The long con: How North Korean spies spent months in-person to drain $285 million from Drift

Finance Share Share this article Copy link X icon X (Twitter) LinkedIn Facebook Email The long con: How North Korean spies spent months in-person to drain $285 million from Drift The security intelligence research firm said North Korean-state-backed hackers account for 76% of all crypto scam and hack losses in 2026 and have stolen $6 billion since 2017. By Olivier Acuna | Edited by Jamie Crawley Apr 30, 2026, 12:58 p.m. 2 min read Make preferred on Hackers from North Korea are operating faster, more precisely and in person as they now account for 76% of all attacks in 2026, according to a new TRMLabs report. What to know : North Korean state-backed hackers, mainly the DPRK and Lazarus groups, are blamed for about 76% of global crypto hack losses in 2026, or nearly $600 million, bringing their total haul since 2017 to more than $6 billion. TRM Labs says these hackers are becoming more precise and faster, using tactics that now include months-long, in-person social engineering campaigns like the Drift Protocol exploit and sophisticated key compromises such as the Wasabi Protocol attack. The $292 million KelpDAO breach, attributed to Lazarus, not only exploited a known technical flaw but also triggered one of DeFi’s largest-ever wipeouts, erasing about $13 billion from lending platforms and leaving Aave with a major bad-debt crisis that industry players are now trying to backstop. North Korean government-backed hackers are becoming more sophisticated, more precise and now account for more than 76% or nearly $600 million in crypto losses this year alone. The $285 Drift Protocol exploit, for example, involved what TRMLabs describes as a long and “unprecedented in-person social engineering” attack. It included months of in-person meetings between North Korean proxies and Drift employees. “North Korean proxies sitting across a table from protocol employees over a period of months. That is, to my knowledge, unprecedented in North Korea's crypto hacking campaign,” Ari Redbord, Global Head of Policy and Government Affairs at TRMLabs, told CoinDesk. “This is no longer just a remote keyboard operation.” Ari’s comments accompany TRMLabs’ new report released Thursday , which highlights how North Korea’s two main hacking groups, DPRK and Lazarus, are responsible for 76% of all the crypto losses to hacks and exploits in 2026. “What we are watching is not a North Korean campaign that is broader — it is one that is sharper,” Redbord said in the report. "North Korea is moving faster and more precisely than ever.” “North Korea's cumulative crypto theft now exceeds $6 billion attributed incidents since 2017,” TRM Labs’ report adds. TRMLabs' findings coincide with a Wasabi Protocol exploit using a similar playbook to Drift’s April 19 hack, where the assailants used a compromised deployer key with no timelock or multisig to drain $4.5 million. The $292 million KelpDAO breach exploited a known single-verifier flaw that LayerZero had repeatedly warned against . The playbook was vastly different from the Drift exploit, according to TRMLabs. Hackers converted the Drift proceeds to USDC, bridged to Ethereum, swapped into ETH, and have not moved them since the day of the theft, which is consistent with the DPRK’s patient, multi-year cashout pattern. In contrast, Lazarus took their KelpDAO proceeds and immediately laundered them through THORChain and Umbra, which is handled almost entirely by Chinese intermediaries operating the well-documented TraderTraitor playbook, the report explains. The Kelp DAO exploit triggered DeFi’s largest wipeouts as $13 billion exited several lending platforms, most notably, Aave’s, which lost $8.54 billion in deposits over 48 hours, leaving it with a nearly $200 bad-debt crisis, which industry participants are now helping it to alleviate with $300 million in pledges . DeFi More For You MARA Holdings to buy Long Ridge Energy in $1.5 billion AI data center push By Francisco Rodrigues | Edited by Stephen Alpher 53 minutes ago The deal includes a 505 MW gas plant and 1,600 acres in Ohio, offering over 1 GW power capacity for future AI and IT buildout. What to know : MARA Holdings (MARA) is acquiring Long Ridge Energy & Power for $1.5 billion to power its AI data center expansion. The deal includes a 505 MW gas plant and 1,600 acres in Ohio, offering over 1 GW power capacity for future AI and IT buildout. The acquisition increases MARA's capacity... Read full story Latest Crypto News CoinDesk 20 performance update: Aptos (APT) gains 4.4% as nearly all assets rise 13 minutes ago MARA Holdings to buy Long Ridge Energy in $1.5 billion AI data center push 53 minutes ago Germany’s AllUnity expands EURAU to Solana as euro stablecoins gain traction 1 hour ago The Green Beret was just the start: New data suggests military insider trading crisis on Polymarket 1 hour ago Seasonal trends favor bulls even as bitcoin ends April in a defensive mood 2 hours ago Bitcoin faces $80,000 resistance as derivatives shows signs of risk aversion 2 hours ago Top Stories Wasabi Protocol drained of $4.5 million in apparent admin key compromise 3 hours ago Trump-backed World Liberty Financial races toward 62 billion token unlock with near-unanimous vote 5 hours ago Jack Mallers' Twenty One Capital surges after majority holder Tether proposes 3-way merger 15 hours ago Dogecoin zooms 10%, breaking away from bitcoin as open interest hits a yearly peak 5 hours ago XO Market bets on user-generated prediction markets to rival Polymarket and Kalshi 4 hours ago Hyperliquid’s HYPE token could be its prediction market weapon, Arthur Hayes says 8 hours ago