The blockchain intelligence firm TRM Labs recently reported that North Korean hackers are responsible for 76% of all crypto hack losses this year. Two of the biggest attacks came in April, a month where losses have shot past the combined total for the first three months of the year.
Simultaneously, the U.S. Department of the Treasury has officially designated a sitting Cambodian senator and his network of scam compounds.
Those links to state-level actors have led to parallels being drawn between both Asian nations, which have gained notoriety in recent days.
How are North Korean hackers stealing crypto differently in 2026?
TRM Labs released data showing that North Korean hackers are launching less frequent attacks but much smarter ones.
North Korea has stolen over $6 billion in crypto since 2017, but in April 2026, two major hacks that dwarfed all other crypto theft globally occurred. The first was the Drift Protocol breach on April 1, which resulted in a $285 million loss.
TRM analysts revealed that to achieve this hack, North Korean proxies held in-person meetings with Drift employees over several months.
The attackers used Solana’s “durable nonce” feature, which allows a transaction to be signed and held for execution at a much later date. Between March 23 and March 30, 2026, the hackers tricked two of Drift’s five Security Council signers into pre-approving 31 withdrawals.
Prior to the hack, Drift had migrated its Security Council to a configuration with zero timelock, meaning approved actions took effect immediately. The hack was executed in just 12 minutes, and now the stolen funds are sitting dormant on Ethereum.
The second was the KelpDAO exploit that occurred on April 18 and resulted in a $292 million loss. The hack was attributed to the Lazarus Group’s “TraderTraitor” unit. Hackers compromised internal RPC nodes and launched a DDoS attack to manipulate a single−verifier bridge.
The theft left Aave with a massive “bad debt” hole initially estimated at $195 million. As a result, borrowing rates for Tether (USDT) on Aave skyrocketed to 14%, the highest since December 2024.
Over $13 billion in deposits exited major lending platforms within 48 hours following the hack. Aave itself lost $8.54 billion in deposits.
The laundering phase of these hacks is reportedly handled by Chinese intermediaries, not the North Koreans themselves.
Cambodia’s cybercrime problem
The Office of Foreign Assets Control (OFAC) sanctioned Cambodian Senator Kok An and 28 individuals/entities under Executive Order 13694.
The U.S. Treasury alleges that Kok An, through his companies Crown Resorts and Anco Brothers, owns casinos and properties in Sihanoukville and Poipet that have been converted into “scam compounds.”
These compounds force human trafficking victims to run “pig butchering” scams, defrauding Americans out of millions in digital assets.
The OFAC also sanctioned Brilliancy Sihanoukville Investment (Bolai), which runs the scams, launders money through gambling websites, and sends funds directly to U.S.-based cells. The Secret Service traced $1.3 million from American victims directly to bank accounts owned by Bolai’s founder, Luo Hong.
A previous similar case involved Chen Zhi, Chairman of the Prince Group. Cryptopolitan reported that Cambodia extradited Chen Zhi to China after U.S. authorities indicted him for running forced-labor scam compounds.
The decision to extradite him out of the country seemed expedient as the operation mastermind was alleged to have links to the Cambodian state, growing his influence after he became a Cambodian citizen in 2014.
The U.S. had previously seized $15 billion in Bitcoin from him and his bank, Prince Bank, was placed under liquidation by the National Bank of Cambodia.
