One Hacking Unit Just Stole $578M From DeFi in 18 Days

North Korea's TraderTraitor subgroup hit Drift on April 1 and KelpDAO on April 18. One attack used a fake quant firm. The other poisoned bridge infrastructure. Different tactics, same wallet.

Suspected North Korean operatives have now siphoned at least $578 million from DeFi protocols in April 2026 alone, according to attribution from LayerZero and on-chain investigator Tanuki42. Both of the month’s two largest heists, Drift Protocol on April 1 and KelpDAO on April 18, have been tied to TraderTraitor, a subunit of the state-backed Lazarus Group.

The scale of the campaign is not the most striking part. The tactical versatility is. The Drift attack was a patient social engineering operation that took more than five months to set up. The KelpDAO exploit was a technical compromise of bridge infrastructure that unfolded in under an hour. Same group, radically different playbooks, back to back.

Two Attacks, Two Completely Different Methods

The timeline and mechanics of the April operations show how much the DPRK’s crypto playbook has evolved.

| Target | Date | Amount Stolen | Attack Vector | How They Got In |
| --- | --- | --- | --- | --- |
| Drift Protocol | April 1 | $285 million | Social engineering | Fake quant firm relationship built over five months |
| KelpDAO | April 18 | $293 million | Infrastructure exploit | Compromised RPC nodes on LayerZero bridge |
| April total | 18 days | $578 million | Two methods | Same group, radically different tactics |

The Drift attack reads like a spy novel. North Korean operatives posed as a legitimate quant trading firm, deposited $1 million of their own capital into the protocol to establish credibility, and spent months meeting Drift contributors in person at industry conferences. The relationship was nearly six months old when the theft launched on April Fools’ Day. The technical execution took 12 minutes. The setup took the better part of a year.

The KelpDAO attack did not require any of that. Attackers compromised the RPC infrastructure feeding LayerZero’s verifier network, poisoned two nodes, and DDoS’d a third. KelpDAO had used a single-verifier configuration on its bridge despite repeated warnings from LayerZero to adopt a multi-verifier setup. The system validated the forged cross-chain messages and paid out 116,500 rsETH before anyone noticed.

The Aave Contagion That Made It Worse

Neither attack stayed contained. The Drift heist briefly froze Solana’s largest perpetual futures venue and led to a $147.5 million recovery package coordinated by Tether. The KelpDAO heist was worse. The attackers deposited the stolen rsETH as collateral on Aave and borrowed clean WETH against it, leaving the lending protocol with $196 million in unrecoverable bad debt.

A bank run followed. Aave processed roughly $8.45 billion in withdrawals over 48 hours, with total value locked dropping from $26.4 billion to around $18 billion. Justin Sun alone pulled $154 million in ETH out of the protocol. The broader DeFi sector lost more than $13 billion in TVL across the two days following the breach.

Why Crypto Has Become a National Revenue Line

The April numbers sit inside a much larger story. Chainalysis recorded a record $2.02 billion stolen by North Korean hackers in 2025, bringing the all-time total to $6.75 billion. UN investigators estimate the country brought in roughly $3 billion from crypto attacks between 2017 and 2023. US officials have consistently said the proceeds fund Pyongyang’s weapons programs.

In March, the US Treasury Department sanctioned six individuals and two entities for their roles in North Korean IT worker fraud schemes. The FBI issued guidance last summer recommending that employers verify professional history and require in-person meetings before hiring remote developers. The Drift attack happened anyway, through precisely the kind of relationship those warnings were meant to prevent.

Security firm Chainalysis and LayerZero both note that the speed of iteration is what distinguishes the 2026 campaign. TraderTraitor deployed social engineering, infrastructure compromise, and a new macOS malware kit called Mach-O Man all within the same month. Each vector targets a different part of the crypto stack, and the kit is already being used by other cybercrime groups beyond Lazarus.

The Uncomfortable Lesson for DeFi

The through-line between Drift and KelpDAO is that neither attack broke cryptography. Drift’s smart contracts worked as designed. KelpDAO’s verifier signed what it was asked to sign. In both cases, the systems did exactly what their architecture told them to do, and the architecture had blind spots the operators had been warned about.

As David Schwed of SVRN put it, a signed lie is still a lie. Signatures guarantee authorship, not truth. That distinction is the one protocol designers kept assuming did not matter in practice, and two attacks in 18 days proved it does.
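The single-verifier failure described in the KelpDAO section and the "signed lie" point above, modelled in an added Python example that is not LayerZero's, KelpDAO's or the article's code: a verifier signs whatever the RPC nodes it can reach agree on, the bridge releases funds on a quorum of verifiers, and a constructed scenario poisons two of the sole verifier's RPC nodes and takes the third offline. Node names, hashes, amounts, the RPC interface and the quorum rule are all assumptions.

```python
# Toy model of a bridge verifier layer: an added example, not LayerZero's or
# KelpDAO's code. Node names, tx hashes, amounts, the RPC interface and the
# quorum rule are constructed assumptions for illustration only.
class RpcNode:
    """One RPC endpoint a verifier consults. Events are (tx_hash, to, amount)."""
    def __init__(self, name, truth, forged=None, down=False):
        self.name, self.truth, self.down = name, truth, down
        self.forged = forged or {}  # a poisoned node answers with these instead
    def get_event(self, tx_hash):
        if self.down:
            raise TimeoutError(self.name)  # a DDoS'd node never answers
        return self.forged.get(tx_hash, self.truth.get(tx_hash))

class Verifier:
    """Signs an event when every RPC node it can reach reports it."""
    def __init__(self, name, rpcs, fail_closed=False):
        self.name, self.rpcs, self.fail_closed = name, rpcs, fail_closed
    def attest(self, event):
        answers = []
        for rpc in self.rpcs:
            try:
                answers.append(rpc.get_event(event[0]))
            except TimeoutError:
                if self.fail_closed:  # an unreachable node counts as dissent
                    return False
        # the signature proves only that this verifier's RPCs said so, not truth
        return bool(answers) and all(a == event for a in answers)

def bridge_releases(event, verifiers, required):
    """Pay out only when at least `required` independent verifiers attest."""
    return sum(v.attest(event) for v in verifiers) >= required

# Constructed scenario: two of the sole verifier's RPCs are poisoned and the
# third is DDoS'd; two other verifiers run their own healthy RPC endpoints.
TRUTH = {"0xaaa": ("0xaaa", "alice", 5)}  # the only real deposit
FORGED = ("0xbad", "attacker", 116_500)   # never happened on-chain
rpc_a = RpcNode("rpc-a", TRUTH, forged={"0xbad": FORGED})
rpc_b = RpcNode("rpc-b", TRUTH, forged={"0xbad": FORGED})
rpc_c = RpcNode("rpc-c", TRUTH, down=True)
SOLE = Verifier("v1", [rpc_a, rpc_b, rpc_c])
OTHERS = [Verifier(n, [RpcNode(n + "-rpc", TRUTH)]) for n in ("v2", "v3")]

def single_verifier_outcome():  # 1-of-1: the signed lie gets paid
    return bridge_releases(FORGED, [SOLE], required=1)
def multi_verifier_outcome():  # 2-of-3 with independent RPCs: rejected
    return bridge_releases(FORGED, [SOLE] + OTHERS, required=2)
def fail_closed_outcome():  # 1-of-1, but the DDoS'd node blocks signing
    strict = Verifier("v1-strict", [rpc_a, rpc_b, rpc_c], fail_closed=True)
    return bridge_releases(FORGED, [strict], required=1)
```

The genuine deposit still clears the 2-of-3 quorum, so the multi-verifier setting costs nothing on honest traffic; the fail-closed variant shows why the DDoS on the third node was a necessary part of the forgery rather than noise.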

For users, the immediate takeaway is that protocol selection alone no longer protects capital. A restaking protocol can lose funds because its bridge configuration was flagged as unsafe and the warning was ignored. A derivatives venue can lose funds because the trusted counterparty whose pre-signed transaction it accepted turned out to be a state actor in disguise. Diversification across protocols, smaller positions in unaudited bridges, and a cold wallet for anything not actively in use are the practical defenses that still work when everything else gets compromised.
