North Korea Rejects US Crypto Hacking Allegations Amid Record 2026 Thefts Linked To Lazarus Group

North Korea’s Foreign Ministry has vehemently denied U.S. accusations of involvement in major cryptocurrency hacks, labeling them as “absurd slander” aimed at justifying hostile policies against Pyongyang.[1][4] The denial comes amid mounting evidence from cybersecurity firms attributing a staggering 76% of all crypto hack losses in 2026 year-to-date to North Korean state-sponsored actors, totaling approximately $577 million from just two high-profile attacks.[2][3]

Pyongyang’s Strong Rebuke

A spokesperson for North Korea’s Foreign Ministry stated that the claims are “nothing but an absurd slander to tarnish the image of our country by spreading false information in pursuit of political purposes.”[1] This response follows reports from U.S. authorities and international bodies linking North Korean hackers to a series of sophisticated cyber operations targeting the cryptocurrency sector. The United Nations has previously estimated that North Korea-linked cyberattacks have stolen over $3 billion in crypto assets since 2017, underscoring long-standing concerns about state-backed cyber threats.[1]

North Korea’s rejection aligns with its pattern of dismissing foreign intelligence assessments as fabrications designed to maintain sanctions and isolation. Cybersecurity researchers have reinforced these concerns by connecting North Korean-affiliated groups, particularly the notorious Lazarus Group, to software supply chain attacks and other cyber intrusions.[1][4]

Record-Breaking 2026 Hacks

According to blockchain intelligence firm TRM Labs, North Korean hackers from two distinct groups executed attacks that accounted for the lion’s share of crypto thefts this year. Through April 2026, these operations netted $577 million, representing 76% of all recorded crypto hack losses.[2][5] This marks a sharp escalation from previous years, where North Korea’s share of global crypto theft rose steadily: under 10% in 2020, climbing to 22%, 37%, 39%, 64%, and now 76% in 2026.[3]

Key incidents include the April 18 hack of decentralized finance protocol Drift, where attackers drained funds using 31 pre-signed transactions executed in just 12 minutes. TRM Labs attributes this to North Korean actors, noting in-person meetings between North Korean proxies and Drift employees over six months to build trust and access.[2][3] Another major breach involved KelpDAO, with proceeds laundered through established channels favored by North Korean operatives.[2]

Blockchain analysis shows funds from the Drift hack being laundered via THORChain.

Sophisticated Laundering Tactics

The stolen funds follow a familiar playbook. In the Drift attack, approximately $175 million in Ethereum was swapped to Bitcoin primarily through THORChain, a cross-chain liquidity protocol without KYC requirements. Tools like Umbra, an Ethereum privacy mixer, were used to obscure wallet linkages.[2] TRM Labs traced initial funding for the exploit back to a 2018 Bitcoin wallet linked to Wu Huihui, a Chinese crypto broker indicted in 2023 for laundering Lazarus Group thefts.[2]

Laundering for the KelpDAO hack mirrors the “TraderTraitor” strategy, with Chinese intermediaries handling much of the process rather than North Korean actors directly. THORChain again played a central role, processing vast sums from prior heists like the Bybit breach in 2025 without freezing transfers.[2] These tactics highlight an industrial-scale operation, described by experts as nation-state driven rather than opportunistic crime.[3]

Broader Implications and U.S. Response

The Lazarus Group, widely believed to operate under North Korean military intelligence, has been cited in connection with the Drift hack and others.[4] U.S. sanctions continue to target entities facilitating these activities, with recent measures imposing penalties on involved parties.[5] The attacks lay bare the crypto industry’s vulnerabilities, as decentralized protocols become prime targets for well-resourced adversaries.

Experts warn that North Korea’s accelerating crypto theft funds its nuclear and missile programs, evading international sanctions through virtual assets. As attacks grow more audacious—involving social engineering and prolonged reconnaissance—the global financial system faces heightened risks.[3]

“This isn’t random hacking. This is a nation-state running an industrial-scale crypto theft operation—and it’s accelerating.”
— Crypto security analyst, via YouTube analysis[3]

Industry and Regulatory Fallout

The crypto sector grapples with these revelations. Protocols like THORChain, while innovative, have drawn criticism for enabling illicit flows due to lax compliance. Calls for enhanced on-chain monitoring and international cooperation intensify, even as North Korea maintains its innocence.

TRM Labs’ attribution relies on on-chain forensics, pre-attack funding traces, and laundering patterns, providing high-confidence links to Pyongyang despite official denials.[2] As 2026 progresses, the clash between North Korea’s rebuttals and forensic evidence underscores the ongoing cyber arms race in digital finance.

This story is developing, with investigators continuing to track laundered funds and potential future targets.
