North Korean Hackers Drove Most Crypto Losses Through Drift and KelpDAO Thefts
Two major April cryptocurrency thefts, the $285 million Drift Protocol breach and the $292 million KelpDAO exploit, were attributed to North Korea-linked hackers; together they accounted for 76% of all crypto hack losses recorded through April 2026. TRM Labs said the operations fit Pyongyang’s established pattern of carrying out a small number of highly targeted, high-value intrusions rather than frequent lower-value attacks, pushing cumulative North Korea-attributed crypto theft above $6 billion since 2017.
The two attacks used different intrusion paths and laundering chains. In the Drift case, attackers reportedly spent months on social engineering, abused Solana durable nonce transactions, and leveraged a governance configuration change to drain funds in about 12 minutes. In the KelpDAO theft, the attackers allegedly exploited a single-verifier LayerZero bridge design after compromising internal RPC nodes and using DDoS pressure to force reliance on poisoned data. TRM said the stolen assets then moved along separate routes: Drift funds were bridged to Ethereum and left dormant, while KelpDAO proceeds were partly frozen on Arbitrum and the remainder rapidly flowed through THORChain into Bitcoin in a pattern resembling TraderTraitor operations, reinforcing THORChain’s role as a recurring laundering route in major North Korea-linked crypto heists.
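The single-verifier bridge design named above (and in the related Kelp DAO story below) is a policy question: does the destination chain accept a cross-chain message on the word of one verifier, or only on agreement from several independent ones? The following Python model is an added example, not code from this page, from TRM, LayerZero or Kelp DAO. The verifier names (dvn-a, dvn-b, dvn-c), the HMAC tags standing in for signed verifier reports, the two policy shapes (one required verifier versus a required verifier plus a threshold of independent ones) and the sample messages are all constructed for illustration.

```python
"""Model of cross-chain message verification policies (added example; not
LayerZero's or Kelp DAO's code). Verifiers attest with HMAC tags over a
constructed message; the policy shapes are assumptions of this model."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed verifier signing keys; a real verifier would use an asymmetric key.
VERIFIER_KEYS = {
    "dvn-a": b"constructed-key-a",
    "dvn-b": b"constructed-key-b",
    "dvn-c": b"constructed-key-c",
}


@dataclass(frozen=True)
class Policy:
    required: frozenset                 # every verifier here must attest
    optional: frozenset = frozenset()   # independent verifiers counted toward a threshold
    optional_threshold: int = 0         # at least this many of `optional` must attest


# One verifier is the whole trust base: if it is poisoned, the bridge is.
SINGLE_VERIFIER = Policy(required=frozenset({"dvn-a"}))
# The same verifier plus at least one of two independent ones.
REDUNDANT = Policy(required=frozenset({"dvn-a"}),
                   optional=frozenset({"dvn-b", "dvn-c"}),
                   optional_threshold=1)


def digest(msg: dict) -> bytes:
    return hashlib.sha256(json.dumps(msg, sort_keys=True).encode()).digest()


# Constructed messages: GENUINE was emitted on the source chain, FORGED never was.
GENUINE = {"nonce": 1, "action": "mint", "amount": 100}
FORGED = {"nonce": 2, "action": "mint", "amount": 10_000}
SOURCE_CHAIN_EVENTS = {digest(GENUINE)}


def attest(verifier: str, msg: dict) -> bytes:
    """A verifier's attestation that `msg` was emitted on the source chain."""
    return hmac.new(VERIFIER_KEYS[verifier], digest(msg), "sha256").digest()


def collect_attestations(msg: dict, compromised=frozenset(), offline=frozenset()) -> dict:
    """Honest verifiers attest only what they can see on the source chain. A
    compromised verifier attests whatever view it is fed (poisoned data). An
    offline verifier (for example, knocked out by DDoS) returns nothing."""
    out = {}
    for v in VERIFIER_KEYS:
        if v in offline:
            continue
        if v in compromised or digest(msg) in SOURCE_CHAIN_EVENTS:
            out[v] = attest(v, msg)
    return out


def destination_accepts(policy: Policy, msg: dict, attestations: dict) -> bool:
    """Destination-side check: only attestations with a valid tag from a known
    verifier count; then the required set and the optional threshold apply."""
    valid = {v for v, tag in attestations.items()
             if v in VERIFIER_KEYS and hmac.compare_digest(tag, attest(v, msg))}
    if not policy.required <= valid:
        return False
    return len(policy.optional & valid) >= policy.optional_threshold


def forged_message_accepted(policy: Policy, compromised) -> bool:
    """Safety: can a forged mint get through when these verifiers are poisoned?"""
    return destination_accepts(policy, FORGED, collect_attestations(FORGED, compromised=compromised))


def genuine_message_accepted(policy: Policy, offline=frozenset()) -> bool:
    """Liveness: does a genuine message still pass when these verifiers are offline?"""
    return destination_accepts(policy, GENUINE, collect_attestations(GENUINE, offline=offline))


if __name__ == "__main__":
    print("single verifier, dvn-a poisoned, forged mint accepted:",
          forged_message_accepted(SINGLE_VERIFIER, {"dvn-a"}))
    print("redundant policy, dvn-a poisoned, forged mint accepted:",
          forged_message_accepted(REDUNDANT, {"dvn-a"}))
    print("redundant policy, dvn-b and dvn-c offline, genuine accepted:",
          genuine_message_accepted(REDUNDANT, {"dvn-b", "dvn-c"}))
```

Under the single-verifier policy a poisoned view at the one verifier is enough to mint against a message that never existed; under the redundant policy the same compromise is rejected because no honest verifier sees the message on the source chain. The cost of redundancy is that pressure on the independent verifiers (here, taking them offline) stops genuine messages too: the bridge fails closed rather than open, which is the property a defender wants when backup systems are under DDoS.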
Timeline
Apr 30, 2026
TRM attributes two April crypto mega-heists to North Korea
On April 30, 2026, TRM Labs said the Drift Protocol and KelpDAO attacks were linked to North Korean hackers. Together, the two thefts accounted for 76% of all cryptocurrency hack losses recorded through April 2026.
Apr 1, 2026
Remaining KelpDAO proceeds are laundered via THORChain into Bitcoin
TRM reported that the unfrozen KelpDAO proceeds were rapidly routed through THORChain and converted into Bitcoin, following a TraderTraitor-style liquidation pattern. The report highlighted THORChain as a recurring laundering route in major North Korea-linked crypto thefts.
Apr 1, 2026
Part of KelpDAO stolen funds is frozen on Arbitrum
Following the KelpDAO theft, some of the stolen assets were frozen on Arbitrum. The remaining proceeds were moved onward for laundering.
Apr 1, 2026
Attackers exploit KelpDAO bridge and steal $292 million
In April 2026, the KelpDAO exploit, which caused roughly $292 million in losses, was also attributed to North Korean hackers. According to TRM, the attackers compromised internal RPC nodes, used DDoS pressure to force reliance on poisoned data, and exploited a single-verifier LayerZero bridge design.
Apr 1, 2026
Drift stolen funds are bridged to Ethereum and left dormant
After the Drift theft, the stolen assets were quickly moved from Solana to Ethereum. TRM said the funds then remained largely dormant rather than being rapidly liquidated.
Apr 1, 2026
Attackers steal $285 million from Drift Protocol
In April 2026, the Drift Protocol breach, in which about $285 million was stolen, was attributed to North Korean hackers. The attack abused Solana durable nonce transactions and a governance configuration change, enabling a drain that took about 12 minutes.
Feb 1, 2026
North Korea-linked actors begin social engineering Drift targets
TRM Labs reported that the Drift Protocol breach was preceded by months of social engineering activity, indicating a prolonged intrusion phase before the theft was executed.
Related Stories

North Korean Hackers Blamed for $290 Million Kelp DAO Crypto Theft
More than **$290 million** in cryptocurrency was stolen from **Kelp DAO** after attackers compromised infrastructure used to verify cross-chain messages and exploited the platform’s `rsETH` configuration. According to LayerZero, the intruders abused Kelp’s single-verifier setup rather than a redundant multi-verifier model, allowing them to mint unbacked `rsETH` and use it as collateral to borrow real **Ether** and stablecoins from other platforms, including **Aave**. LayerZero said preliminary indicators point to North Korea’s **TraderTraitor** group, which is linked to the broader **Lazarus** operation. Kelp DAO disputed LayerZero’s account and argued that LayerZero’s own servers were compromised, setting up a public dispute over responsibility for one of the largest crypto thefts reported this year. LayerZero’s post-mortem said the attackers also used **DDoS** activity against backup systems and self-destructing tools to hinder detection and complete the theft. Law enforcement has been notified, Aave is evaluating remediation, and the incident adds to a long-running pattern of DPRK-linked cryptocurrency thefts that investigators say have generated billions of dollars over the past several years.
3 days ago
North Korean State-Sponsored Cryptocurrency Theft Surpasses $2 Billion
North Korean hackers have stolen over $2 billion in cryptocurrency assets in 2025, marking the largest annual total ever attributed to the regime’s cyber operations. The majority of this record-breaking sum was taken in a single attack on the cryptocurrency exchange Bybit in February, where $1.46 billion was stolen. In addition to this major breach, blockchain analytics firm Elliptic has linked North Korean actors to more than thirty other cryptocurrency heists throughout the year. These attacks have targeted both exchanges and high-net-worth individuals, reflecting a shift in tactics by North Korean threat groups. The hackers have increasingly focused on wealthy crypto holders and employees of companies with significant digital asset holdings, exploiting the fact that individuals often have weaker security defenses than organizations. Social engineering has become a primary method, with attackers impersonating recruiters or investors to gain the trust of their targets. One common technique involves setting up fake video calls, during which the victim is tricked into running malicious command-line code, resulting in malware installation and subsequent theft of funds. The hackers have also been observed building elaborate fake profiles and leveraging compromised social media accounts to approach their targets. Notable additional breaches attributed to North Korean groups in 2025 include attacks on LND.fi, WOO X, Seedify, and the Taiwanese exchange BitoPro, with the latter resulting in an $11 million loss. The total amount stolen by North Korean hackers in 2025 is nearly triple the amount reported in 2024 and far exceeds the previous record of $1.35 billion set in 2022. These cyber-enabled thefts are believed to directly fund North Korea’s nuclear weapons program, according to the United Nations and various government agencies. 
Experts caution that the actual amount stolen may be even higher, as many incidents go unreported or lack sufficient evidence for definitive attribution. Discrepancies in reporting between blockchain analytics firms, such as Elliptic and Chainalysis, further complicate the assessment of the true scale of losses. The trend of targeting individuals, especially those with professional connections to major crypto firms, has made detection and prevention more challenging for standard cybersecurity tools. The sophistication and persistence of North Korean cyber operations underscore the regime’s growing reliance on cryptocurrency theft as a means of circumventing international sanctions and funding state objectives. The ongoing rise in cryptocurrency prices, particularly Bitcoin reaching all-time highs, has made the sector an even more attractive target for these state-sponsored actors. Security experts recommend heightened vigilance and advanced security measures for both organizations and individuals involved in the cryptocurrency ecosystem. The evolving tactics and increasing scale of North Korean cyber thefts highlight the urgent need for improved threat intelligence sharing and coordinated international response.
1 month ago
North Korean State-Backed Crypto Theft and Infrastructure Operations
North Korean state-sponsored threat actors, including the Lazarus Group and Kimsuky, have been responsible for a dramatic surge in global cryptocurrency theft in 2025, stealing at least $2.02 billion—over half of the total $3.4 billion stolen worldwide. The February compromise of the Bybit cryptocurrency exchange accounted for $1.5 billion of these losses, with the attack attributed to the TraderTraitor cluster, and further links established through malware infrastructure analysis. Lazarus Group, affiliated with North Korea's Reconnaissance General Bureau, has also been implicated in the theft of $36 million from Upbit and is estimated to have stolen over $6.75 billion cumulatively through a series of high-profile heists and campaigns. Recent collaborative research by Hunt.io and the Acronis Threat Research Unit has uncovered new operational infrastructure used by both Lazarus and Kimsuky across global campaigns. The investigation revealed active tool-staging servers, credential theft environments, and tunneling nodes, highlighting the interconnected nature of DPRK cyber operations. Despite evolving malware and tactics, these groups consistently reuse infrastructure, making their activities traceable across campaigns. The findings provide defenders with actionable intelligence on the infrastructure patterns and operational habits of North Korean threat actors, supporting efforts to detect and disrupt ongoing and future attacks.
1 month ago