North Korea Dominates Crypto Heists With 76% of Losses

“That ratio — small number of attacks, outsized share of losses — has characterized North Korea's approach across most years since 2017,” TRM Labs wrote after calculating that North Korean-aligned hackers accounted for 76% of all cryptocurrency losses in the first four months of this year.

TRM Labs on North Korea — Drift Protocol and KelpDAO

TRM Labs attributes the outsized share of early-2026 crypto losses to just two incidents: the April 1 Drift Protocol hack that stole $285 million and the April 18 KelpDAO exploit that took $292 million. TRM wrote that Pyongyang’s campaign has trended upward, moving from under 10% of crypto hack losses in 2020 to roughly two-thirds last year, and now 76% for the year-to-date period covered.

TRM’s analysis links different post-theft behaviors to different groups. The Drift Protocol proceeds, TRM said, fit a “well-documented North Korean pattern: hold proceeds for months or years, then execute a structured, multi-phase cashout.” In contrast, KelpDAO funds were routed to Chinese criminal intermediaries and into services like THORChain, which TRM flagged as a “reliable, high-capacity exit ramp.” THORChain developers, for their part, assert the protocol “is decentralized and lacks a central operator,” a claim TRM describes as “not necessarily accurate.”

KelpDAO Recovery — DeFi United's $300M Plan

DeFi United, a coalition of decentralized finance projects, outlined a coordinated remediation to restore backing for KelpDAO’s rsETH token after the $292 million exploit. Participants have pooled more than $300 million worth of ETH and plan staged conversions into rsETH, sending funds into a securing contract for the bridge and liquidating affected lending positions on platforms such as Aave to repay deficits.

The plan requires governance approvals and coordinated execution, and DeFi United acknowledged risks including potential attacker interference and untested security updates. If executed as designed, the group aims to fully restore token backing and stabilize impacted markets.

Enforcement, Sentences and Sanctions — Cartier, Cambodia, Tangeman, Inos, Mashinsky, and an Army Soldier

U.S. and international authorities continued using criminal charges, asset restraints and sanctions in parallel with private-sector responses. Maximilien de Hoop Cartier received an eight-year prison term after prosecutors said his unlicensed crypto exchange laundered more than $470 million, moving funds through U.S. bank accounts to Colombia; he pleaded guilty to operating an illegal money-transmitting business and conspiracy to commit bank fraud.

The U.S. Department of the Treasury sanctioned Cambodian senator Kok An and dozens of associates for running scam compounds that reportedly use forced labor to coerce victims into sending cryptocurrency. The U.S. Department of Justice separately restrained over $700 million tied to money laundering and shut down hundreds of fake investment websites.

In the U.S., Evan Tangeman was sentenced to 70 months in prison for helping launder proceeds from a scheme that stole about $263 million; prosecutors said he converted at least $3.5 million into cash and used fake identities to facilitate the operation. A federal judge sentenced Sze Man Yu Inos to 71 months for a bitcoin romance-investment fraud that targeted older women, and ordered repayment of $769,355. The U.S. Federal Trade Commission and federal prosecutors reached a settlement with former Celsius CEO Alex Mashinsky requiring $10 million in payments and a permanent ban from crypto trading, with a suspended $4.7 billion judgment that may be reinstated under certain conditions.

Separately, federal agents arrested Army soldier Gannon Ken Van Dyke for allegedly using classified military information to place prediction-market bets tied to an operation to capture Venezuelan leader Nicolas Maduro; prosecutors say he placed 13 bets totaling about $33,000 that would have been worth roughly $410,000 if the event had occurred, and he has pleaded not guilty.

Litecoin Vulnerability — MimbleWimble Extension Block Exploit

The Litecoin Foundation reported a coordinated attack exploiting a zero-day in Litecoin’s MimbleWimble Extension Block privacy feature that produced a chain reorganization more than three hours long. The flaw, the foundation said, allowed invalid transactions to appear legitimate on outdated mining software. Attackers moved funds out of the privacy layer and executed double-spend attacks, particularly affecting cross-chain trading platforms; some mining pools also faced denial-of-service attacks. The foundation stated it has fixed the vulnerability and removed fraudulent transactions, though some trading platforms reported losses.

What this means for technologists, policymakers, and end users

  • Technologists and security teams should watch cross-chain liquidity protocols and privacy-layer code paths: TRM highlighted THORChain and the MimbleWimble privacy feature as active paths for high-capacity exits and exploits, respectively.
  • Policymakers and regulators will see enforcement as an active tool: sanctions by the U.S. Department of the Treasury, asset restraints by the Department of Justice, and criminal prosecutions — from money launderers to scheme operators — demonstrate a mix of tools being used against on- and off-chain criminality.
  • End users and service operators face continued operational risk: large coordinated recoveries such as DeFi United’s $300M plan carry governance and execution risk, while state actions and bans — like Tennessee’s forthcoming prohibition on crypto ATMs, signed April 13 and effective July 1 — change the on-ramps and legal exposure for customers and hosts.

The record from these incidents is stark: concentrated, high-value thefts can reshape the loss landscape in weeks; the laundering pathways vary from long-term staged cashouts to rapid movement through intermediaries and cross-chain bridges; and responses range from private pooled recoveries to criminal prosecutions and sanctions. Whether cooperative remediation, heightened enforcement, or protocol fixes will blunt the current spike in losses is the immediate test for authorities, developers and market participants alike.

https://www.govinfosecurity.com/cryptohack-roundup-north-korea-steals-bulk-crypto-so-far-a-31554