DPRK Cyber Operatives Steal Over $500 Million in Crypto This Month

In less than three weeks, cyber operatives linked to the Democratic People’s Republic of Korea (DPRK) have stolen more than $500 million from decentralized finance (DeFi) cryptocurrency platforms. This marks a significant escalation in Pyongyang’s state-sponsored campaign to finance its weapons programs through cryptocurrency theft.

Twin Exploits Push North Korea’s 2026 Crypto Theft Past $700 Million

The devastating exploits targeting the Drift Protocol and KelpDAO have pushed North Korea’s illicit crypto haul for 2026 well past the $700 million mark. These staggering losses highlight a shift in tactics by Kim Jong Un’s cyber army, which is increasingly exploiting complex supply-chain vulnerabilities and deploying deep-cover human infiltration to bypass standard security measures.

KelpDAO Hack: Largest Single Crypto Theft of 2026

On April 20, cross-chain infrastructure provider LayerZero confirmed that KelpDAO suffered an exploit resulting in the loss of approximately $290 million. The breach, which occurred on April 18, now stands as the largest single crypto hack of 2026. LayerZero stated that preliminary forensics point directly to TraderTraitor, a specialized cell operating within North Korea’s notorious Lazarus Group.

Drift Protocol Hack: $286 Million Stolen from Solana-Based Exchange

Just weeks earlier, on April 1, the Solana-based decentralized perpetual futures exchange Drift Protocol was drained of an estimated $286 million. Blockchain intelligence firm Elliptic swiftly connected the on-chain laundering methodologies, transaction sequencing, and network-level signatures to previously established DPRK attack vectors. Elliptic noted this was the 18th such incident the firm had tracked this year alone.

How North Korea’s Cyber Attacks Are Evolving

The methodology behind the April attacks reveals a maturation in how state-sponsored hackers target DeFi. Instead of attacking hardened core smart contracts directly, operatives are identifying and exploiting the structural periphery of these systems: the off-chain infrastructure, third-party services and software dependencies the protocols rely on.

Exploiting the Infrastructure Periphery: KelpDAO Attack Breakdown

In the case of the KelpDAO attack, LayerZero explained that hackers compromised the downstream Remote Procedure Call (RPC) infrastructure used by the LayerZero Labs Decentralized Verifier Network (DVN). By poisoning these critical data pathways, the attackers manipulated the protocol’s operations without compromising its core cryptography: the verifiers signed what their RPC sources told them, and those sources were lying. LayerZero has since deprecated the affected nodes and fully restored DVN operations, but the financial damage was already done.
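The failure mode described above is a verifier trusting a single upstream data source. The following is an added example, not LayerZero’s or KelpDAO’s code, of the kind of cross-checking a verifier can apply: it collects the same observation from several independent RPC providers and only attests when a strict majority agrees, so one poisoned provider cannot steer the result on its own. The `RpcObservation` type, the `rpc-provider-*` labels and the sample observations are constructed for illustration.

```python
"""Quorum check over independent RPC sources before a verifier attests.

Added example (not LayerZero or KelpDAO code). It assumes a verifier that
is asked to attest to a message hash seen at a given block and that can ask
several unrelated RPC providers for that observation.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class RpcObservation:
    endpoint: str       # hypothetical label for one RPC provider
    block_number: int   # block in which the message was observed
    message_hash: str   # hex digest the verifier is asked to attest


def quorum_verify(observations, threshold):
    """Return (attested_hash, dissenting_endpoints).

    attested_hash is None when fewer than `threshold` distinct endpoints
    agree on the same (block_number, message_hash) pair. `threshold` must
    be a strict majority of the distinct endpoints consulted, so that at
    most one candidate can ever reach it and there is no tie to break.
    Duplicate reports from the same endpoint count once.
    """
    if threshold < 1:
        raise ValueError("threshold must be positive")
    if not observations:
        return None, []

    # One vote per endpoint: the first report from an endpoint is kept.
    by_endpoint = {}
    for obs in observations:
        by_endpoint.setdefault(obs.endpoint, obs)
    if 2 * threshold <= len(by_endpoint):
        raise ValueError("threshold must be a strict majority of endpoints")

    tally = Counter((o.block_number, o.message_hash) for o in by_endpoint.values())
    winner, votes = tally.most_common(1)[0]
    dissenters = sorted(
        name for name, o in by_endpoint.items()
        if (o.block_number, o.message_hash) != winner
    )
    if votes < threshold:
        # No agreement: refuse to attest and surface who disagreed so the
        # operator can investigate the RPC path rather than the contract.
        return None, dissenters
    return winner[1], dissenters


# Constructed sample: three providers agree, one returns a poisoned value.
HONEST = "0x" + "ab" * 32
POISONED = "0x" + "cd" * 32
SAMPLE = [
    RpcObservation("rpc-provider-a", 20_100_000, HONEST),
    RpcObservation("rpc-provider-b", 20_100_000, HONEST),
    RpcObservation("rpc-provider-c", 20_100_000, POISONED),  # compromised upstream
    RpcObservation("rpc-provider-d", 20_100_000, HONEST),
]


if __name__ == "__main__":
    print("3-of-4 quorum:", quorum_verify(SAMPLE, 3))
    print("4-of-4 quorum:", quorum_verify(SAMPLE, 4))
    # A verifier wired to a single provider attests whatever it is told.
    print("single source:", quorum_verify([SAMPLE[2]], 1))
```

With the 3-of-4 policy the verifier attests the honest hash and reports `rpc-provider-c` as dissenting; with 4-of-4 it refuses entirely. The last call shows the weakness the passage describes: a verifier that consults only the compromised provider attests the poisoned hash with no sign that anything is wrong.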

Blockchain security firm Cyvers told CryptoSlate that North Korea-linked attackers are showing increased sophistication and investing more resources, both in preparation and execution, to carry out their malicious attacks. The firm added:

“We also observe how they consistently find the weakest link. In this case, it was a third party rather than the protocol's core infrastructure.”

The strategy closely mirrors traditional corporate cyberespionage, in which the target’s suppliers and service providers are attacked before the target itself, and shows that DPRK-linked breaches are becoming harder to stop.

Supply-Chain Compromises: A Growing Threat

Recent incidents, such as the supply-chain compromise of the widely used Axios npm software package, which Google researchers linked to a distinct DPRK threat actor dubbed UNC1069, demonstrate an ongoing, methodical effort to poison the well upstream, before the software even reaches the blockchain ecosystem.

North Korea’s Infiltration of the Crypto Workforce

Cybersecurity experts warn that North Korea is increasingly infiltrating the crypto workforce through deep-cover human operatives. These operatives embed themselves within crypto projects, waiting for the opportune moment to exploit vulnerabilities or facilitate large-scale thefts. The infiltration strategy adds another layer of complexity to the already challenging task of securing decentralized platforms.