North Korean hackers have become the biggest nightmare in the crypto world. Recently, after reading the TRM Labs report, the data gave me chills—only four months into the year, North Korean hacking groups have already plundered about $577 million, accounting for 76% of the stolen funds worldwide during the same period. This ratio is truly astonishing.

The losses mainly stem from two major incidents in April. Kelp DAO was drained of $292 million, while Drift Protocol was hacked for $285 million. Interestingly, these two cases only account for 3% of the total attacks in the first four months of this year, yet they caused the vast majority of the losses. This indicates that North Korean hackers have upgraded from "shotgun" tactics to precise sniping.

The Kelp DAO incident was carried out by the notorious TraderTraitor, closely linked to the Lazarus Group. The Drift attack was attributed to another North Korean hacking team that has not yet been fully exposed.

Regarding the Drift attack, I think the most terrifying part is that it was not a sudden strike at all. TRM revealed that it was a months-long, meticulously planned infiltration operation. North Korean agents engaged with the Drift team through multiple offline meetings, began deployment on March 11, set up durable nonce accounts on Solana (the "persistent nonce" mechanism, which lets a signed transaction stay valid indefinitely instead of expiring with its recent blockhash) to hold pre-signed transactions, and tricked several of the multisig signers on the Drift Security Committee into pre-approving those transactions. The fatal blow came on April 1, just days after Drift adjusted the security committee's signing threshold and removed the timelock. The hackers fired off 31 pre-signed withdrawal transactions within 12 minutes, draining the funds outright. This combination of social engineering and technical manipulation is almost impossible to defend against.

The Kelp DAO incident follows a different pattern. The hackers exploited a flaw in the "single validator" architecture of the LayerZero cross-chain communication protocol, infiltrating the RPC infrastructure to tamper with verification logic. After forcing the system to transfer verification authority to controlled nodes, over 116k rsETH were looted. Even though Arbitrum’s team quickly froze some assets, the hackers swiftly moved the funds out through cross-chain liquidity protocols like THORChain.

What’s even more concerning is the trend. The proportion of total cryptocurrency thefts attributable to North Korean hackers has been skyrocketing—from less than 10% in 2020 and 2021, climbing to 22% in 2022, 37% in 2023, 39% in 2024, and reaching a record high of 76% in 2025. Since 2017, North Korean hackers have stolen over $6 billion in crypto.

TRM pointed out that the massive $1.46 billion hack of a major exchange in 2025 marked a turning point in North Korean hacking tactics. Afterward, they shifted strategies, no longer randomly attacking targets but focusing on high-value targets, specifically targeting cross-chain bridges, multi-signature governance systems, and other critical infrastructure to achieve a one-hit kill.

Interestingly, the Drift and Kelp DAO cases also reflect the diversification of North Korean money laundering methods. The hackers behind Drift are very patient; after transferring funds to Ethereum, they have remained inactive, possibly planning to "hide" the funds for months or even years, waiting for the hype to die down before cashing out. In contrast, the Kelp DAO hackers prefer quick strikes, rapidly converting funds through THORChain into Bitcoin, then handing them over to underground money laundering intermediaries.

In the face of these increasingly rampant threats, TRM calls on major platforms to immediately enhance compliance monitoring. Key defense points include tightly monitoring cross-chain funds flowing through THORChain, strengthening multi-hop transaction tracking for cross-chain bridge infrastructure, and strictly scrutinizing deposit paths related to Solana governance, especially transactions involving persistent nonce mechanisms. Furthermore, the industry should actively join cross-platform defense mechanisms like Beacon Network, which can quickly trigger joint alerts once North Korean hacker wallet addresses are identified, effectively cutting off money laundering flows. This cyber offense and defense battle is far from over; the nightmare in the crypto world continues.
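The defensive points above (scrutinizing Solana governance deposit paths, especially durable-nonce transactions) and the Drift timeline earlier in the post translate into a concrete monitoring rule. The Python below is an added example written for this page, not code from TRM Labs, Drift or Gate: it flags bursts of durable-nonce withdrawals from a governance-controlled vault and correlates each burst with governance weakenings (threshold change, timelock removal) in the preceding days. The transaction record layout, the vault and program addresses, and the timeline are constructed for illustration; the System Program id and the rule that a durable-nonce transaction must begin with an AdvanceNonceAccount instruction are real Solana details.

```python
from datetime import datetime, timedelta

# Solana System Program id (real) and the durable-nonce instruction it exposes.
SYSTEM_PROGRAM = "11111111111111111111111111111111"
ADVANCE_NONCE = "AdvanceNonceAccount"

# Constructed placeholder addresses; not real Drift accounts.
VAULT = "VaultAccountPlaceholder111111111111111111111"
VAULT_PROGRAM = "VaultProgramPlaceholder11111111111111111111"


def uses_durable_nonce(tx):
    """Solana requires a durable-nonce transaction to start with
    AdvanceNonceAccount, so the first instruction is the cheapest reliable tell."""
    ix = tx["instructions"]
    return bool(ix) and ix[0]["program"] == SYSTEM_PROGRAM and ix[0]["type"] == ADVANCE_NONCE


def is_vault_withdrawal(tx, vault):
    return any(i["type"] == "Withdraw" and i.get("from") == vault for i in tx["instructions"])


def find_bursts(txs, vault, window, min_count):
    """Sliding window over durable-nonce withdrawals from `vault`.
    Returns (first_time, last_time, count) for every run of at least
    `min_count` such transactions whose span fits inside `window`."""
    hits = sorted(tx["time"] for tx in txs
                  if uses_durable_nonce(tx) and is_vault_withdrawal(tx, vault))
    bursts, i = [], 0
    while i < len(hits):
        j = i
        while j + 1 < len(hits) and hits[j + 1] - hits[i] <= window:
            j += 1
        if j - i + 1 >= min_count:
            bursts.append((hits[i], hits[j], j - i + 1))
            i = j + 1
        else:
            i += 1
    return bursts


def correlate_with_governance(bursts, gov_events, lookback):
    """Attach any governance weakening that landed within `lookback` before
    each burst; that pairing is the sequence the post describes."""
    alerts = []
    for first, last, count in bursts:
        preceding = [e["type"] for e in gov_events if first - lookback <= e["time"] <= first]
        alerts.append({"first": first, "last": last, "count": count, "preceded_by": preceding})
    return alerts


def _withdraw_tx(t, durable):
    ix = [{"program": SYSTEM_PROGRAM, "type": ADVANCE_NONCE}] if durable else []
    ix.append({"program": VAULT_PROGRAM, "type": "Withdraw", "from": VAULT})
    return {"time": t, "instructions": ix}


def sample_transactions():
    """Constructed timeline: a week of routine withdrawals, then 31
    durable-nonce withdrawals inside roughly 12 minutes (shape taken from the post)."""
    routine_start = datetime(2026, 3, 20, 10, 0)
    txs = [_withdraw_tx(routine_start + timedelta(days=d), durable=False) for d in range(0, 8, 2)]
    strike = datetime(2026, 4, 1, 12, 0)
    txs += [_withdraw_tx(strike + timedelta(seconds=23 * k), durable=True) for k in range(31)]
    return txs


def sample_governance_events():
    """Constructed: the two configuration changes that precede the strike."""
    return [{"time": datetime(2026, 3, 29, 9, 0), "type": "ThresholdLowered"},
            {"time": datetime(2026, 3, 29, 9, 5), "type": "TimelockRemoved"}]


def run_detection(window_minutes=15, min_count=5, lookback_days=7):
    bursts = find_bursts(sample_transactions(), VAULT, timedelta(minutes=window_minutes), min_count)
    return correlate_with_governance(bursts, sample_governance_events(), timedelta(days=lookback_days))


if __name__ == "__main__":
    for a in run_detection():
        print(f"{a['count']} durable-nonce withdrawals between {a['first']} and {a['last']}; "
              f"preceded by: {', '.join(a['preceded_by']) or 'nothing'}")
```

Run it directly to print the single alert the constructed data produces. In a real deployment the transaction records would come from an RPC or indexer feed and the governance events from the multisig program's own logs. Keying on the nonce instruction is deliberate: a withdrawal pre-signed weeks in advance cannot rely on a recent blockhash, so AdvanceNonceAccount at position zero is the cheapest indicator that a stockpile of pre-approvals exists, and a threshold change or timelock removal shortly before such a burst is exactly the sequence worth paging someone over.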