
North Korean hackers stole $577M in crypto in April 2026, 76% of all hack value. Ribbit Capital's Jessi Brooks argues the industry must stop hiding behind vague 'illicit finance' language.
Jessi Brooks has a message for an industry that prefers euphemisms. The General Counsel at Ribbit Capital and former federal prosecutor appeared on TRM Talks on July 1 to name the threat directly: North Korea is funding its nuclear weapons program with stolen crypto, and the industry's habit of calling it "illicit finance" is helping no one.
TRM Labs' mid-year data gives her argument teeth. North Korean-linked hackers stole roughly $577 million in crypto during April 2026 alone. That single month accounted for 76% of all hack value recorded through April. For the first half of the year, 66% of all crypto losses trace back to the DPRK.
Two attacks drove the April total. The first hit Drift Protocol on April 1, netting $285 million. The attackers spent months on social engineering, including in-person meetings, before executing the exploit. The second targeted KelpDAO on April 18, taking $292 million through a flaw in a LayerZero bridge. TRM Labs attributed both to distinct subgroups of the Lazarus Group, North Korea's state-backed hacking operation.
North Korea's cumulative crypto theft since 2017 now exceeds $6 billion. That makes the DPRK the single largest source of stolen value in the entire crypto space, by a wide margin.
Brooks argued the scale demands a different posture from security teams and protocol designers. A $300 million theft from a single protocol is not a counterparty risk that insurance can manage. It is a state-level threat. That means tighter KYC and AML on exchange flows, deeper vetting of bridge contracts, and treating social engineering as a systemic risk rather than a one-off user error.
The industry's reflex is to treat each hack as an isolated security failure. Brooks's point is that the pattern itself is the threat. The DPRK does not steal crypto for profit. It steals to fund a weapons program that the United Nations has sanctioned for decades. Every dollar that flows to Pyongyang through a bridge exploit or a social engineering campaign extends the regime's reach.
"They are building a nuclear weapons system with the money that they hack from crypto," Brooks said on the podcast.
Traders and investors should watch for regulatory responses. If the U.S. Treasury or OFAC intensifies scrutiny of protocols that handled stolen funds, the compliance burden could shift. Exchanges that process withdrawals from affected addresses may face sanctions risk. The next 12 months will test whether the industry can build defenses that match the sophistication of a state actor, not just generic script kiddies.
Brooks's closing line was blunt: "The crypto industry has a North Korea problem. It's time to stop calling it something else."
Prepared with AlphaScala editorial tooling from the source reporting linked above. Indexable analysis may include a cited Alpha Score value. Publishing checks screen each story before release. Educational coverage, not personalized advice.