Written by: Oluwapelumi Adejumo
Compiled by: Chopper, Foresight News
In less than three weeks, hacker groups linked to North Korea have stolen over $500 million from cryptocurrency DeFi platforms, shifting their attack vectors from core smart contracts to vulnerabilities in the infrastructure's periphery.
Attacks on Drift and KelpDAO
Two major attacks targeting Drift Protocol and KelpDAO have pushed the illicit cryptocurrency gains of North Korean hackers this year past $700 million. The massive losses highlight a tactical shift: they are increasingly exploiting complex vulnerabilities and deep personnel penetration to bypass standard security defenses.
On April 20th, cross-chain infrastructure provider LayerZero confirmed that KelpDAO was attacked on April 18th, resulting in a loss of approximately $290 million, making it the largest single crypto theft case so far in 2026. The company stated that preliminary forensics directly point to TraderTraitor—a specialized unit within North Korea's notorious Lazarus Group.
Just weeks earlier, on April 1st, the Solana-based decentralized perpetual exchange Drift Protocol was robbed of approximately $286 million. Blockchain intelligence firm Elliptic quickly linked the on-chain money laundering techniques, transaction sequences, and network signatures to known North Korean attack patterns, noting this was the 18th similar incident they have tracked this year.
Attack Shift: Infiltrating the Infrastructure Periphery
The methods used in the April attacks demonstrate the increasing sophistication of North Korean hackers' attacks on DeFi. They are no longer directly assaulting core smart contracts but are instead finding and attacking structural edge vulnerabilities.
Taking the KelpDAO attack as an example: the hackers compromised the downstream RPC (Remote Procedure Call) infrastructure used by LayerZero Labs' Decentralized Verification Network (DVN). By tampering with these critical data channels, the attackers manipulated the protocol's operation without breaching the core cryptography. LayerZero has disabled the affected nodes and fully restored the DVN, but the financial losses are irreversible.
This indirect method of attack reveals a frightening evolution in cyber warfare. Blockchain security company Cyvers told CryptoSlate that North Korean-linked attackers are becoming more sophisticated, investing more resources in attack preparation and execution.
The company added: "We also observe that they always manage to pinpoint the weakest link precisely. This time, the entry point was a third-party component, not the protocol's core infrastructure."
This strategy is highly similar to traditional corporate cyber espionage and also means that North Korean-linked attacks are becoming increasingly difficult to prevent. Recent events, such as Google researchers linking the supply chain compromise of the widely used Axios npm software package to the specific North Korean threat group UNC1069, indicate that attackers are systematically sabotaging software before it even enters the blockchain ecosystem.
North Korea Infiltrates Global Crypto Industry Practitioners
Beyond technical breakthroughs, North Korea is also conducting a large-scale, organized infiltration of the global cryptocurrency labor market.
The threat model has shifted completely from remote hacking operations to placing malicious personnel directly into unsuspecting Web3 startups.
A six-month investigation by the Ketman Project under the Ethereum Foundation's ETH Rangers security program reached a startling conclusion: approximately 100 North Korean cyber operatives are潜伏 (latent - *Note: The original Chinese term "潜伏" is kept here for accuracy, but the intended meaning is "lying dormant" or "embedded") within various blockchain companies. They use forged identities, easily pass standard HR screenings, obtain access to sensitive internal code repositories, lie dormant within product teams for months or even years, and then launch precise attacks.
Independent blockchain investigator ZachXBT further confirmed this intelligence agency-style潜伏 (dormancy). He recently exposed a North Korean special network that generates approximately $1 million per month through remote employment using fraudulent identities.
This scheme processes cryptocurrency-to-fiat transfers through recognized global financial channels and has handled over $3.5 million since late 2025.
According to industry insiders, the overall deployed IT personnel by North Korea generate millions of dollars in revenue monthly. This provides North Korea with a dual income stream: stable salary income + massive protocol thefts assisted by insiders.
$6.75 Billion Total Theft
The scale of North Korea's digital asset operations far surpasses any traditional cybercrime group. According to blockchain analytics firm Chainalysis: in 2025 alone, North Korean-linked hackers stole a record $2 billion, accounting for 60% of the global cryptocurrency theft total that year.
Considering the fierce attacks this year, the total value of crypto assets stolen by North Korea throughout history has reached $6.75 billion.
Once funds are acquired, the Lazarus Group exhibits a highly specific, regionalized money laundering pattern: unlike ordinary crypto criminals who frequently use DEXs and peer-to-peer lending protocols, North Korean hackers deliberately avoid these channels. On-chain data shows they heavily rely on escrow services in Chinese-speaking regions, deep over-the-counter (OTC) broker networks, and complex cross-chain mixing services. This preference points to structural limitations and geographically constrained cashing-out channels, rather than unrestricted access to the global financial system.
Can It Be Prevented?
Security researchers and industry executives believe it can be prevented, but crypto companies must address the same operational weaknesses exposed in multiple major attacks.
Humanity founder Terence Kwok told CryptoSlate that North Korean-linked attacks still point to common vulnerabilities, not new forms of cyber intrusion. He believes North Korean attackers are improving their intrusion methods and illicit fund transfer capabilities, but the root cause remains poor access control and centralized operational risks.
He explained: "What's shocking is that the losses are still attributed to old problems like access control and single points of failure. This shows the industry still hasn't solved the problem of basic security discipline."
Based on this, Kwok pointed out that the industry's first line of defense is to significantly increase the difficulty of unauthorized asset transfers by implementing stricter controls on private keys, internal permissions, and third-party access rights. In practice, companies need to reduce reliance on individual operators, restrict privileged access, harden supplier dependencies, and add more verification checks to the infrastructure between core protocols and the external world.
The second line of defense is speed. Once stolen funds cross chains, bridges, or enter money laundering networks, the probability of recovery drops sharply. Kwok stated that exchanges, stablecoin issuers, blockchain analysis companies, and law enforcement agencies must collaborate extremely quickly in the first few minutes and hours after an attack to increase the success rate of fund interception.
His words highlight an industry reality: the most fragile points of crypto systems are often at the intersection of code, personnel, and operations. A stolen credential, a weak supplier dependency, or an overlooked permission vulnerability is enough to cause losses amounting to hundreds of millions of dollars.
The challenge for DeFi is no longer just writing robust smart contracts, but defending the operational security at the protocol's periphery before attackers exploit the next weak link.
