
North Korea's Lazarus Group stole $643M in H1 2026, 66% of all crypto theft. Two April attacks netted $577M from Drift Protocol and KelpDAO. DeFi protocols remain prime targets for state-backed hackers.
North Korea-linked hackers stole $643 million in crypto during the first six months of 2026, according to blockchain security firms. That figure represents 66% of all crypto lost to theft and exploits in the period, which came to $972 million across 207 incidents.
Two attacks in April drove the bulk of the losses. On April 1, attackers compromised signers at Drift Protocol and executed a roughly $285 million theft in about 12 minutes. Security firms attributed the breach to a social engineering campaign by the Lazarus Group. Seventeen days later, on April 18, KelpDAO lost roughly $292 million through a LayerZero bridge exploit. Researchers tied that attack to TraderTraitor, a Lazarus subgroup that targets cross-chain infrastructure. The two incidents together accounted for $577 million.
Total H1 2026 losses were less than half the $2.3 billion stolen in the same period a year earlier. The number of incidents, 207, is a record for a half-year. Attackers have shifted from scattering attempts across many small targets to focusing on high-value protocol infrastructure – DeFi platforms and cross-chain bridges – where one successful hit can net hundreds of millions.
Recovery rates remain low. North Korean operators move stolen funds through bridges, mixing services and other laundering methods that complicate tracing once the initial theft window closes, security analysts said. The $643 million figure covers only direct hacks and exploits, not revenue from parallel phishing schemes or fake job postings that North Korean operatives also run.
Cumulative North Korean crypto thefts since 2017 now exceed $6 billion, according to researchers who track the groups. The Lazarus Group's methods have evolved from relatively crude exchange hacks to operations that combine social engineering, custom malware and supply chain compromises with deep knowledge of DeFi protocol architecture.
The concentration of losses in DeFi and bridge infrastructure points to a specific risk for anyone holding capital on decentralized platforms. Two protocols lost nearly $600 million because their signer security and bridge architecture were not hardened against nation-state attackers. Before committing funds, investors need to examine multisig configurations and signer operational security, and ask whether the protocol has undergone security audits that model state-sponsored threats, security researchers said. The next attack could target a similar setup.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.