUp KYT
The industry cannot rely on the permanence of blockchain security alone. As hackers become more patient and sophisticated, defensive tools must become more proactive.
ChainUp KYT provides the institutional-grade monitoring necessary to navigate the 2026 threat landscape. Our solution goes beyond basic blacklisting, offering:
- Real-Time Transaction Monitoring: Detect and flag suspicious flows the moment they hit the chain, allowing for immediate intervention before withdrawals clear.
- Advanced Multi-Hop Tracing: See past the “hops” and intermediary wallets to identify funds originating from North Korean clusters and bridge exploits.
- Protocol Governance Alerts: Monitor the health of the DeFi protocols and bridges you interact with, receiving alerts on risky configuration changes or unusual multisig activity.
- Seamless Compliance Integration: Built for exchange operators and institutional players who require sharp, clinical data to meet global regulatory standards.
Don’t wait for the next 12-minute drain to realize your defenses are outdated. Book a demo with ChainUp today to see how our KYT solutions can harden your infrastructure against the industry’s most sophisticated threats.