North Korea hit crypto for $500M+ this month — and the $6.75 billion threat is not over yet
In just under three weeks, cyber operatives linked to the Democratic People’s Republic of Korea (DPRK) have stolen more than $500 million from crypto DeFi platforms.
This marks a drastic escalation in Pyongyang’s state-sponsored campaign to bankroll its weapons programs through cryptocurrency theft.
Drift and KelpDAO drive North Korea’s $500 million-plus DeFi exploits
Notably, the twin devastating exploits targeting the Drift Protocol and KelpDAO have pushed North Korea’s illicit crypto haul for the year well past the $700 million mark.
The staggering losses underscore a shift in tactics by Kim Jong Un’s cyber army, which is increasingly weaponizing complex supply-chain vulnerabilities and executing deep-cover human infiltration to bypass standard security perimeters.
On April 20, cross-chain infrastructure provider LayerZero confirmed that KelpDAO suffered an exploit resulting in the loss of roughly $290 million. The breach, which occurred on April 18, now stands as the largest single crypto hack of 2026.
The firm said that preliminary forensics point directly to TraderTraitor, a specialized cell operating within North Korea’s notorious Lazarus Group.
Just weeks earlier, on April 1, the Solana-based decentralized perpetual futures exchange Drift Protocol was drained of an estimated $286 million.
Blockchain intelligence firm Elliptic quickly linked the on-chain laundering methodologies, transaction sequencing, and network-level signatures to previously established DPRK attack vectors, noting it was the 18th such incident the firm had tracked this year alone.
Exploiting the infrastructure periphery
The methodology behind the April attacks reveals a maturation in how state-sponsored hackers target decentralized finance (DeFi). Instead of attacking hardened core smart contracts head-on, operatives are identifying and exploiting the structural periphery.
In the case of the KelpDAO attack, LayerZero explained that the hackers compromised the downstream Remote Procedure Call (RPC) infrastructure used by the LayerZero Labs Decentralized Verifier Network (DVN).
By poisoning these critical data pathways, the attackers manipulated the protocol’s operations without compromising its core cryptography. LayerZero has since deprecated the affected nodes and fully restored DVN operations, but the financial damage had already been finalized.
This indirect approach highlights a terrifying evolution in cyber warfare.
Blockchain security firm Cyvers told CryptoSlate that North Korea-linked attackers are showing increased sophistication and investing more resources, both in preparation and execution, to carry out their malicious attacks.
The firm added:
“We also observe how they consistently find the weakest link. In this case, it was a third party rather than the protocol’s core infrastructure.”
The strategy closely mirrors traditional corporate cyberespionage and shows that DPRK-linked breaches have been becoming harder to stop.
Recent incidents, such as the supply-chain compromise of the widely used Axios npm software package, which Google researchers linked to a distinct DPRK threat actor dubbed UNC1069, demonstrate an ongoing, methodical effort to poison the well before the software even reaches the blockchain ecosystem.
North Korea infiltrates crypto workforce
Beyond technical exploits, North Korea is currently executing a massive, coordinated infiltration of the global crypto labor market.
The threat model has fundamentally shifted from remote hacking campaigns to placing malicious insiders directly onto the payrolls of unsuspecting Web3 startups.
A grueling six-month investigation by the Ketman Project, an initiative operating under the Ethereum Foundation’s ETH Rangers security program, recently concluded with startling findings: roughly 100 North Korean cyber operatives are currently embedded within various blockchain companies.
Operating under fabricated identities, these sophisticated IT workers routinely pass standard human resources screenings, gain access to sensitive internal code repositories, and sit quietly within product teams for months, or even years, before initiating a calculated attack.
This intelligence-agency-style patience was further corroborated by independent blockchain investigator ZachXBT.
He recently uncovered a specialized DPRK network that has been generating roughly $1 million a month by using fraudulent personas to secure remote work.
This particular scheme funnels crypto-to-fiat transfers through sanctioned global financial channels and has processed over $3.5 million since late 2025.
Industry estimates suggest that Pyongyang’s broader deployment of IT workers generates multiple seven-figure sums monthly.
This creates a dual-pronged revenue stream for the regime: the steady accumulation of fraudulent wages, paired with the catastrophic windfalls of insider-facilitated protocol exploits.
North Korea’s laundering networks and macroeconomic survival
The sheer scale of North Korea’s digital asset operations dwarfs that of any traditional cybercriminal syndicate.
According to blockchain analytics firm Chainalysis, DPRK-linked hackers stole a record $2 billion in 2025 alone, accounting for a staggering 60% of all global cryptocurrency thefts that year. That figure was heavily bolstered by a devastating $1.5 billion raid on the Bybit exchange in February 2025.
Factoring in this year’s brutal campaign, North Korea’s all-time crypto-asset haul is estimated at $6.75 billion.
Once the funds are stolen, Lazarus Group operatives exhibit highly specific, regionalized laundering patterns. Unlike ordinary crypto criminals who frequently use decentralized exchanges (DEXs) and peer-to-peer lending protocols, DPRK actors actively avoid them.
Instead, on-chain data reveals a heavy reliance on Chinese-language guarantee services, deep over-the-counter (OTC) broker networks, and complex cross-chain mixing services.
This particular preference points to structural constraints and deeply established, geographically restricted off-ramps rather than broad, unrestricted access to the global financial system.
Can these attacks be prevented?
Security researchers and industry executives say the answer is yes, but only if crypto companies address the same operational weaknesses that continue to surface in major breaches.
Terence Kwok, founder of Humanity, told CryptoSlate that the pattern behind many of these North Korea-linked losses still points to familiar weaknesses rather than entirely new forms of cyber intrusion.
In his view, North Korean actors are improving both their access methods and their ability to move stolen funds, but the damage often still traces back to poor access controls and concentrated operational risk.
He explained:
“What’s striking is how often the damage still comes down to the same weak points around access control and single points of failure. That tells you the industry still has some basic security discipline issues it has not solved.”
Considering this, Kwok said that the industry’s first line of defense is to make asset movement materially harder to compromise. That means enforcing tighter controls over private keys, internal permissions, and third-party access across the software stack.
In practice, that would require companies to reduce reliance on individual operators, limit privileged access, harden vendor dependencies, and build more checks around the infrastructure that sits between core protocols and the outside world.
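One concrete form of the "more checks around the infrastructure between core protocols and the outside world" that Kwok describes, applied to the RPC-poisoning pattern LayerZero reported in the KelpDAO incident: a verifier that only attests to a cross-chain message when a quorum of independent RPC providers agree on what the source chain says. This is an added illustration, not LayerZero's, KelpDAO's or any DVN's actual code; the provider labels, payloads and hash scheme are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Observation:
    provider: str      # hypothetical label for an independent RPC provider
    payload_hash: str  # hex digest of the message payload that provider reports


def payload_hash(src_chain: str, nonce: int, payload: bytes) -> str:
    """Bind a payload to its source chain and nonce (constructed scheme)."""
    return hashlib.sha256(f"{src_chain}:{nonce}:".encode() + payload).hexdigest()


def verify_with_quorum(observations, quorum):
    """Return (verdict, agreed_hash, dissenters).

    'attest' only when at least `quorum` distinct providers report the same
    hash; any disagreement is surfaced so operators can investigate the
    outlier instead of silently trusting whichever node answered first."""
    # One vote per provider, so a duplicated or chatty node cannot outvote the rest.
    by_provider = {o.provider: o.payload_hash for o in observations}
    if quorum < 1 or quorum > len(by_provider):
        raise ValueError("quorum must be between 1 and the number of distinct providers")
    winner, count = Counter(by_provider.values()).most_common(1)[0]
    if count < quorum:
        return ("halt", None, sorted(by_provider))
    dissenters = sorted(p for p, h in by_provider.items() if h != winner)
    return ("attest", winner, dissenters)


# Constructed sample data: the honest payload and a forged variant for the same (chain, nonce).
HONEST = payload_hash("chainA", 42, b"lock 100 tokens, nonce 42")
FORGED = payload_hash("chainA", 42, b"lock 100 tokens, nonce 42 ")
PROVIDERS = ("rpc-1", "rpc-2", "rpc-3", "rpc-4")


def simulate(poisoned, quorum=3):
    """Simplified model of a poisoned-RPC scenario: providers in `poisoned`
    return the forged hash, all others return the honest one."""
    obs = [Observation(p, FORGED if p in poisoned else HONEST) for p in PROVIDERS]
    return verify_with_quorum(obs, quorum)


if __name__ == "__main__":
    for bad in (set(), {"rpc-1"}, {"rpc-1", "rpc-2"}):
        print(sorted(bad), "->", simulate(bad))
```

The check only holds while a minority of providers is compromised, so its value comes from the providers being genuinely independent (different operators, networks and hosting), not from the quorum number itself.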
The second priority is speed. Once stolen funds begin moving across chains, through bridges, or into laundering networks, the chances of recovery fall sharply. Kwok said exchanges, stablecoin issuers, blockchain analytics firms, and law enforcement agencies need to coordinate far faster during the first minutes and hours after a breach if they want to improve containment.
His comments point to a broader reality for the sector.
Crypto systems are often hardest to defend where code, people, and operations meet. A compromised credential, a weak vendor dependency, or an overlooked permissions failure can create a gap large enough to drain hundreds of millions of dollars.
The challenge for DeFi is not just writing resilient smart contracts. It is securing the operational perimeter around them before attackers exploit the next weak link.
The post North Korea hit crypto for $500M+ this month — and the $6.75 billion threat is not over yet appeared first on CryptoSlate.
