
North Korean Hackers Steal $500 Million in a Single Month, Becoming the Top Threat to Cryptocurrency Security
Drift Protocol and KelpDAO were attacked, suffering losses of approximately $286 million and $290 million, respectively; the attackers targeted peripheral infrastructure of the protocols.
By Oluwapelumi Adejumo
Translated by Chopper, Foresight News
In less than three weeks, a North Korea–linked hacking group stole over $500 million from cryptocurrency DeFi platforms. Their attack vectors have shifted from core smart contracts to vulnerabilities on the periphery of infrastructure.
Drift and KelpDAO Breached
Two major attacks—against Drift Protocol and KelpDAO—have pushed North Korean hackers’ illicit cryptocurrency earnings for this year past $700 million. The massive losses highlight a tactical shift: increasingly sophisticated exploitation of complex vulnerabilities and deep, long-term personnel infiltration to bypass standard security defenses.
On April 20, cross-chain infrastructure provider LayerZero confirmed that KelpDAO was breached on April 18, resulting in losses of approximately $290 million—the largest single crypto theft of 2026 to date. The company stated that preliminary forensic evidence directly points to TraderTraitor, a specialized unit within the notorious North Korean Lazarus Group.
Just weeks earlier, on April 1, Drift Protocol—a Solana-based decentralized perpetuals exchange—was compromised for roughly $286 million. Blockchain intelligence firm Elliptic quickly linked the on-chain money laundering patterns, transaction sequences, and network signatures to known North Korean attack methodologies, noting this was the 18th such incident they had tracked this year.
Shift in Tactics: Targeting Infrastructure Peripheries
The April attacks demonstrate growing sophistication in North Korean hackers’ targeting of DeFi. Rather than mounting direct assaults on core smart contracts, they now seek out—and exploit—structural vulnerabilities at the edges of infrastructure.
In the KelpDAO breach, for example, the attackers compromised the downstream RPC (remote procedure call) infrastructure used by LayerZero Labs' Decentralized Verifier Network (DVN). By tampering with the chain data the verifier read over these channels, they steered the protocol's behavior without breaking any cryptography. LayerZero has since disabled the affected nodes and fully restored its DVN, but the financial losses are irreversible.
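To make that failure mode concrete, here is an added illustration. It is not LayerZero's or KelpDAO's code and does not describe how the DVN is actually implemented; the endpoint names, the "provider" label for an upstream operator, the message fields and the "view" each endpoint reports are all constructed for this example. It shows two things: a verifier that trusts whatever one RPC endpoint says can be made to attest a message the source chain never emitted, and a quorum that counts endpoints rather than independent operators gives much less than it appears to.

```python
"""Added illustration (constructed; not LayerZero's or KelpDAO's code): a
verifier that trusts RPC-reported chain data can be fed a forged message,
and counting endpoints is not the same as counting independent operators."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    """A cross-chain message as the verifier sees it (constructed shape)."""
    nonce: int
    receiver: str
    amount: int

    def digest(self) -> str:
        payload = f"{self.nonce}|{self.receiver}|{self.amount}".encode()
        return hashlib.sha256(payload).hexdigest()


class RpcEndpoint:
    """Stand-in for an RPC node. `view` is the set of message digests it
    will confirm as emitted on the source chain; a compromised node simply
    reports extra digests. `provider` is an assumed label for the upstream
    operator the node runs on."""

    def __init__(self, name: str, provider: str, view: set[str]):
        self.name = name
        self.provider = provider
        self.view = view

    def message_emitted(self, digest: str) -> bool:
        return digest in self.view


# Constructed source-chain state: the only message really emitted.
HONEST_MSG = Message(nonce=1, receiver="0xrecipient", amount=100)
# The message the attacker wants verified; it never happened on-chain.
FORGED_MSG = Message(nonce=1, receiver="0xattacker", amount=10_000_000)

HONEST_VIEW = {HONEST_MSG.digest()}
COMPROMISED_VIEW = HONEST_VIEW | {FORGED_MSG.digest()}

# Three endpoints but only two operators: rpc-1 and rpc-2 sit behind the
# same compromised upstream and therefore tell the same lie.
ENDPOINTS = [
    RpcEndpoint("rpc-1", provider="provider-x", view=COMPROMISED_VIEW),
    RpcEndpoint("rpc-2", provider="provider-x", view=COMPROMISED_VIEW),
    RpcEndpoint("rpc-3", provider="provider-y", view=HONEST_VIEW),
]


def verify_single_source(msg: Message, endpoint: RpcEndpoint) -> bool:
    """Weak: attest if the one endpoint we happen to query says so."""
    return endpoint.message_emitted(msg.digest())


def verify_quorum(msg: Message, endpoints: list[RpcEndpoint], threshold: int) -> bool:
    """Better, but counts endpoints: two nodes behind one compromised
    provider still reach a threshold of 2."""
    votes = sum(1 for e in endpoints if e.message_emitted(msg.digest()))
    return votes >= threshold


def verify_quorum_by_provider(msg: Message, endpoints: list[RpcEndpoint], threshold: int) -> bool:
    """Count distinct providers that confirm the message, so a quorum of 2
    needs two independent operators to agree on the same lie."""
    agreeing = {e.provider for e in endpoints if e.message_emitted(msg.digest())}
    return len(agreeing) >= threshold


if __name__ == "__main__":
    for label, msg in (("honest", HONEST_MSG), ("forged", FORGED_MSG)):
        print(label,
              "single:", verify_single_source(msg, ENDPOINTS[0]),
              "quorum(2):", verify_quorum(msg, ENDPOINTS, 2),
              "by-provider(2):", verify_quorum_by_provider(msg, ENDPOINTS, 2))
```

Run stand-alone, the forged message passes both the single-source check and the endpoint-counting quorum, and is rejected only once agreement is counted per operator. The practical caveat is the same one the article's "peripheral infrastructure" framing points at: a verifier's security is bounded by the independence of the data sources it reads, not by how many URLs are in its config.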
This indirect approach reveals a disturbing evolution in cyber warfare. Cybersecurity firm Cyvers told CryptoSlate that North Korea–linked attackers are becoming increasingly adept—and investing more resources into planning and executing attacks.
The firm added: “We’ve also observed that they consistently identify the weakest links. In this case, the entry point was a third-party component—not the protocol’s core infrastructure.”
This strategy closely mirrors traditional corporate cyber espionage and suggests that North Korea–linked attacks are becoming significantly harder to defend against. Recent incidents—including Google researchers attributing a supply-chain compromise of the widely used Axios npm package to the North Korean threat actor UNC1069—indicate attackers are systematically sabotaging software *before* it enters the blockchain ecosystem.
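One check a practitioner wants after reading about a compromised npm package is that the artifact about to be installed or vendored is exactly the one pinned in the lockfile. The following is an added example and is not code from the page, from Google, or from npm itself; the lockfile contents, the package name and the tarball bytes are constructed, and `sri_hash` and `verify_tarball` are names chosen here. It assumes the lockfileVersion 2 or 3 layout, where entries live under `"packages"`.

```python
"""Added example (constructed; not the page's or any project's code):
verify a package tarball against the Subresource-Integrity (SRI) hash
pinned in an npm package-lock.json before installing or vendoring it."""
import base64
import binascii
import hashlib
import hmac
import json

SRI_ALGOS = {"sha256", "sha384", "sha512"}  # algorithms we accept


def sri_hash(data: bytes, algo: str = "sha512") -> str:
    """Produce the 'algo-<base64 digest>' form npm stores as `integrity`."""
    return f"{algo}-" + base64.b64encode(hashlib.new(algo, data).digest()).decode()


def verify_tarball(lock_json: str, package: str, tarball: bytes) -> tuple[bool, str]:
    """Return (ok, reason). Fails closed when the package is not pinned,
    carries no integrity field, or pins only algorithms we do not accept."""
    lock = json.loads(lock_json)
    entry = lock.get("packages", {}).get(f"node_modules/{package}")
    if entry is None:
        return False, "package not present in lockfile"
    integrity = entry.get("integrity", "")
    if not integrity:
        return False, "no integrity hash pinned"
    # SRI allows several space-separated hashes; any exact match on an
    # accepted algorithm is enough.
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo not in SRI_ALGOS:
            continue
        try:
            expected = base64.b64decode(b64, validate=True)
        except binascii.Error:
            continue
        actual = hashlib.new(algo, tarball).digest()
        if hmac.compare_digest(actual, expected):
            return True, f"{algo} matches"
    return False, "integrity mismatch"


# Constructed fixtures: the tarball the lockfile was generated from, and a
# tampered copy with a postinstall hook appended.
GOOD_TARBALL = b"\x1f\x8b\x08constructed-tarball-bytes"
TAMPERED_TARBALL = GOOD_TARBALL + b'"postinstall": "node ./payload.js"'

LOCK_JSON = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "node_modules/axios": {
            "version": "0.0.0-constructed",
            "integrity": sri_hash(GOOD_TARBALL),
        },
        # A dependency that was pinned by version only; fails closed below.
        "node_modules/unpinned-dep": {"version": "1.0.0"},
    },
})

if __name__ == "__main__":
    print(verify_tarball(LOCK_JSON, "axios", GOOD_TARBALL))
    print(verify_tarball(LOCK_JSON, "axios", TAMPERED_TARBALL))
    print(verify_tarball(LOCK_JSON, "unpinned-dep", GOOD_TARBALL))
    print(verify_tarball(LOCK_JSON, "not-a-dep", GOOD_TARBALL))
```

npm already checks the lockfile's `integrity` field on install; the value of a stand-alone check like this is in out-of-band paths such as internal mirrors, vendored tarballs or build images. The caveat is that a hash pin only proves you got the artifact you pinned: a malicious release published upstream as a new version carries a valid hash of its own, so the protection comes from not bumping the pin without reviewing what changed.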
North Korea’s Infiltration of the Global Crypto Workforce
Beyond technical breakthroughs, North Korea is also conducting large-scale, organized infiltration of the global cryptocurrency labor market.
The threat model now extends beyond remote hacking operations to embedding malicious insiders directly into unsuspecting Web3 startups.
After a six-month investigation, the Ketman Project—an initiative under the Ethereum Foundation’s ETH Rangers security program—reached a startling conclusion: approximately 100 North Korean cyber operatives are embedded inside multiple blockchain companies. Using forged identities, they easily pass standard HR vetting processes and gain access to sensitive internal code repositories, remaining silently embedded within product teams for months—or even years—before launching precise attacks.
Independent blockchain investigator ZachXBT has further corroborated this intelligence-agency-style infiltration. He recently exposed a North Korean network that uses fraudulent identities to secure remote jobs, generating approximately $1 million per month.
The operation converts its cryptocurrency to fiat through mainstream financial channels and has processed over $3.5 million since late 2025.
Industry insiders estimate that North Korea’s overall deployed IT workforce generates several million dollars in monthly revenue. This provides Pyongyang with a dual income stream: stable salary payments *plus* massive protocol thefts enabled by insider assistance.
$6.75 Billion Total Theft
North Korea’s digital asset operations dwarf those of any traditional cybercrime syndicate. According to blockchain analytics firm Chainalysis, North Korea–linked hackers stole a record $2 billion in 2025 alone—accounting for 60% of all global cryptocurrency theft that year.
Counting this year's attacks, North Korea's cumulative cryptocurrency theft to date has reached $6.75 billion.
Once funds are secured, the Lazarus Group employs highly specific, regionally focused money laundering patterns. Unlike typical crypto criminals who frequently use DEXs and peer-to-peer lending protocols, North Korean hackers deliberately avoid these channels. On-chain data shows they heavily rely on Chinese-region escrow trading services, deep over-the-counter brokerage networks, and sophisticated cross-chain mixing services. This preference reflects structural constraints and geographically limited monetization pathways—not unrestricted access to the global financial system.
Can It Be Prevented?
Security researchers and industry executives believe prevention is possible—but only if crypto enterprises address the same operational weaknesses repeatedly exposed in major breaches.
Terence Kwok, founder of Humanity, told CryptoSlate that North Korea–linked attacks continue to target common vulnerabilities—not novel intrusion techniques. He argues that while North Korean attackers are enhancing both their intrusion capabilities and proceeds-laundering methods, the root causes remain poor access controls and centralized operational risks.
He explained: “What’s shocking is that losses still stem from age-old issues like access control failures and single points of failure. This indicates the industry hasn’t yet resolved fundamental security discipline problems.”
Accordingly, Kwok identifies the industry’s first line of defense as dramatically increasing the difficulty of moving assets—by enforcing stricter controls over private keys, internal permissions, and third-party access rights. Practically, firms must reduce reliance on individual operators, limit privileged access, harden vendor dependencies, and add more verification layers between core protocols and the external world.
The second line of defense is speed. Once stolen funds cross chains, bridges, or enter laundering networks, recovery odds plummet sharply. Kwok emphasized that exchanges, stablecoin issuers, blockchain analytics firms, and law enforcement agencies must coordinate rapidly—in the first minutes or hours after an attack—to improve interception success rates.
His remarks underscore an industry reality: the most vulnerable points in crypto systems often lie precisely where code, people, and operations intersect. A single compromised credential, a weak vendor dependency, or an overlooked permission flaw can trigger losses of hundreds of millions of dollars.
The challenge for DeFi is no longer just writing robust smart contracts—it’s securing operational integrity at the protocol periphery before attackers exploit the next weak link.