North Korean hackers plunder $500 million in a single month, becoming the number one threat to crypto security.

深潮TechFlow
3 hours ago
Summary: Drift Protocol and KelpDAO were attacked, losing roughly $286 million and $290 million respectively; in both cases the attackers went after the protocols' peripheral infrastructure rather than their core contracts.

Written by: Oluwapelumi Adejumo

Translated by: Chopper, Foresight News

In less than three weeks, a hacker group linked to North Korea has stolen more than $500 million from DeFi platforms, and the attacks mark a shift in focus away from core smart contracts toward weaknesses in the surrounding infrastructure.

Drift and KelpDAO Attacked

The two major attacks, on Drift Protocol and KelpDAO, have pushed North Korean hackers' illicit cryptocurrency proceeds for this year past $700 million. The scale of the losses underlines a tactical shift: the attackers increasingly rely on complex exploit chains and deep infiltration to get around standard security defenses.

On April 20, cross-chain infrastructure provider LayerZero confirmed that KelpDAO had been attacked on April 18, losing approximately $290 million, the largest single cryptocurrency theft of 2026 so far. The company said preliminary forensics pointed to TraderTraitor, a unit within North Korea's notorious Lazarus Group.

Just weeks earlier, on April 1, the Solana-based decentralized perpetuals exchange Drift Protocol lost about $286 million. Blockchain intelligence firm Elliptic quickly matched the on-chain laundering techniques, transaction sequencing and network signatures to known North Korean playbooks, noting that this was the 18th such incident it had tracked this year.

Shift in Attack: Infiltrating Peripheral Infrastructure

The techniques used in the April attacks show that North Korean operations against DeFi are growing more sophisticated. Rather than assaulting core smart contracts head-on, the attackers look for structural weaknesses at the edges of a protocol and exploit those.

The KelpDAO attack is the clearest example: the hackers compromised the downstream RPC (Remote Procedure Call) infrastructure that LayerZero Labs' Decentralized Verifier Network (DVN) depends on. A verifier that reads chain state from compromised RPC nodes can be made to attest to whatever those nodes report, so by manipulating this data path the attackers could steer the protocol's behaviour without breaking any of its cryptography. LayerZero has disabled the affected nodes and fully restored the DVN, but the stolen funds are not recoverable.
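The failure mode above, a verifier that trusts a single RPC data source, is easy to show in code. The following is an added example, not LayerZero's, KelpDAO's or any DVN's actual code: a toy cross-chain verifier that has to decide whether a message really appeared on the source chain. The chain state, the providers (`honestProvider`, `compromisedProvider`) and the message ids are all constructed for the demo; `verifySingleSource` is the fragile design and `verifyWithQuorum` the hardened one that cross-checks independent providers.

```javascript
// Added example (hypothetical verifier, not any project's code).
// Honest view of the source chain: messageId -> block hash in which the
// message was included. Constructed fixture.
const HONEST_CHAIN = {
  "msg-1": "0xaaa111",
  "msg-2": "0xbbb222",
};

// An RPC provider that reports the honest chain view.
function honestProvider(messageId) {
  return HONEST_CHAIN[messageId] ?? null;
}

// A compromised RPC provider: it invents an inclusion proof for a message
// that never existed ("msg-evil") and otherwise behaves normally, so the
// tampering is invisible to callers that only ask about real messages.
function compromisedProvider(messageId) {
  if (messageId === "msg-evil") return "0xdead00";
  return HONEST_CHAIN[messageId] ?? null;
}

// Vulnerable design: one RPC endpoint is the sole source of truth.
// Whatever that endpoint reports gets attested.
function verifySingleSource(provider, messageId) {
  const blockHash = provider(messageId);
  return { verified: blockHash !== null, blockHash };
}

// Hardened design: query N providers run by different operators on
// different hosting, and attest only when at least `threshold` of them
// agree on the same non-null block hash. A single compromised provider
// can no longer push a fabricated message through.
function verifyWithQuorum(providers, messageId, threshold) {
  const votes = new Map(); // blockHash -> number of providers reporting it
  for (const provider of providers) {
    let hash;
    try {
      hash = provider(messageId);
    } catch {
      hash = null; // an erroring provider is a missing vote, never a yes
    }
    if (hash === null) continue;
    votes.set(hash, (votes.get(hash) ?? 0) + 1);
  }
  for (const [hash, count] of votes) {
    if (count >= threshold) return { verified: true, blockHash: hash };
  }
  return { verified: false, blockHash: null };
}

// Demo: three providers, one of them compromised, 2-of-3 agreement required.
const providers = [honestProvider, honestProvider, compromisedProvider];
console.log(verifySingleSource(compromisedProvider, "msg-evil")); // verified: true  (forged message accepted)
console.log(verifyWithQuorum(providers, "msg-evil", 2));          // verified: false (forgery outvoted)
console.log(verifyWithQuorum(providers, "msg-1", 2));             // verified: true  (real message, 3 votes)
```

The quorum only helps if the providers are genuinely independent: three endpoints that all proxy the same upstream node, or that all run under one operator's credentials, collapse back to a single point of failure. It also does nothing against an attacker who holds the verifier's own signing keys; it narrows the data-source attack surface, not the key-management one.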

This indirect route reveals a worrying evolution in the threat. Blockchain security firm Cyvers told CryptoSlate that North Korean-affiliated attackers are becoming increasingly capable and are investing more resources in preparing and executing attacks.

The company added, "We have also observed that they are always able to pinpoint the most vulnerable links. This time, the breach came through third-party components rather than the core infrastructure of the protocol."

The approach closely resembles traditional corporate espionage and suggests that North Korean-linked attacks are becoming harder to defend against. Recent incidents, such as the supply-chain compromise of the widely used Axios npm package, attributed to the North Korean threat group UNC1069, indicate that attackers are systematically tampering with software before it ever enters the blockchain ecosystem.
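One practical gate against a tampered dependency reaching a build is to audit the lockfile before anything is installed. The following is an added example and not code from the article, from Axios or from any project it names: `auditLockfile` reads an npm `package-lock.json` and flags entries that resolve outside the expected registry, lack an `integrity` hash, or are not on a reviewed name@version allowlist. The lockfile, the package versions and the allowlist are constructed placeholders, not a record of any real compromise.

```javascript
// Added example (hypothetical lockfile gate, not any project's code).
const EXPECTED_REGISTRY = "https://registry.npmjs.org/";

// Reviewed dependency set, e.g. generated from the last audited lockfile.
// Versions here are placeholders for the demo.
const ALLOWLIST = new Set(["axios@1.6.8", "follow-redirects@1.15.6"]);

// Constructed package-lock.json (lockfileVersion 3: "packages" keyed by
// install path). Two of the three entries are deliberately suspicious.
const LOCKFILE = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.6.8" } },
    "node_modules/axios": {
      version: "1.6.8",
      resolved: "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz",
      integrity: "sha512-CONSTRUCTEDHASHAAAA",
    },
    "node_modules/follow-redirects": {
      version: "1.15.6",
      // Tarball pulled from somewhere other than the expected registry.
      resolved: "https://mirror.example.net/follow-redirects-1.15.6.tgz",
      integrity: "sha512-CONSTRUCTEDHASHBBBB",
    },
    "node_modules/form-data": {
      version: "4.0.0",
      resolved: "https://registry.npmjs.org/form-data/-/form-data-4.0.0.tgz",
      // No integrity field: npm cannot verify this tarball's contents.
    },
  },
});

// Returns a list of findings; an empty list means the lockfile passed.
function auditLockfile(lockfileJson, allowlist, registry) {
  const lock = JSON.parse(lockfileJson);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === "") continue; // the root project itself
    // Package name is everything after the last "node_modules/" segment,
    // which also handles nested and scoped (@org/pkg) installs.
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const id = `${name}@${entry.version}`;
    if (!entry.resolved || !entry.resolved.startsWith(registry)) {
      findings.push({ id, reason: "resolved outside expected registry", detail: entry.resolved ?? "(none)" });
    }
    if (!entry.integrity) {
      findings.push({ id, reason: "missing integrity hash" });
    }
    if (!allowlist.has(id)) {
      findings.push({ id, reason: "not on reviewed allowlist" });
    }
  }
  return findings;
}

// Demo run: expect follow-redirects (off-registry) and form-data
// (no integrity, not reviewed) to be reported; axios passes.
for (const f of auditLockfile(LOCKFILE, ALLOWLIST, EXPECTED_REGISTRY)) {
  console.log(`${f.id}: ${f.reason}${f.detail ? " (" + f.detail + ")" : ""}`);
}
```

Run a check like this in CI before `npm ci` and fail the build on any finding. It complements, rather than replaces, npm's own integrity verification: a clean lockfile still has to be installed from that lockfile (`npm ci`, not `npm install`), and the allowlist only catches version drift if someone actually reviews each change to it.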

North Korea Infiltrates the Global Cryptocurrency Workforce

Beyond technical intrusions, North Korea is running a large-scale, organized infiltration of the global cryptocurrency labor market.

The threat model has broadened from purely remote hacking operations to placing malicious personnel directly inside unsuspecting Web3 startups.

The Ketman Project under the Ethereum Foundation's ETH Rangers security initiative conducted a six-month investigation, arriving at a startling conclusion: approximately 100 North Korean cyber operatives are embedded within several blockchain companies. They use forged identities, easily pass standard HR screenings, gain access to sensitive internal code repositories, and silently infiltrate product teams for months or even years before launching precise attacks.

Independent blockchain investigator ZachXBT has further corroborated this intelligence-agency-style infiltration. He recently exposed a North Korean cyber unit working remotely under fraudulently obtained identities and earning about $1 million a month.

This scheme transfers cryptocurrency to fiat through recognized global financial channels and has processed over $3.5 million since the end of 2025.

Industry insiders estimate that North Korea's overall IT-worker deployment brings in millions of dollars a month. That gives the regime two income streams: steady salary income, plus large-scale protocol theft assisted by insiders.

$6.75 Billion Total Theft Amount

The scale of North Korea's digital asset operations far exceeds that of any traditional cybercrime group. According to blockchain analytics firm Chainalysis, North Korean-affiliated hackers stole a record $2 billion in 2025, accounting for 60% of global cryptocurrency theft that year.

Factoring in this year's aggressive attacks, the cumulative amount of cryptocurrency stolen by North Korea has reached $6.75 billion.

Once funds are taken, the Lazarus Group follows a highly specific and regionally concentrated laundering pattern. Unlike typical cryptocurrency criminals, who frequently use DEXs and peer-to-peer lending protocols, North Korean hackers deliberately avoid those channels. On-chain data show that they lean heavily on Chinese-language guarantee (escrow-style) trading services, deep over-the-counter brokerage networks, and elaborate cross-chain mixing. That preference points to structurally constrained, geographically limited cash-out channels rather than unrestricted access to the global financial system.

Can It Be Prevented?

Security researchers and industry executives believe prevention is possible, but cryptocurrency companies must address the same operational weaknesses exposed in multiple significant attacks.

Terence Kwok, founder of Humanity, told CryptoSlate that North Korean-affiliated attacks still exploit familiar weaknesses rather than novel intrusion techniques. In his view the attackers are refining their intrusion methods and their ability to move funds, but the root causes remain poor access control and centralized operational risk.

He explained, "It's shocking that losses are still attributed to old problems like access control and single points of failure. This indicates that the industry has yet to resolve core security discipline issues."

Accordingly, Kwok said the industry's first line of defense is to make moving assets substantially harder, with stricter controls over private keys, internal permissions and third-party access. In practice that means reducing reliance on individual operators, restricting privileged access, hardening vendor dependencies, and adding more checks between core protocols and the outside world.
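What "make moving assets harder" looks like as policy logic, as an added example that is not the article's, Humanity's, or any named protocol's code: a transfer gate that requires M-of-N approvals from distinct operators, enforces a rolling outflow cap, and imposes a delay on any transfer above a large-amount threshold. The operator names, thresholds, window and amounts in `demo()` are all hypothetical; the point is that one stolen credential cannot move funds, and even several compromised approvers are rate-limited and slowed down enough for monitoring to catch up.

```javascript
// Added example (hypothetical treasury policy, not any project's code).
// Builds a gate over a single treasury; times are milliseconds.
function createTransferGate({ approvers, threshold, windowMs, windowCap, largeAmount, largeDelayMs }) {
  const history = [];        // executed transfers: { at, amount }
  const pending = new Map(); // proposalId -> { amount, approvals: Set, queuedAt }

  // Sum of everything already paid out inside the rolling window.
  function outflowSince(now) {
    return history
      .filter(t => t.at > now - windowMs)
      .reduce((sum, t) => sum + t.amount, 0);
  }

  return {
    propose(id, amount, now) {
      if (pending.has(id)) throw new Error("duplicate proposal id");
      if (!(amount > 0)) throw new Error("amount must be positive");
      pending.set(id, { amount, approvals: new Set(), queuedAt: now });
    },
    approve(id, operator) {
      const p = pending.get(id);
      if (!p) return { ok: false, reason: "unknown proposal" };
      if (!approvers.has(operator)) return { ok: false, reason: "not an approver" };
      p.approvals.add(operator); // Set semantics: one operator counts once
      return { ok: true, approvals: p.approvals.size };
    },
    execute(id, now) {
      const p = pending.get(id);
      if (!p) return { ok: false, reason: "unknown proposal" };
      if (p.approvals.size < threshold) return { ok: false, reason: "insufficient approvals" };
      // Large transfers must sit in the queue long enough to be noticed.
      if (p.amount >= largeAmount && now - p.queuedAt < largeDelayMs) {
        return { ok: false, reason: "timelock not elapsed" };
      }
      // Even fully approved transfers cannot drain the treasury in one window.
      if (outflowSince(now) + p.amount > windowCap) {
        return { ok: false, reason: "window outflow cap exceeded" };
      }
      history.push({ at: now, amount: p.amount });
      pending.delete(id);
      return { ok: true };
    },
  };
}

// Demo with constructed operators and limits: 3-of-4 approvals, a 24h cap
// of 1,000,000 units, and a 6h delay on anything >= 250,000.
function demo() {
  const HOUR = 3600 * 1000;
  const gate = createTransferGate({
    approvers: new Set(["alice", "bob", "carol", "dave"]),
    threshold: 3,
    windowMs: 24 * HOUR,
    windowCap: 1_000_000,
    largeAmount: 250_000,
    largeDelayMs: 6 * HOUR,
  });
  const t0 = 0;
  gate.propose("tx1", 900_000, t0);
  gate.approve("tx1", "alice");
  gate.approve("tx1", "alice");                    // replayed approval, no effect
  const alone = gate.execute("tx1", t0);           // one operator is not enough
  gate.approve("tx1", "bob");
  gate.approve("tx1", "carol");
  const early = gate.execute("tx1", t0);           // approved, but timelock still running
  const later = gate.execute("tx1", t0 + 7 * HOUR); // succeeds after the delay
  gate.propose("tx2", 200_000, t0 + 8 * HOUR);
  for (const op of ["alice", "bob", "carol"]) gate.approve("tx2", op);
  const capped = gate.execute("tx2", t0 + 8 * HOUR); // 900k + 200k exceeds the 24h cap
  return { alone, early, later, capped };
}

console.log(demo());
```

In a real deployment this logic belongs in the multisig or smart contract that actually holds the keys, or in an HSM policy, not in an off-chain script that a compromised operator host could bypass. The timelock is also only a defense if someone is watching the pending queue and can veto during the delay; a delay nobody monitors just postpones the loss.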

The second line of defense is speed. Once stolen funds cross chains, bridges, or enter money laundering networks, the probability of recovery sharply declines. Kwok stated that exchanges, stablecoin issuers, blockchain analytics firms, and law enforcement agencies must rapidly collaborate in the first few minutes and hours following an attack to enhance the chances of intercepting the funds.

His comments point to a reality of the industry: the most vulnerable points in cryptocurrency systems usually sit at the intersection of code, people and operations. A single stolen credential, a weak vendor dependency, or an overlooked permission misconfiguration can lead to losses of hundreds of millions of dollars.

The challenge for DeFi is no longer just writing robust smart contracts but securing the operational safety of protocol peripheries before attackers exploit the next weak link.

