North Korea Lazarus Group — H1 2026 Systematic Crypto Theft Campaign

[AI-DRAFTED · AWAITING VERIFICATION]
anchored·88Jofa…2pEQ

Summary

North Korea-linked threat actors, operating under cluster names including Lazarus Group and TraderTraitor (UNC4736), are alleged to have stolen approximately $643 million in cryptocurrency during the first half of 2026 — representing roughly 66% of the $972 million stolen across 207 documented incidents globally in that period, according to blockchain intelligence firm TRM Labs. Two anchor attacks, the $285 million Drift Protocol exploit on April 1 and the $292 million KelpDAO bridge exploit on April 18, together accounted for approximately 59% of all H1 2026 crypto hack losses. Cumulative DPRK-attributed crypto theft since 2017 has now exceeded $6 billion across an estimated 270+ incidents, according to multiple blockchain intelligence firms.

Timeline (18 events)

2017-01-01

DPRK-linked crypto theft operations begin, per the TRM Labs attribution baseline. The cumulative total exceeds $6 billion by H1 2026.

TRM Labs H1 2026 Report

2022-03-23

Lazarus Group executes $622 million Axie Infinity/Ronin bridge hack, the largest crypto theft to that date. FBI formally attributed it to Lazarus Group in April 2022.

OFAC / FBI attribution

2022-05-06

OFAC sanctions Blender.io, the first-ever designation of a virtual currency mixer, for providing services to Lazarus Group.

U.S. Department of the Treasury

2023-12-01

OFAC sanctions Sinbad.io virtual currency mixer for processing millions in Lazarus Group proceeds from the Horizon Bridge and Axie Infinity heists.

OFAC / Chainalysis

2025-02-21

Lazarus Group executes the $1.5 billion Bybit hack, at the time the single largest crypto theft on record, via compromise of a Safe{Wallet} developer's workstation and malicious JavaScript injection.

FBI / Chainalysis / CSIS

2025-09-01

Alleged start of Drift Protocol social engineering campaign. DPRK operatives allegedly began cultivating relationships with Drift contributors, posing as a quantitative trading firm.

TRM Labs / The Hacker News

2025-12-18

Chainalysis publishes full-year 2025 report: North Korea stole $2.02 billion in 2025, a 51% year-over-year increase, pushing all-time DPRK crypto theft to approximately $6.75 billion.

Chainalysis / CoinDesk

2026-03-11

On-chain staging for Drift Protocol attack begins: 10 ETH withdrawn from Tornado Cash, deployed around 09:00 Pyongyang Standard Time to fund CarbonVote Token deployment.

TRM Labs

2026-03-12

OFAC sanctions six DPRK IT worker facilitators and two entities (including Amnokgang Technology Development Company) for schemes generating nearly $800 million in 2024.

U.S. Department of the Treasury

2026-03-23

Attackers create multiple durable nonce accounts on Solana — a feature enabling pre-signed transactions to execute later without expiration — in preparation for the Drift exploit.

TRM Labs

2026-03-27

Drift Protocol migrates its Security Council to a new 2-of-5 threshold configuration with zero timelock, eliminating the delay that would have permitted detection and intervention.

TRM Labs

2026-04-01

Drift Protocol is drained of approximately $285 million in roughly 12 minutes. Stolen USDC is moved across 100+ transactions via Circle's CCTP over six hours. DRIFT token falls over 40%.

TRM Labs / Elliptic / The Hacker News

2026-04-18

KelpDAO's LayerZero bridge is drained of approximately $292 million in rsETH. Attackers compromise two RPC nodes and DDoS remaining nodes, forcing failover to poisoned infrastructure. Cascading effects trigger an estimated $10 billion Aave withdrawal wave.

LayerZero / Chainalysis / CoinDesk

2026-04-20

LayerZero publishes incident report attributing the KelpDAO exploit to DPRK's Lazarus Group / TraderTraitor, citing KelpDAO's single-DVN configuration as a critical enabling factor.

LayerZero / CoinDesk

2026-04-21

Arbitrum Network Security Council freezes 30,766 ETH (approximately $71 million) of KelpDAO attacker funds, recovering roughly 25% of stolen assets.

Crypto Briefing / Spoted Crypto

2026-04-30

CoinDesk publishes TRM Labs-sourced reporting that DPRK actors account for 76% of 2026 crypto exploit losses through April, with cumulative theft since 2017 topping $6 billion.

CoinDesk / TRM Labs

2026-05-05

KelpDAO publicly disputes LayerZero's attribution of blame to KelpDAO's configuration, stating that LayerZero had approved the single-DVN setup.

CoinDesk

2026-06-30

TRM Labs publishes H1 2026 crypto hacks report: 207 incidents totaling $972 million, with $643 million (66%) attributed to DPRK actors. Q2 2026 recorded 123 incidents, a record-setting quarter.

TRM Labs

Provenance & Audit Trail

Decision Log

This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

model: claude-sonnet-4-6

generated: 7/2/2026, 11:31:47 PM

last updated: 7/2/2026, 11:31:58 PM

avoid.net — verified advice for a post-truth world