North Korea-linked hacking groups accounted for 76 percent of the losses from cryptocurrency hacks reported through April this year, according to compiled data. A TRM Labs report cited by blockchain outlet BeInCrypto on Thursday said two attacks targeting Drift Protocol and KelpDAO pushed up total losses.

Losses from the two incidents total about $577 million. In an April 1 attack on Drift, Solana-based perpetual futures exchange Drift lost $285 million. Then on April 18, 116,500 rsETH was drained from KelpDAO’s cross-chain bridge, causing losses of about $292 million. The two cases accounted for 3 percent of hack incidents this year but made up most of the losses.

Drift said in a follow-up incident report that the attack resulted from a six-month intelligence-gathering operation linked to a North Korea-affiliated actor. The fallout spread to other protocols. Solana yield platform Carrot announced on April 30 that it would shut down operations. Carrot said it could no longer continue operating due to the impact of the Drift attack and instructed users to withdraw balances in Boost, Turbo and CRT positions by May 14. Forced deleveraging will begin after that.

The KelpDAO incident was recorded as the largest DeFi hack so far this year. An investigation identified Lazarus Group’s TraderTraitor as the likely mastermind. After the attack, total value locked across Aave and DeFi as a whole fell sharply.

North Korea’s share of cryptocurrency theft has continued to rise in recent years. North Korea-linked groups stole at least $2.02 billion in digital assets in 2025 alone. Their share of total hack losses rose to 22 percent in 2022 from less than 10 percent in 2020 and 2021, then climbed to 37 percent, 39 percent and 64 percent. The 76 percent figure through April this year is the highest level in related tallies.

TRM Labs assessed that the frequency of attacks itself has not increased. North Korea’s core hacking teams still precisely target a small number of victims each year. Instead, the attacks have become more sophisticated, it said. TRM Labs raised the possibility that North Korean groups are introducing artificial intelligence tools into reconnaissance and social engineering. The Drift case was closer to an attack that precisely manipulated complex blockchain structures over several weeks than a simple theft of private keys.