Zerion and KelpDAO link security incidents to DPRK TraderTraitor activity

Tags: cryptocurrency-platform-risk, state-sponsored-espionage, identity-impersonation-fraud, third-party-vendor-breach
Updated May 1, 2026 at 05:01 PM · 11 sources


Zerion published a security incident post-mortem, and LayerZero later issued a KelpDAO incident statement, with both incidents being publicly tied in threat-intelligence discussion to DPRK activity. Social-media reporting around the disclosures specifically associated the KelpDAO case with TraderTraitor, the North Korean cluster known for targeting cryptocurrency and Web3 organizations through social engineering and wallet compromise.

The available references do not provide technical indicators, loss figures, or a detailed attack chain, but they place both disclosures in the context of crypto-focused intrusions attributed to North Korean operators. For CISOs in digital-asset, DeFi, and wallet ecosystems, the incidents reinforce the ongoing risk from DPRK-linked campaigns that exploit trusted workflows, third-party relationships, and user-facing transaction processes to gain access and move funds.

Timeline

  1. Apr 24, 2026

    Analysis reports laundering of $292M tied to KelpDAO theft

    A referenced article titled "Where did the kelp $292m go? anatomy of a $292m laundering" reported on laundering activity involving $292 million linked to the KelpDAO incident. The available post provides no further technical details, but it indicates a broader accounting of stolen-fund movement than earlier reports of transfers to new addresses.

  2. Apr 22, 2026

    KelpDAO attacker reportedly moves $175M to new addresses

    An Arkm research item shared on Bluesky reported that funds linked to the KelpDAO hacker were transferred to new cryptocurrency addresses. The reported movement involved $175 million and occurred on 2026-04-22, indicating post-incident laundering or fund relocation activity.

  3. Apr 21, 2026

    KelpDAO publishes additional context on April 18 incident

    KelpDAO published an item titled "April 18 Incident: Additional Context," indicating a follow-up disclosure about the incident. The available reference does not provide substantive technical or impact details beyond the existence of this additional context statement.

  4. Apr 20, 2026

    LayerZero publishes KelpDAO incident statement

    LayerZero published a "KelpDAO Incident Statement" referenced in a 2026-04-20 Bluesky post. The post's hashtags suggest a cybersecurity incident possibly linked to DPRK-related threat activity, but no substantive incident details are provided in the available content.

  5. Apr 15, 2026

    Zerion publishes security incident post-mortem

    Zerion published a "Security Incident: Post Mortem" referenced in a 2026-04-15 Bluesky post. The available content does not provide further details on the incident, impact, or attribution.



Related Stories

North Korean Hackers Blamed for $290 Million Kelp DAO Crypto Theft

More than **$290 million** in cryptocurrency was stolen from **Kelp DAO** after attackers compromised infrastructure used to verify cross-chain messages and exploited the platform’s `rsETH` configuration. According to LayerZero, the intruders abused Kelp’s single-verifier setup rather than a redundant multi-verifier model, allowing them to mint unbacked `rsETH` and use it as collateral to borrow real **Ether** and stablecoins from other platforms, including **Aave**. LayerZero said preliminary indicators point to North Korea’s **TraderTraitor** group, which is linked to the broader **Lazarus** operation. Kelp DAO disputed LayerZero’s account and argued that LayerZero’s own servers were compromised, setting up a public dispute over responsibility for one of the largest crypto thefts reported this year. LayerZero’s post-mortem said the attackers also used **DDoS** activity against backup systems and self-destructing tools to hinder detection and complete the theft. Law enforcement has been notified, Aave is evaluating remediation, and the incident adds to a long-running pattern of DPRK-linked cryptocurrency thefts that investigators say have generated billions of dollars over the past several years.

3 days ago
North Korean Hackers Drove Most Crypto Losses Through Drift and KelpDAO Thefts

North Korea-linked hackers were attributed to two major cryptocurrency thefts in April: the **$285 million Drift Protocol breach** and the **$292 million KelpDAO exploit**, which together accounted for **76% of all crypto hack losses recorded through April 2026**. TRM Labs said the operations fit Pyongyang’s established pattern of carrying out a small number of highly targeted, high-value intrusions rather than frequent lower-value attacks, pushing cumulative North Korea-attributed crypto theft above **$6 billion since 2017**. The two attacks used different intrusion paths and laundering chains. In the Drift case, attackers reportedly spent months on social engineering, abused **Solana durable nonce transactions**, and leveraged a governance configuration change to drain funds in about **12 minutes**. In the KelpDAO theft, the attackers allegedly exploited a **single-verifier LayerZero bridge** design after compromising internal RPC nodes and using DDoS pressure to force reliance on poisoned data. TRM said the stolen assets then moved along separate routes: Drift funds were bridged to Ethereum and left dormant, while KelpDAO proceeds were partly frozen on Arbitrum and the remainder rapidly flowed through **THORChain** into Bitcoin in a pattern resembling **TraderTraitor** operations, reinforcing THORChain’s role as a recurring laundering route in major North Korea-linked crypto heists.
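The single-verifier versus redundant multi-verifier point raised in the two Kelp DAO summaries above can be made concrete with a small simulation. This is an added example, not code from LayerZero, Kelp DAO or TRM Labs: the `Message` layout, the `Verifier` class and the rsETH mint payloads are hypothetical constructions, and "poisoned" stands in for a verifier whose source-chain data feed is attacker-controlled.

```python
import hashlib
from dataclasses import dataclass

# Constructed model of a cross-chain message; field layout is hypothetical.
@dataclass(frozen=True)
class Message:
    src_chain: str
    dst_chain: str
    nonce: int
    payload: str

def digest(m: Message) -> str:
    raw = f"{m.src_chain}|{m.dst_chain}|{m.nonce}|{m.payload}".encode()
    return hashlib.sha256(raw).hexdigest()

class Verifier:
    """Attests that a message was really emitted on the source chain,
    based on the verifier's own view of that chain (e.g. via its RPC node)."""
    def __init__(self, name: str, source_view: set, poisoned: bool = False):
        self.name = name
        self.source_view = source_view   # digests this verifier's node reports as emitted
        self.poisoned = poisoned         # True if its data feed is attacker-controlled

    def attest(self, m: Message) -> bool:
        if self.poisoned:
            return True                  # a poisoned feed confirms whatever it is shown
        return digest(m) in self.source_view

def accept(m: Message, verifiers: list, required: int) -> bool:
    """Destination-side rule: deliver only if at least `required` distinct
    verifiers attest. required=1 with one verifier is the single-verifier setup."""
    votes = sum(1 for v in verifiers if v.attest(m))
    return votes >= required

# Constructed scenario: one genuine message and one forged mint instruction.
genuine = Message("ethereum", "arbitrum", 41, "mint rsETH 10 (backed)")
forged  = Message("ethereum", "arbitrum", 42, "mint rsETH 100000 (unbacked)")
honest_view = {digest(genuine)}          # the source chain only ever emitted `genuine`

compromised = Verifier("dvn-A", set(), poisoned=True)
honest_b = Verifier("dvn-B", honest_view)
honest_c = Verifier("dvn-C", honest_view)
def single_verifier(m): return accept(m, [compromised], required=1)
def two_of_three(m):    return accept(m, [compromised, honest_b, honest_c], required=2)

if __name__ == "__main__":
    print("single verifier delivers forged mint:", single_verifier(forged))   # True
    print("2-of-3 delivers forged mint:", two_of_three(forged))               # False
    print("2-of-3 delivers genuine:", two_of_three(genuine))                  # True
```

The quorum does not detect the poisoned feed; it only ensures one bad verifier cannot deliver a message the honest majority never saw, which is the property a single-verifier configuration gives up.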

Yesterday
Suspected DPRK Activity Tied to Drift Protocol Breach and EtherRAT Delivery Campaign

Drift Protocol disclosed that a malicious actor gained unauthorized access to its environment, according to a post amplified by cyber threat intelligence account **lazarusholic**. Public details remain limited, and the available reporting does not specify the intrusion vector, affected systems, or operational impact, but the incident has drawn attention in CTI circles because of possible links to **DPRK**-associated activity. Separately, researchers at **PhatomCandle** reported a highly stealthy campaign using spoofed IT tools to deliver **EtherRAT**, with suspected ties to a North Korean advanced persistent threat. The two reports point to ongoing interest in financially and operationally motivated intrusions associated with suspected DPRK actors, spanning both direct compromise of crypto-related platforms and malware distribution through deceptive tooling.

3 weeks ago
