Zerion and KelpDAO link security incidents to DPRK TraderTraitor activity
Zerion published a security incident post-mortem, and LayerZero later issued a KelpDAO incident statement. Threat-intelligence discussion has publicly tied both incidents to DPRK activity. Social-media reporting around the disclosures specifically associated the KelpDAO case with TraderTraitor, the North Korean cluster known for targeting cryptocurrency and Web3 organizations through social engineering and wallet compromise.
The available references do not provide technical indicators, loss figures, or a detailed attack chain, but they place both disclosures in the context of crypto-focused intrusions attributed to North Korean operators. For CISOs in digital-asset, DeFi, and wallet ecosystems, the incidents reinforce the ongoing risk from DPRK-linked campaigns that exploit trusted workflows, third-party relationships, and user-facing transaction processes to gain access and move funds.
How this story unfolded
7 events from the earliest known activity through the most recent confirmed update.
Zerion publishes security incident post-mortem
Zerion published a "Security Incident: Post Mortem" referenced in a 2026-04-15 Bluesky post. The available content does not provide further details on the incident, impact, or attribution.
LayerZero publishes KelpDAO incident statement
LayerZero published a "KelpDAO Incident Statement" referenced in a 2026-04-20 Bluesky post. The post's hashtags suggest a cybersecurity incident possibly linked to DPRK-related threat activity, but no substantive incident details are provided in the available content.
KelpDAO publishes additional context on April 18 incident
KelpDAO published an item titled "April 18 Incident: Additional Context," indicating a follow-up disclosure about the incident. The available reference does not provide substantive technical or impact details beyond the existence of this additional context statement.
KelpDAO attacker reportedly moves $175M to new addresses
An Arkm research item shared on Bluesky reported that funds linked to the KelpDAO hacker were transferred to new cryptocurrency addresses. The reported movement involved $175 million and occurred on 2026-04-22, indicating post-incident laundering or fund relocation activity.
Analysis reports laundering of $292M tied to KelpDAO theft
A referenced article titled "Where did the kelp $292m go? anatomy of a $292m laundering" reported on laundering activity involving $292 million linked to the KelpDAO incident. The available post provides no further technical details, but it indicates a broader accounting of stolen-fund movement than earlier reports of transfers to new addresses.
KelpDAO publishes LayerZero bridge hack clarification
KelpDAO published a statement titled "Setting the Record Straight Around the LayerZero Bridge Hack," indicating a further official clarification related to the incident. The available reference does not provide substantive new technical, impact, or attribution details beyond the existence of this follow-up statement.
LayerZero publishes follow-up update on KelpDAO incident
A Bluesky post on 2026-05-09 references a publication titled "LayerZero Update" by LayerZero. The available content does not include the substance of the update, but it indicates a new official follow-up communication related to the KelpDAO/LayerZero incident.
Sources
14 references tracked.
Post by @lazarusholic.bsky.social - Bluesky
bsky.app