TRM Labs Report: "North Korea Behind 76% of 2026 Crypto Thefts... Cumulative Total Surpasses $6 Billion Since 2017"

On April 30, 2026, blockchain analysis firm TRM Labs released a report revealing that North Korean-linked hackers accounted for 76% of the total cryptocurrency theft volume in the first four months of 2026. Two large-scale exploits in April pushed North Korea's cumulative theft amount since 2017 past the $6 billion mark. This suggests that a sophisticated and aggressive state-level campaign is accelerating.

The damage incurred in the single month of April significantly exceeded the total losses of the first quarter, sending a major shock to the market. In particular, this report warns that North Korea has built an industrialized theft model that goes beyond a simple cybercrime organization. This level of activity overwhelms the actions of independent cybercriminals.

According to TRM Labs, North Korea is utilizing the stolen funds as a primary resource for nuclear weapons proliferation and sanctions evasion. These activities have emerged as a serious factor threatening the security of the global financial system. Despite international surveillance, North Korea's hacking tactics are becoming increasingly sophisticated.

Taking this situation as a turning point, the cryptocurrency industry is raising its voice for the need for fundamental changes in security systems. In particular, vigilance against the advanced tactics used by state-led hacking groups has reached its peak. Large-scale asset outflows are becoming a major cause of declining market trust.

The cryptocurrency market showed a relatively calm trend in early 2026, but the atmosphere changed abruptly in April. While total losses in the first quarter were around $165.5 million, the surge in April caused the cumulative theft amount for this year to soar to approximately $771 million. North Korea's share of this is recording a higher level than ever before.

North Korea has weaponized cryptocurrency theft as a revenue engine for proliferation, sanctions evasion, and destabilizing activities.

The rapid increase in damage in April was driven by two 'black swan' events. $285 million was drained from Drift Protocol, and a theft of $292 million occurred at KelpDAO. As a result, April 2026 was recorded as the worst month since the Bybit incident in February 2025, which saw $1.4 billion in damages.

Industrialized Hacking Tactics and the $6 Billion Milestone

The scale of North Korea's cryptocurrency thefts has expanded continuously since 2017. In 2025, $1.92 billion—more than half of the total $2.7 billion stolen—was confirmed to be the work of North Korean-linked organizations. This trend shows that North Korea's hacking capabilities have evolved beyond simple cybercrime into a state-led industrialized model.

• Using AI to help North Korean citizens pose as overseas IT workers to gain employment and steal internal information
• Sophisticated social engineering techniques spanning several months, as confirmed in the Drift and KelpDAO attacks
• Utilization of evolving 'Chinese laundromat' networks to launder stolen funds

In particular, North Korea is actively adopting artificial intelligence (AI) to help hackers disguise themselves as legitimate IT professionals working in the U.S. and other countries. They gain employment at cryptocurrency firms to access privileged information and then perform meticulous attacks based on that access. The large-scale thefts this April are also analyzed as the result of months of preliminary preparation.

The stolen funds are laundered through complex networks known as 'Chinese laundromats,' which serve as a key means of cleverly evading international surveillance. In the cryptocurrency hacking prediction market, 'YES' sentiment has maintained 100% following the April surge, reflecting concerns over additional attacks. For the sustainability of the decentralized finance ecosystem, a cooperation system against state-level cyber threats is urgently needed.