    North Korea stole $500 million from crypto in 20 days

    By jalilawsmith, April 21, 2026

    In just under three weeks, cyber operatives linked to the Democratic People’s Republic of Korea (DPRK) have stolen more than $500 million from crypto DeFi platforms.

    This marks a drastic escalation in Pyongyang’s state-sponsored campaign to bankroll its weapons programs through cryptocurrency theft.

    Drift and KelpDAO drive North Korea’s over $500 million DeFi exploits

    Notably, the twin devastating exploits targeting the Drift Protocol and KelpDAO have pushed North Korea’s illicit crypto haul for the year well past the $700 million mark.

    The staggering losses underscore a shift in tactics by Kim Jong Un’s cyber army, which is increasingly weaponizing complex supply-chain vulnerabilities and executing deep-cover human infiltration to bypass standard security perimeters.

    On April 20, cross-chain infrastructure provider LayerZero confirmed that KelpDAO suffered an exploit resulting in the loss of approximately $290 million. The breach, which occurred on April 18, now stands as the largest single crypto hack of 2026.

    The firm stated that preliminary forensics point directly to TraderTraitor, a specialized cell operating within North Korea’s notorious Lazarus Group.

    Just weeks earlier, on April 1, the Solana-based decentralized perpetual futures exchange Drift Protocol was drained of an estimated $286 million.

    Blockchain intelligence firm Elliptic swiftly connected the on-chain laundering methodologies, transaction sequencing, and network-level signatures to previously established DPRK attack vectors, noting it was the 18th such incident the firm had tracked this year alone.


    Exploiting the infrastructure periphery

    The methodology behind the April attacks reveals a maturation in how state-sponsored hackers target decentralized finance (DeFi). Instead of attacking hardened core smart contracts head-on, operatives are identifying and exploiting the structural periphery.

    In the case of the KelpDAO attack, LayerZero explained that the hackers compromised the downstream Remote Procedure Call (RPC) infrastructure utilized by the LayerZero Labs Decentralized Verifier Network (DVN).

    By poisoning these critical data pathways, the attackers manipulated the protocol’s operations without compromising its core cryptography. LayerZero has since deprecated the affected nodes and fully restored DVN operations, but the financial damage had already been done.

    This indirect approach highlights a terrifying evolution in cyber warfare.

    Blockchain security firm Cyvers told CryptoSlate that North Korea-linked attackers are showing increased sophistication and investing more resources, both in preparation and execution, to carry out their malicious attacks.

    The firm added:

    “We also observe how they consistently find the weakest link. In this case, it was a third party rather than the protocol’s core infrastructure.”

    The strategy heavily mirrors traditional corporate cyberespionage and shows that DPRK-linked breaches are becoming harder to stop.

    Recent incidents, such as the supply-chain compromise of the widely used Axios npm software package, which Google researchers linked to a distinct DPRK threat actor dubbed UNC1069, demonstrate an ongoing, methodical effort to poison the well before the software even reaches the blockchain ecosystem.

    North Korea infiltrates crypto workforce

    Beyond technical exploits, North Korea is currently executing a massive, coordinated infiltration of the global crypto labor market.

    The threat model has fundamentally shifted from remote hacking campaigns to placing malicious insiders directly onto the payrolls of unsuspecting Web3 startups.

    A grueling six-month investigation by the Ketman Project, an initiative operating under the Ethereum Foundation’s ETH Rangers security program, recently concluded with startling findings: roughly 100 North Korean cyber operatives are currently embedded inside various blockchain companies.

    Operating under fabricated identities, these sophisticated IT workers routinely pass standard human resources screenings, gain access to sensitive internal code repositories, and sit quietly within product teams for months, or even years, before initiating a calculated attack.

    This intelligence-agency-style patience was further corroborated by independent blockchain investigator ZachXBT.

    He recently exposed a specialized DPRK network that has been generating roughly $1 million a month by using fraudulent personas to secure remote work.

    This specific scheme funnels crypto-to-fiat transfers through sanctioned global financial channels and has processed over $3.5 million since late 2025.

    Industry estimates suggest that Pyongyang’s broader deployment of IT workers generates multiple seven-figure sums monthly.

    This creates a dual-pronged revenue stream for the regime: the steady accumulation of fraudulent wages, paired with the catastrophic windfalls of insider-facilitated protocol exploits.


    North Korea’s laundering networks and macroeconomic survival

    The sheer scale of North Korea’s digital asset operations dwarfs that of any traditional cybercriminal syndicate.

    According to blockchain analytics firm Chainalysis, DPRK-linked hackers stole a record $2 billion in 2025 alone, accounting for a staggering 60% of all global cryptocurrency thefts that year. That figure was heavily bolstered by a devastating $1.5 billion raid on the Bybit exchange in February 2025.

    Factoring in this year’s brutal campaign, North Korea’s all-time crypto-asset haul is estimated at $6.75 billion.

    Once the funds are stolen, Lazarus Group operatives exhibit highly specific, regionalized laundering patterns. Unlike ordinary crypto criminals who frequently utilize decentralized exchanges (DEXs) and peer-to-peer lending protocols, DPRK actors actively avoid them.

    Instead, on-chain data reveals a heavy reliance on Chinese-language guarantee services, deep over-the-counter (OTC) broker networks, and complex cross-chain mixing services.

    This specific preference points to structural constraints and deeply established, geographically limited off-ramps rather than broad, unrestricted access to the global financial system.

    Can these attacks be prevented?

    Security researchers and industry executives say the answer is yes, but only if crypto firms address the same operational weaknesses that continue to surface in major breaches.

    Terence Kwok, founder of Humanity, told CryptoSlate that the pattern behind many of these North Korea-linked losses still points to familiar weaknesses rather than entirely new forms of cyber intrusion.

    In his view, North Korean actors are improving both their access methods and their ability to move stolen funds, but the damage often still traces back to poor access controls and concentrated operational risk.

    He explained:

    “What’s striking is how often the damage still comes down to the same weak points around access control and single points of failure. That tells you the industry still has some basic security discipline issues it has not solved.”

    Considering this, Kwok stated that the industry’s first line of defense is to make asset movement materially harder to compromise. That means imposing tighter controls over private keys, internal permissions, and third-party access across the software stack.

    In practice, that would require firms to reduce reliance on individual operators, limit privileged access, harden vendor dependencies, and build more checks around the infrastructure that sits between core protocols and the outside world.

    The second priority is speed. Once stolen funds begin moving across chains, through bridges, or into laundering networks, the chances of recovery fall sharply. Kwok said exchanges, stablecoin issuers, blockchain analytics firms, and law enforcement agencies need to coordinate far faster during the first minutes and hours after a breach if they want to improve containment.

    His comments point to a broader reality for the sector.

    Crypto systems are often hardest to defend where code, people, and operations meet. A compromised credential, a weak vendor dependency, or an overlooked permissions failure can create an opening large enough to drain hundreds of millions of dollars.

    The challenge for DeFi is no longer just writing resilient smart contracts. It is securing the operational perimeter around them before attackers exploit the next weak link.
