North Korean hackers plundered $500 million in a single month, becoming the top threat to crypto security

By Oluwapelumi Adejumo

Compiled by: Chopper, Foresight News

In less than three weeks, hacker groups linked to North Korea have stolen more than $500 million from cryptocurrency DeFi platforms. The hackers’ entry points have shifted from core smart contracts to vulnerabilities in peripheral infrastructure.

Drift and KelpDAO Hit

Two major attacks targeting Drift Protocol and KelpDAO have already pushed North Korea-linked hackers’ illicit crypto proceeds this year to more than $700 million. The huge losses highlight their tactical shift: they are increasingly making use of complex vulnerabilities, deeply infiltrating personnel, and bypassing standard security defenses.

On April 20, cross-chain infrastructure provider LayerZero confirmed that KelpDAO was attacked on April 18, with losses of about $290 million, making it the largest single crypto theft to date in 2026. The company said that initial forensics point directly to TraderTraitor, a specialized unit within the notorious Lazarus Group associated with North Korea.

Just weeks earlier, on April 1, the Solana-based decentralized perpetual contract exchange Drift Protocol lost about $286 million to theft. Blockchain intelligence firm Elliptic quickly linked the on-chain money-laundering techniques, transaction sequences, and network signatures to known North Korean attack paths, and noted that this is the 18th similar incident it has tracked this year.

Shift in Attacks: Penetrating the Infrastructure Periphery

The tactics used in the April attacks show that North Korean hackers’ attacks on DeFi are maturing. They are no longer attacking core smart contracts head-on; instead, they are looking for and exploiting structural vulnerabilities at the edges of the system.

Take the KelpDAO attack as an example: the hackers compromised the downstream RPC (remote procedure call) infrastructure used by LayerZero Labs’ decentralized verification network (DVN). By tampering with these critical data channels, the attackers manipulated protocol operations without breaking the core cryptography. LayerZero has disabled the affected nodes and fully restored the DVN, but the financial losses cannot be undone.

This kind of indirect attack reveals a frightening evolution in cyber warfare. Blockchain security firm Cyvers told CryptoSlate that North Korea-linked attackers are becoming increasingly sophisticated and are investing more resources in the preparation and execution of attacks.

The firm added: “We also observe that they can always precisely identify the weakest links. This time, the entry point was third-party components rather than the protocol’s core infrastructure.”

This strategy closely resembles traditional corporate network espionage, and it also means North Korea-related attacks are becoming increasingly difficult to prevent. Recent events, such as Google researchers linking a supply-chain intrusion involving the widely used Axios npm package to the North Korea-linked threat group UNC1069, show that attackers are systematically compromising software before it even enters the blockchain ecosystem.

North Korea’s Infiltration of Global Crypto Industry Workers

Besides technical breakthroughs, North Korea is currently carrying out large-scale, organized infiltration into the global cryptocurrency workforce market.

The threat pattern has shifted completely away from purely remote hacking operations toward directly embedding malicious actors inside unsuspecting Web3 startups.

After a six-month investigation conducted by the Ketman Project under the Ethereum Foundation’s ETH Rangers security program, the group reached a startling conclusion: about 100 North Korean cyber operatives are lying in wait inside multiple blockchain companies. They use forged identities, pass standard HR screening easily, obtain access to sensitive internal codebases, quietly embed themselves in product teams for months or even years, and then launch targeted attacks.

Independent blockchain investigator ZachXBT further confirmed this intelligence-agency style of infiltration. He recently exposed a North Korean network that secures remote jobs through fraudulent identities, earning about $1 million per month on average.

This scheme transfers cryptocurrency to fiat currency through approved global financial channels, and since the end of 2025 it has processed more than $3.5 million.

Industry insiders estimate that North Korea’s overall deployment of IT personnel generates several million dollars in monthly revenue on average. This gives North Korea a dual stream of income: steady salary income plus massive protocol thefts assisted by insiders.

Total Stolen Amount: $6.75 Billion

North Korea’s digital asset business scale far exceeds that of any traditional cybercrime group. According to blockchain analytics firm Chainalysis: in just 2025, North Korea-linked hackers stole a record $2 billion, accounting for 60% of the total global cryptocurrency theft that year.

Taking into account this year’s fierce attack campaign, the total value of cryptocurrency assets stolen by North Korea in history has reached $6.75 billion.

After getting the funds, Lazarus Group demonstrates a highly specific, regionally focused money-laundering pattern. Unlike ordinary crypto criminals who frequently use DEXs and peer-to-peer lending protocols, North Korean hackers intentionally avoid these channels. On-chain data shows that they rely heavily on Chinese-region escrow transaction services, deep over-the-counter brokerage networks, and complex cross-chain mixing services. This preference points to monetization channels with structural constraints and geographic limits, rather than unrestricted access to the global financial system.

Can It Be Prevented?

Security researchers and industry executives believe it can be prevented, but crypto companies must address the same operational weaknesses exposed across multiple major attacks.

Terence Kwok, founder of Humanity, told CryptoSlate that North Korea-related attacks still point to common vulnerabilities rather than brand-new forms of network intrusion. He believes North Korean attackers are improving their intrusion methods and their ability to move stolen proceeds, but the root causes remain poor access control and centralized operational risk.

He explained: “What’s shocking is that the losses are still blamed on old problems like access control and single points of failure. This shows the industry still hasn’t resolved the foundational security discipline issues.”

Based on this, Kwok pointed out that the industry’s first line of defense is to make unauthorized asset transfers significantly harder by implementing stricter controls over private keys, internal permissions, and third-party access. In practice, companies need to reduce reliance on individual operators, restrict privileged access, harden vendor dependencies, and add more validation to the infrastructure that sits between the core protocol and the outside world.
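The KelpDAO incident described above (a compromised downstream RPC endpoint feeding a verifier) and Kwok’s recommendation to add validation between the core protocol and the outside world both point at the same defensive pattern: never let a single external data source be the sole basis for a protocol action. The following is an added illustrative example, not code from LayerZero, KelpDAO, Drift or any firm quoted in this article. It cross-checks a block hash reported by several independently operated RPC providers and fails closed unless a quorum agrees, so that one tampered endpoint becomes a logged disagreement rather than a silent compromise. Provider names, block numbers and hash values are constructed placeholders.

```python
"""Quorum check across independent RPC providers (added illustrative example).

A verifier that reads chain state through one RPC endpoint trusts that endpoint
completely: if it is compromised it can return a fabricated block hash and the
verifier will attest to it. Querying several independently operated providers
and refusing to proceed unless enough of them agree turns a single tampered
endpoint into a detectable disagreement. All providers and values are made up.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class RpcObservation:
    provider: str      # operator label, e.g. "provider-a" (constructed)
    block_number: int  # height the provider reports for the queried block
    block_hash: str    # hash the provider reports for that block


class QuorumError(Exception):
    """Raised when the responses do not support a trustworthy answer."""


def select_with_quorum(observations: Iterable[RpcObservation],
                       min_agreeing: int) -> tuple[str, list[str]]:
    """Return (agreed_hash, dissenting_providers).

    Fails closed: raises QuorumError instead of guessing unless at least
    `min_agreeing` distinct providers report the same hash for the same height.
    """
    by_provider: dict[str, RpcObservation] = {}
    for obs in observations:
        if obs.provider in by_provider:
            # Two answers from one operator must not count as two votes.
            raise QuorumError(f"duplicate response from {obs.provider}")
        by_provider[obs.provider] = obs

    heights = {o.block_number for o in by_provider.values()}
    if len(heights) != 1:
        raise QuorumError(f"providers disagree on block number: {sorted(heights)}")

    tally = Counter(o.block_hash for o in by_provider.values())
    agreed_hash, votes = tally.most_common(1)[0]
    if votes < min_agreeing:
        raise QuorumError(
            f"only {votes} of {len(by_provider)} providers agree; need {min_agreeing}")

    dissenters = sorted(p for p, o in by_provider.items() if o.block_hash != agreed_hash)
    return agreed_hash, dissenters


def quorum_fails(observations: Iterable[RpcObservation], min_agreeing: int) -> bool:
    """True if the quorum check refuses to return an answer for these inputs."""
    try:
        select_with_quorum(observations, min_agreeing)
    except QuorumError:
        return True
    return False


# Constructed sample responses for block 1000: three honest providers and one
# whose answer has been tampered with (hash values are made up).
HONEST_HASH = "0x" + "ab" * 32
TAMPERED_HASH = "0x" + "cd" * 32
SAMPLE_RESPONSES = [
    RpcObservation("provider-a", 1000, HONEST_HASH),
    RpcObservation("provider-b", 1000, HONEST_HASH),
    RpcObservation("provider-c", 1000, TAMPERED_HASH),
    RpcObservation("provider-d", 1000, HONEST_HASH),
]


def check_sample() -> tuple[str, list[str]]:
    """Run the quorum check over the constructed sample, requiring 3 of 4."""
    return select_with_quorum(SAMPLE_RESPONSES, min_agreeing=3)


if __name__ == "__main__":
    agreed, dissent = check_sample()
    print(f"agreed hash: {agreed}")
    if dissent:
        # A dissenting provider is a detection signal worth alerting on even
        # though the quorum allowed the verifier to proceed.
        print(f"ALERT: providers returning a different hash: {dissent}")
```

The design choice that matters is failing closed: when the providers split evenly, disagree on the block height, or one operator answers twice, the function raises rather than picking a plurality winner, and the list of dissenters is returned so that a single deviating endpoint can be alerted on and investigated instead of silently outvoted.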

The second line of defense is speed. Once stolen funds are bridged across chains or enter money-laundering networks, the probability of recovery drops sharply. Kwok said that exchanges, stablecoin issuers, blockchain analytics firms, and law enforcement agencies must coordinate rapidly within the first minutes and hours after an attack in order to improve the odds of intercepting the funds.

His remarks underscore an industry reality: the most vulnerable point in crypto systems is often at the intersection of code, personnel, and operations. One stolen credential, one weak vendor dependency, or one overlooked permission vulnerability is enough to lead to losses of hundreds of millions of dollars.

The challenge for DeFi is no longer just writing robust smart contracts: it is securing the operations around the protocol before attackers exploit the next weak link.
