North Korean Cyber Attacks Surge, Exceeding $500M in Crypto Thefts This Month

In a span of just under three weeks, cyber operatives linked to the Democratic People’s Republic of Korea (DPRK) have successfully stolen over $500 million from decentralized finance (DeFi) platforms. This marks a significant escalation in Pyongyang’s state-sponsored efforts to fund its weapons programs through cryptocurrency theft.

Significant breaches at Drift Protocol and KelpDAO have contributed to North Korea’s crypto thefts surpassing the $700 million mark for this year alone. These attacks reflect a strategic shift by Kim Jong Un’s cyber units, who are now exploiting sophisticated supply-chain vulnerabilities and engaging in deep-cover human infiltration to bypass conventional security measures.

On April 20, cross-chain provider LayerZero confirmed that KelpDAO fell victim to an exploit resulting in losses of approximately $290 million. This breach occurred on April 18 and has been identified as the largest single crypto hack of 2026. Preliminary forensic analysis implicates TraderTraitor, a specialized group within North Korea’s notorious Lazarus Group.

Earlier, on April 1, the Solana-based decentralized perpetual futures exchange Drift Protocol was compromised, leading to an estimated $286 million in losses. Blockchain intelligence firm Elliptic traced the laundering techniques and network signatures back to known DPRK attack patterns, marking it as the 18th such incident the firm has tracked this year.

The April attacks demonstrate a maturation in how state-sponsored hackers target DeFi. Instead of direct assaults on hardened smart contracts, these operatives are exploiting peripheral infrastructures. In the KelpDAO case, LayerZero explained that attackers compromised downstream RPC infrastructure used by their Decentralized Verifier Network (DVN). By poisoning these data pathways, they manipulated protocol operations without breaching core cryptography.
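As an added illustration of the defensive point (example code, not LayerZero's or KelpDAO's code, and not a description of how their DVN actually works): a verifier that will only attest when a supermajority of independently operated RPC endpoints report the same view, so a single poisoned upstream produces an alert instead of a forged attestation. Endpoint labels and hash values are constructed fixtures.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class RpcObservation:
    endpoint: str      # label for a hypothetical, independently operated RPC provider
    block_number: int
    block_hash: str    # constructed sample value, not a real chain hash
    payload_hash: str  # hash of the cross-chain message as this endpoint reports it


def quorum_attest(observations: list[RpcObservation], min_agree: int):
    """Return (attest, agreed_view, dissenters).

    attest is True only when at least `min_agree` distinct endpoints report an
    identical (block_number, block_hash, payload_hash) tuple. Dissenters are
    returned so a poisoned upstream can be alerted on and rotated out.
    """
    # A duplicate endpoint label would let one provider vote more than once.
    if len({o.endpoint for o in observations}) != len(observations):
        raise ValueError("duplicate endpoint in observation set")
    if min_agree < 2 or min_agree > len(observations):
        raise ValueError("min_agree must be between 2 and the number of endpoints")

    views = Counter((o.block_number, o.block_hash, o.payload_hash) for o in observations)
    (top_view, votes), = views.most_common(1)
    if votes < min_agree:
        # No view reached quorum: trust nothing, escalate every endpoint.
        return False, None, sorted(o.endpoint for o in observations)
    dissenters = sorted(o.endpoint for o in observations
                        if (o.block_number, o.block_hash, o.payload_hash) != top_view)
    return True, top_view, dissenters


# Constructed fixture: three honest providers and one poisoned upstream that
# reports the same block but a different message payload hash.
OBSERVATIONS = [
    RpcObservation("rpc-a", 8812345, "0xblockA", "0xmsgA"),
    RpcObservation("rpc-b", 8812345, "0xblockA", "0xmsgA"),
    RpcObservation("rpc-c", 8812345, "0xblockA", "0xmsgA"),
    RpcObservation("rpc-d", 8812345, "0xblockA", "0xmsgForged"),
]

if __name__ == "__main__":
    attest, view, dissent = quorum_attest(OBSERVATIONS, min_agree=3)
    print(f"attest={attest} view={view} dissenting_endpoints={dissent}")
```

With one poisoned endpoint out of four the message is still attested and `rpc-d` is flagged; drop to two honest endpoints and the verifier refuses to attest at all.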

Cyvers, a blockchain security firm, noted the growing sophistication of North Korea-linked hackers and their ability to target weaker links in third-party infrastructures rather than core systems. This tactic aligns with traditional corporate cyberespionage methods and highlights the increasing difficulty in stopping DPRK breaches.

In addition to technical exploits, North Korea is also embedding malicious insiders within global crypto companies. A six-month investigation by the Ketman Project found that around 100 North Korean operatives have infiltrated various blockchain firms under fake identities, gaining access to sensitive information before launching attacks. ZachXBT, an independent investigator, exposed a DPRK network generating approximately $1 million monthly via fraudulent remote work personas.

According to Chainalysis, DPRK-linked hackers stole a record $2 billion in 2025, representing 60% of global cryptocurrency thefts that year. This figure includes a $1.5 billion raid on the Bybit exchange. Including this year’s losses, North Korea’s total crypto-asset haul is estimated at $6.75 billion.

Lazarus Group operatives demonstrate specific laundering patterns, avoiding decentralized exchanges in favor of Chinese-language guarantee services and complex cross-chain mixing networks. This suggests geographically limited financial exit strategies.

Terence Kwok, founder of Humanity, emphasized that preventing these attacks requires addressing operational weaknesses such as poor access controls and concentrated risks. He stressed the need for tighter controls over private keys and permissions, along with rapid coordination among exchanges, blockchain analytics firms, and law enforcement post-breach to improve containment. The challenge lies in securing not just smart contracts but also their operational perimeters before attackers exploit new vulnerabilities.
