North Korea’s playbook for stealing digital assets appears to be widening, with two large decentralised finance breaches in April draining more than half a billion dollars in little over two weeks and deepening concern that what once looked like scattered attacks now resembles a more sustained offensive against crypto infrastructure. Investigators and market participants have linked the earlier Drift Protocol exploit to North Korean operators, while the later Kelp DAO breach has also been tied by infrastructure and forensic specialists to actors associated with Lazarus, the hacking apparatus long blamed for the state’s biggest crypto thefts.
The first blow landed on April 1, when Drift Protocol, a major Solana-based DeFi venue, was stripped of about $285 million to $286 million in user assets. The theft stood out not only for its scale but for the method: investigators said the attackers did not rely simply on code flaws or brute-force intrusion, but on a prolonged trust-building effort that included fabricated identities, commercial courtship and manipulation of governance and collateral systems. Analysts tracking the flows said the behaviour, laundering patterns and wider tradecraft were consistent with earlier operations attributed to Pyongyang.
Less than three weeks later, Kelp DAO suffered an even larger hit of roughly $290 million to $292 million through its rsETH bridge setup, pushing April’s cumulative losses from the two incidents above $575 million. Initial accounts indicated the attacker forged cross-chain messaging after compromising elements of the verifier infrastructure and exploiting a configuration that depended on a single validation pathway. Security specialists said that architecture sharply reduced redundancy and left the system vulnerable if the trusted channel was subverted.
Taken together, the two episodes have intensified a debate already running through digital-asset markets: whether DeFi’s core promise of speed, openness and composability has again outrun its operational security. The Drift case suggested that human deception, fake counterparties and insider-style access can be just as dangerous as smart-contract bugs. The Kelp breach, by contrast, highlighted the risks of brittle cross-chain design and concentration in trust assumptions. Different attack paths, but the same result: very large pools of capital moved quickly with little immediate recourse once defences failed.
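The design point raised above, a single validation pathway versus redundant independent verification, as an added illustration that is not Kelp DAO's code or any real bridge's: in this toy model a cross-chain release message is honoured only when enough distinct verifiers attest to it, so under the quorum configuration a single compromised signer is no longer sufficient. Verifier names, keys and the HMAC attestation scheme are constructed assumptions (real bridges use asymmetric signatures).

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed toy verifier set; keys are placeholders, not real material.
VERIFIER_KEYS = {
    "verifier-a": b"constructed-key-a",
    "verifier-b": b"constructed-key-b",
    "verifier-c": b"constructed-key-c",
}


def attest(verifier: str, message: bytes) -> bytes:
    """A verifier's attestation over a release message (HMAC stands in for a signature)."""
    return hmac.new(VERIFIER_KEYS[verifier], message, hashlib.sha256).digest()


@dataclass(frozen=True)
class BridgeConfig:
    verifiers: frozenset  # verifiers whose attestations the bridge accepts
    threshold: int        # distinct valid attestations required to honour a message


def verify_message(cfg: BridgeConfig, message: bytes, attestations: dict) -> bool:
    """Honour the message only if at least `threshold` distinct trusted verifiers attested."""
    valid = set()
    for name, sig in attestations.items():
        if name not in cfg.verifiers:
            continue  # unknown or untrusted signer: ignored, not counted
        if hmac.compare_digest(attest(name, message), sig):
            valid.add(name)  # a set, so the same verifier cannot be counted twice
    return len(valid) >= cfg.threshold


# The weak setting: one trusted verifier, one attestation suffices.
SINGLE_PATH = BridgeConfig(frozenset({"verifier-a"}), threshold=1)
# The corrected setting: any two of three independent verifiers must agree.
QUORUM = BridgeConfig(frozenset(VERIFIER_KEYS), threshold=2)


def single_signer_is_sufficient(cfg: BridgeConfig, message: bytes, signer: str = "verifier-a") -> bool:
    """Design check: can one verifier alone authorise a release under this configuration?"""
    return verify_message(cfg, message, {signer: attest(signer, message)})
```

Running the design check against each configuration is the review step: a bridge where `single_signer_is_sufficient` returns True has exactly the single-pathway dependency the article describes.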
The geopolitical dimension is what makes the pattern especially unsettling. North Korean cyber actors have been accused for years of treating crypto theft as a strategic revenue stream, and official US statements have said proceeds from such operations help finance the country’s sanctioned state apparatus, including weapons-related programmes. Data compiled by blockchain investigators show North Korea-linked groups stole between roughly $1.9 billion and $2.02 billion in cryptocurrency during 2025 alone, accounting for about 60 per cent of global crypto theft that year by some estimates.
That backdrop helps explain why April’s losses are being read as more than another bad month for crypto security. The concern is not merely that DeFi remains hackable; it is that large thefts may be converging with a more industrial model of state-linked cyber finance. Researchers have described a shift towards fewer but larger incidents, often supported by social engineering, fake employment histories, front identities, outsourced laundering channels and rapid movement of funds across multiple chains. Drift’s months-long deception campaign fitted that template with unusual clarity.
The market effect has spread beyond the directly hit protocols. Drift moved to suspend activity and later pursued a relaunch backed by fresh funding, while the Kelp exploit triggered wider concern around spillover risk, bridge security and the knock-on impact on lending venues exposed to related collateral. That contagion risk matters because DeFi systems are tightly interconnected; weakness in one protocol can rapidly migrate into pricing stress, liquidity strain and bad-debt fears elsewhere. A sector that has promoted transparency and programmability is being forced to confront how quickly those same qualities can transmit damage.