North Korea Stole 76% of All Crypto Hack Value in 2026 — With Just Two Attacks
2026-04-30 • TRM Labs
TRM Labs attributes about USD 577 million in 2026 crypto theft through April to North Korean hacking groups, with Drift Protocol and KelpDAO accounting for 76% of all crypto hack losses in that period. The Drift attack involved weeks of on-chain staging, months of social engineering against protocol signers, durable nonce abuse on Solana, manufactured collateral, and a rapid 12-minute drain before the stolen assets were bridged to Ethereum and left dormant. The KelpDAO attack exploited a single-verifier LayerZero bridge design after compromised RPC nodes and DDoS pressure caused false burn data to be accepted, enabling the theft of about 116,500 rsETH. TRM links KelpDAO to North Korea through on-chain funding and laundering evidence, including ties to prior TraderTraitor activity and movement through THORChain toward Bitcoin after Arbitrum froze part of the funds. The analysis highlights DPRK operators' preference for fewer high-value, precisely staged crypto operations and the need to monitor multisig governance, bridge-verifier design, THORChain flows, and DPRK-linked wallet movement.
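The bridge-verifier point can be made concrete with a simplified model. This is an added example, not code from TRM Labs, LayerZero or KelpDAO. It assumes a verifier that reads a burn amount from a configured set of RPC endpoints; the endpoint names, the amounts and all three function names are constructed for illustration. It shows why a check that only counts the endpoints that answered still accepts false data once the honest endpoints are unreachable, while a quorum over the configured set fails closed.

```python
from collections import Counter

# Constructed sample data: burn amount each endpoint reports for one message.
# None means the endpoint did not answer (for example, it is under DDoS).
HEALTHY = {"rpc-a": 0, "rpc-b": 0, "rpc-c": 0, "rpc-d": 1000, "rpc-e": 1000}
DEGRADED = {"rpc-a": None, "rpc-b": None, "rpc-c": None, "rpc-d": 1000, "rpc-e": 1000}


def naive_accept(responses):
    """Weak: trust the first endpoint that answers (single source of truth)."""
    for value in responses.values():
        if value is not None:
            return value
    return None


def majority_of_responders(responses):
    """Still weak: a majority among endpoints that answered. Taking honest
    endpoints offline shrinks the denominator until the false value wins."""
    votes = Counter(v for v in responses.values() if v is not None)
    if not votes:
        return None
    value, count = votes.most_common(1)[0]
    return value if count * 2 > sum(votes.values()) else None


def quorum_accept(responses, threshold):
    """Fail closed: accept only if `threshold` of the configured endpoints
    agree. Unreachable endpoints count against the quorum."""
    if threshold * 2 <= len(responses):
        raise ValueError("threshold must be a strict majority of configured endpoints")
    votes = Counter(v for v in responses.values() if v is not None)
    if not votes:
        return None
    value, count = votes.most_common(1)[0]
    return value if count >= threshold else None


if __name__ == "__main__":
    for name, data in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(name, naive_accept(data), majority_of_responders(data),
              quorum_accept(data, threshold=3))
```

A `None` result from `quorum_accept` means the message is held for retry or manual review rather than processed on partial evidence.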