North Korea-Linked Hackers Stole 66% of Crypto in H1 2026 as Hacks Hit Record High

Daily Feed
North Korea-Linked Hackers Stole 66% of Crypto in H1 2026 as Hacks Hit Record High

North Korea-linked hackers stole two-thirds of crypto in 2026, even as the total dollar haul fell sharply from the year before.

  • 207 hacks in six months, a record for TRM Labs
  • $972 million stolen in H1 2026, down from $2.3 billion in H1 2025
  • 66.2% of stolen value tied to North Korea-linked entities
  • Infrastructure and operational compromises drove most of the losses

Crypto Hacks in H1 2026: Record Incidents but Lower Losses was the message from TRM Labs on July 1, and the point is hard to miss: crypto security did not suddenly get “solved” because the total loss number went down. The loss curve fell, but the threat did not.

According to TRM, attackers carried out 207 separate hacks in the first six months of 2026, the highest number it has recorded in any six-month period. Yet total losses dropped to $972 million, down from $2.3 billion in the first half of 2025.

That sounds like progress until you look at what actually changed. The decline came less from broad security gains and more from the lack of another monster-sized theft blowing up the numbers.

North Korea-linked entities remained the single largest source of stolen value. TRM says they were responsible for 66.2% of the $972 million stolen in H1 2026, or roughly $643 million.

That figure matters, but it also needs the right context. TRM says it counted only hacks and exploits. It did not include other ways North Korea-linked operators reportedly generate crypto, such as phishing, social engineering, fraud, scams, or covert IT worker operations. So the $643 million number is not the regime’s full crypto income. It is just the portion TRM could attribute to hacks and exploits.

In other words: the theft machine is not some side hustle. It is a revenue stream.

TRM says the biggest losses in the first half of 2026 came from infrastructure and operational compromises, which accounted for about 15% of incidents but roughly 76% of total losses. That is the ugly part of the story. Most incidents were smaller smart contract exploits, but the biggest damage came from attacks that got past code and into the machinery around it, access controls, keys, custody workflows, and backend systems.

TRM also reported more than 100 smaller smart contract exploits. So yes, the code still gets picked apart. But the real money tends to disappear when attackers reach the people and processes behind the protocol, not just the contract itself.

“The first half of 2026 demonstrates that crypto security has entered a new phase, ” TRM Labs said.
“Large infrastructure compromises continue to drive the industry’s biggest financial losses, while a growing number of smaller smart contract exploits are pushing incident counts to record levels.”

That split explains why more hacks did not automatically mean more dollars lost. TRM put it bluntly: “a single successful operation against a major target can still outweigh months of losses from every other attacker combined.”

The two largest incidents TRM highlighted were a $285 million breach of Drift in April and a $292 million hack of KelpDAO. Together, those operations accounted for most of the North Korea-linked loss total. That is the kind of concentration risk that makes crypto security look less like a neat technical problem and more like a loaded gun sitting on the table.

TRM’s broader framing matters too. North Korea is heavily sanctioned and isolated from the traditional financial system, which makes digital assets attractive as a source of foreign currency. Crypto is global, portable, and often easier to exploit through operational weakness than through brute force. That makes it useful to a state that needs money and does not care much about clean hands.

The scale of the problem is not new. TRM said North Korea-linked entities stole roughly $1.7 billion in the first half of 2025. Chainalysis previously reported that North Korea's Dominance in Crypto Hacks and Laundering showed up clearly again, with North Korean hackers stealing $1.34 billion across 47 incidents in 2024, representing 61% of that year’s total. Recorded Future said in 2023 that North Korea had generated over $3 billion through hacking over the previous six years.

Those numbers come from different firms and timeframes, so they are not perfect apples-to-apples comparisons. But they point in the same direction. This is a long-running state-backed income model, not a one-off crime spree.

Cyber attribution is never as clean as a courtroom verdict, and “North Korea-linked” is a careful phrase for a reason. It reflects evidence from blockchain tracing, behavior patterns, and other intelligence rather than magical certainty etched into the chain. Still, the pattern is strong enough that pretending it is noise would be silly.

The threat picture is also getting more annoying in a very modern way. North Korea-linked operators have been tied to increasingly sophisticated deception and infiltration schemes, including covert IT worker operations. The basic idea is simple and grim: get paid like a legitimate remote worker, gain trust, and use that access to help fund or enable the larger operation. Nothing says “innovation” quite like weaponized payroll fraud.

For crypto teams, the security lesson is pretty clear. Audits matter. Smart contract review matters. But the major losses in TRM’s report came from the layers around the code, signer security, key management, approval flows, infrastructure hardening, and incident response. If a project is only testing the contract and ignoring the rest, it is securing one door while leaving the windows open and the back gate hanging off its hinges.

DeFi remains a juicy target because it concentrates value, relies on complex integrations, and often puts serious money behind fragile operational setups. That does not mean decentralized finance is broken by default. It does mean the sector has to stop pretending that elegant code alone is enough. The enemy does not care how beautiful the protocol diagram looks.

There is also a blunt strategic point here: sanctions and blockchain tracing have not stopped North Korea’s crypto theft economy. They may force it to adapt, but adaptation is part of the business model. If the rewards stay high enough, the attackers will keep iterating. That is the uncomfortable reality behind the headline numbers.

The good news is that the biggest losses are increasingly understandable. The bad news is that understanding them does not make them go away. Until operational security becomes as serious as on-chain security, the same playbook will keep working on the weakest teams.

Key questions and takeaways

  • Why did losses fall even though hacks hit a record?
    Because a record number of smaller incidents did not add up to another mega-theft. A few large infrastructure and operational compromises drove most of the damage, but the year-over-year total still came in much lower than H1 2025.

  • How much did North Korea-linked actors steal?
    TRM Labs says they were responsible for 66.2% of the $972 million stolen in H1 2026, or about $643 million. That figure covers only hacks and exploits, not other illicit crypto income.

  • What kind of attacks caused the biggest losses?
    Infrastructure and operational compromises did. TRM says those made up about 15% of incidents but roughly 76% of total losses, which shows how expensive access-control and custody failures can be.

  • Are smart contract exploits still a major problem?
    Yes. TRM reported more than 100 smaller smart contract exploits in the first half of 2026. They were less damaging than the biggest infrastructure hits, but they still kept incident counts at record levels.

  • Is North Korea’s crypto theft just about hacks?
    No. TRM says North Korea also generates crypto through phishing, social engineering, fraud, scams, and covert IT worker operations. Hacks are only one part of the funding model.

One hard truth remains: as long as crypto holds real value and teams leave weak points in keys, access, and operations, organized attackers will keep coming back. North Korea has turned that weakness into a state-level business, and it is still paying.

Further reading

For more on North Korea’s crypto theft playbook and the security failures that keep feeding it:

Share this article

Powered by ADBYTES

Advertise smarter.

Adbytes.Media is a transparent advertising network where advertisers reach real audiences and publishers, affiliates & everyday members earn ADBYTES tokens. Join the community and start earning today.

Back to Blog