North Korean hackers have stolen more than $6 billion in cryptocurrency since 2017, according to blockchain intelligence firm TRM Labs, with two attacks in April 2026 alone accounting for 76% of all crypto hack losses this year.
The cumulative figure, which TRM Labs puts at more than $6 billion across attributed incidents since 2017, marks a sharp escalation in state-backed cybercrime targeting the digital asset industry.
North Korean groups stole approximately $577 million in 2026 year-to-date through April, equal to 76% of all crypto hack losses during that period. The disproportionate share underscores how a single nation-state actor now dominates the global crypto threat landscape.
TRM Labs identified two incidents in April 2026 behind the surge: a $285 million breach of Drift Protocol on April 1 and a $292 million exploit of KelpDAO on April 18. Together, these two DeFi attacks accounted for nearly all of North Korea's attributed theft this year.
The Drift Protocol and KelpDAO breaches follow a pattern of targeting decentralized finance protocols, where smart contract vulnerabilities and cross-chain bridge weaknesses have repeatedly proven exploitable. The scale of each individual attack, both approaching $300 million, reflects increasing operational sophistication.
TRM analysts have noted that the specific subgroup behind the Drift attack may be distinct from TraderTraitor, the North Korean unit identified in previous major incidents, though that attribution remains under investigation.
The 2026 thefts build on what was already a record-breaking period. In February 2025, the FBI attributed the approximately $1.5 billion Bybit theft to North Korea's TraderTraitor actors, making it the single largest known crypto hack at that time.
The FBI's public alert urged exchanges, cross-chain bridges, RPC node operators, analytics firms, DeFi services, and other virtual asset providers to block addresses associated with laundering flows from the Bybit incident. That alert represented one of the most explicit government calls for private-sector coordination against state-sponsored crypto theft.
Following the Bybit hack, industry coordination produced measurable results. Chainalysis reported that more than $40 million in stolen funds had already been frozen through collaborative efforts between exchanges and blockchain analytics firms. While that figure represents a small fraction of the total stolen, it demonstrated that rapid cross-platform response can limit laundering success, a dynamic also relevant to ongoing efforts around protocol-level risk management in DeFi.
North Korean hackers have refined a multi-layered laundering process that makes recovery increasingly difficult once funds leave the initial target. The typical chain involves rapid conversion of stolen tokens into harder-to-trace assets, cross-chain swaps through decentralized protocols, and mixing services that obscure transaction trails.
Cross-chain bridges and decentralized exchanges play a central role. By swapping stolen assets across multiple blockchains, attackers fragment the trail across different ledgers, complicating the work of blockchain analytics firms attempting to trace flows. THORChain and similar cross-chain swap protocols have been identified in prior investigations as conduits used in DPRK-linked laundering operations.
The challenge for investigators is compounded by timing. Once stolen funds pass through several conversion layers within the first 24 to 48 hours, the probability of freezing or recovering them drops sharply. This reality has pushed the industry toward faster automated detection and preemptive address blacklisting.
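The laundering chain described above (theft address, swap, bridge to another chain, mixer, cash-out) is what an exchange's deposit screening has to reason about when it blocklists addresses from a public alert. The following is an added illustration, not code from the article or from TRM Labs, Chainalysis or the FBI: it propagates taint from a blocklist along a constructed transfer graph, follows a bridge deposit to its paired payout address on the other chain, and refuses to taint outflows that predate the moment an address received stolen funds. Every address, transaction and bridge link below is made up for the example; real tracing needs the bridge's own event logs and heuristics for pooled contracts, where funds mix and a one-to-one hop model breaks down.

```python
"""Toy taint-propagation screen for incoming deposits (added example, constructed data)."""
from datetime import datetime

# Constructed blocklist, in the shape an exchange might load from a public alert.
BLOCKLIST = {("eth", "0xhack0001"), ("eth", "0xhack0002")}

# Constructed bridge links: a deposit into the bridge's ETH-side address is paid out
# from the bridge's BTC-side address. Assumed for the example, not a real bridge.
BRIDGE_LINKS = {("eth", "0xbridge01"): ("btc", "bc1bridge01")}

# Constructed transfers: (chain, sender, receiver, ISO-8601 timestamp).
TRANSFERS = [
    ("eth", "0xhack0001", "0xswap0001", "2026-04-01T00:10:00"),   # theft -> swap
    ("eth", "0xswap0001", "0xbridge01", "2026-04-01T01:00:00"),   # swap -> bridge in
    ("btc", "bc1bridge01", "bc1mixer01", "2026-04-01T03:30:00"),  # bridge out -> mixer
    ("btc", "bc1mixer01", "bc1cashout", "2026-04-02T09:00:00"),   # mixer -> cash-out
    ("btc", "bc1cashout", "bc1exchdep", "2026-04-02T10:15:00"),   # cash-out -> exchange deposit
    # Outflow from the swap address that predates its tainting: must stay clean.
    ("eth", "0xswap0001", "0xclean001", "2026-03-31T23:00:00"),
    # Unrelated traffic.
    ("eth", "0xother001", "0xclean002", "2026-04-01T05:00:00"),
]


def _destinations(dst, bridge_links):
    """Yield the receiving address, plus the paired payout address if it is a bridge."""
    yield dst
    if dst in bridge_links:
        yield bridge_links[dst]


def propagate_taint(blocklist, transfers, bridge_links):
    """Return {(chain, address): (hops, first_tainted_at)} reachable from the blocklist.

    Transfers are replayed in time order. Taint flows along a transfer only if the
    sender was already tainted when the transfer happened, so earlier outflows from
    the same address are not flagged. Crossing a bridge does not add a hop: the
    payout address is treated as the same funds on another ledger.
    """
    tainted = {key: (0, datetime.min) for key in blocklist}
    ordered = sorted(transfers, key=lambda t: datetime.fromisoformat(t[3]))
    for chain, sender, receiver, ts in ordered:
        when = datetime.fromisoformat(ts)
        src = (chain, sender)
        if src not in tainted or tainted[src][1] > when:
            continue
        hops = tainted[src][0] + 1
        for dst in _destinations((chain, receiver), bridge_links):
            if dst not in tainted:  # keep the earliest tainting event
                tainted[dst] = (hops, when)
    return tainted


def screen_deposit(chain, address, tainted, block_within_hops=3):
    """Decision for an incoming deposit: 'block', 'review' or 'allow'.

    Direct blocklist hits and near hops are blocked outright; more distant taint goes
    to manual review, since pooled contracts along the way dilute attribution.
    """
    info = tainted.get((chain, address))
    if info is None:
        return "allow"
    hops, _ = info
    return "block" if hops <= block_within_hops else "review"


if __name__ == "__main__":
    taint = propagate_taint(BLOCKLIST, TRANSFERS, BRIDGE_LINKS)
    for key, (hops, when) in sorted(taint.items(), key=lambda kv: kv[1][0]):
        print(f"{key[0]}:{key[1]} hops={hops} since={when.isoformat()}")
    for probe in [("btc", "bc1mixer01"), ("btc", "bc1exchdep"), ("eth", "0xclean001")]:
        print(probe, "->", screen_deposit(*probe, taint))
```

Run as a script to see each tainted address with its hop count and the time it was first reached; the exchange deposit at the end of the chain lands in "review" rather than "block" because it sits five hops out, which is the kind of threshold a compliance team would tune against the 24 to 48 hour window the text describes.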
The U.S. government has escalated its response alongside the rising theft totals. On November 4, 2025, the Treasury Department's OFAC sanctioned bankers and entities involved in laundering DPRK cybercrime proceeds and IT-worker revenue. Treasury stated that North Korea-affiliated cybercriminals had stolen over $3 billion, primarily in cryptocurrency, over the prior three years.
"North Korean state-sponsored hackers steal and launder money to fund the regime's nuclear weapons program."
John K. Hurley, U.S. Treasury
The Treasury sanctions explicitly linked crypto theft proceeds to Pyongyang's weapons programs, framing the issue as a national security concern rather than a purely financial one. For exchanges and DeFi protocols, this creates direct compliance obligations: processing funds tied to sanctioned entities carries severe legal risk, a consideration that also affects how firms like large-scale Bitcoin mining operations and centralized platforms structure their compliance programs.
The regulatory pressure extends beyond the United States. As North Korean actors increasingly exploit cross-border DeFi infrastructure, jurisdictions across Asia and Europe have begun tightening their own virtual asset provider requirements, with KYC enforcement and travel rule compliance emerging as primary tools for disrupting laundering networks.
The cumulative theft figure carries direct implications for how exchanges manage security and how retail investors assess counterparty risk. With state-backed actors responsible for the majority of large-scale crypto hacks, the threat model has shifted from opportunistic individual hackers to well-resourced, persistent teams.
For centralized exchanges, the pressure is on key management, withdrawal controls, and real-time transaction monitoring. The Bybit breach demonstrated that even major platforms with established security teams remain vulnerable. For DeFi protocols, smart contract auditing and upgrade mechanisms have become critical, particularly for protocols handling cross-chain operations.
Retail investors face indirect exposure. While individual wallets are rarely the primary target of state-sponsored operations, funds held on compromised platforms are at risk. The growing scale of these thefts, combined with ongoing concerns flagged by U.S. legislators around stablecoin oversight, reinforces the case for self-custody and due diligence on platform security practices.
The market context adds another layer. Bitcoin traded at $77,062 at the time of reporting, with the Fear & Greed Index sitting at 26, firmly in "Fear" territory. Persistent security incidents of this magnitude contribute to the cautious sentiment that has weighed on crypto markets throughout early 2026.
The primary groups are state-sponsored units operating under various designations. The FBI has publicly identified TraderTraitor as the unit behind the Bybit hack. TRM Labs tracks multiple North Korean subgroups, some of which may operate independently of TraderTraitor. These groups are linked to Pyongyang's broader revenue generation strategy, with stolen crypto proceeds funding weapons programs.
Cryptocurrency offers characteristics that align with North Korea's needs: cross-border transfers without traditional banking intermediaries, pseudonymous transactions that complicate attribution, and a rapidly growing pool of assets held in platforms with varying security standards. International sanctions have cut North Korea off from conventional financial systems, making crypto theft one of the regime's most reliable revenue channels.
Blockchain analytics firms like Chainalysis and TRM Labs can trace stolen funds across public ledgers, and industry coordination has produced partial recoveries. The $40 million frozen after the Bybit hack demonstrates that rapid response can limit losses. However, sophisticated laundering through mixing services, cross-chain swaps, and decentralized protocols means that the majority of stolen funds in large-scale state-sponsored attacks are not recovered.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.
The post North Korean Hackers Stole Over $6 Billion in Crypto Since 2017 was initially published on Coincu.