North Korea-linked hackers steal $643M in crypto in H1 2026




North Korean hackers walked away with $643 million in stolen crypto during the first six months of 2026. That’s 66% of all crypto lost to theft and exploits this year, a dominance so complete it makes every other hacking group look like amateurs by comparison.

The total haul from all crypto crime in H1 2026 came to $972 million across 207 incidents. North Korea’s Lazarus Group and its associated subgroups were responsible for the lion’s share, funneling proceeds toward the regime’s nuclear weapons program. Two attacks in April alone accounted for $577 million of the total.

Two attacks, twelve minutes, half a billion dollars

The biggest hits came in rapid succession last month. On April 1, the Drift Protocol lost roughly $285 million in what amounted to a masterclass in social engineering. Attackers compromised protocol signers and executed the entire theft in approximately 12 minutes.

Then on April 18, KelpDAO got hit for approximately $292 million through a LayerZero bridge exploit. That attack has been attributed to TraderTraitor, a known Lazarus subgroup that specializes in targeting cross-chain infrastructure. Between the two incidents, North Korean actors pocketed more than half a billion dollars in less than three weeks.

Fewer dollars, more attacks

The $972 million in total H1 2026 losses is less than half the $2.3 billion lost during the same period in 2025. But the record number of incidents, 207 in just six months, tells a different story. Attackers aren’t slowing down. They’re shifting strategy, opting for targeted infrastructure attacks on DeFi protocols and cross-chain bridges rather than spraying and praying across dozens of smaller targets.

The stolen funds largely remain unrecovered. North Korean operators have become adept at laundering proceeds through bridges, mixing services, and other obfuscation techniques that make tracing and freezing assets extraordinarily difficult once the initial theft window closes.

And $643 million only captures what came from direct hacks and exploits. It doesn’t include revenue generated through phishing schemes, fake job postings, and other social engineering campaigns that North Korean operatives run in parallel.

A $6 billion problem that keeps compounding

North Korean state-backed groups have now accumulated over $6 billion in crypto thefts since 2017, according to cumulative tracking data. Over the past nine years, the Lazarus Group has matured from relatively crude exchange hacks into a sophisticated operation that deploys social engineering, custom malware, supply chain compromises, and deep knowledge of DeFi protocol architecture.

What this means for investors

The concentration of losses in DeFi protocols and bridge infrastructure should be a wake-up call for anyone parking significant capital in decentralized platforms. Two protocols lost nearly $600 million combined because their signer security and bridge architecture weren’t hardened against nation-state attackers.

Before committing funds to any DeFi protocol, investors should be asking pointed questions about multisig configurations, signer operational security practices, and whether the protocol has undergone recent security audits that specifically model state-sponsored threat scenarios.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.
