North Korea-Linked Hackers Steal $578M in April Crypto Heists
North Korean state-backed hackers stole $578 million from Kelp DAO and Drift, the largest exploits since Bybit. The attacks used social engineering and misconfigurations, with stolen funds commingling with previous heists, as DPRK continues to threaten crypto.
Quick Take
Kelp DAO lost $292M, Drift lost $285M, both tied to Lazarus Group.
Hackers used a single-verifier flaw and in-person social engineering.
FBI reports rising crypto crime, with $11.37B in losses in 2025.
Market Impact Analysis
Bearish: $578M in exploits raises security concerns and could lead to sell-offs of affected tokens and cautious sentiment in DeFi.
Key Takeaways
- North Korean state-backed hackers stole $578M from Kelp DAO and Drift in April, the largest monthly haul since the Bybit attack.
- Both exploits share a common actor: the Lazarus Group’s TraderTraitor subgroup, using social engineering and infrastructure flaws.
- Stolen funds were commingled with wallets from previous heists, complicating recovery efforts.
- FBI data reveals crypto crime surged 21% in 2025, with losses hitting $11.37B, underscoring escalating threats.
What Happened
On Saturday, Kelp DAO lost $292 million when hackers exploited a misconfiguration in its cross-chain messaging. The attack followed a $285 million breach at Drift on April Fools’ Day, pushing North Korea-linked monthly theft to $578 million. Investigators tied both to TraderTraitor, a Lazarus Group offshoot. Stolen funds from Kelp moved into wallets already flagged in earlier heists. The two incidents mark the largest crypto exploits since the Bybit hack, reigniting fears over state-sponsored DeFi attacks.
The Numbers
The $292 million Kelp DAO hack now stands as 2025's largest exploit, edging out Drift's $285 million theft. Combined, the two amount to $578 million in North Korea-attributed crypto crime for April alone. FBI data paints a broader picture: 181,565 crypto complaints in 2025, a 21% jump, with total losses reaching $11.37 billion. The Lazarus Group alone has reportedly stolen billions in digital assets over recent years to fund Pyongyang's weapons programs.
Why It Happened
Kelp DAO's single verifier configuration on LayerZero allowed attackers to push malicious cross-chain messages. At Drift, hackers posed as a quant trading firm and built in-person trust at a conference before striking. Both reveal a pattern: DPRK operatives blend technical exploits with sophisticated social engineering. The FBI warns that lax hiring checks let North Korean IT workers infiltrate firms, while DeFi protocols often rely on fragile verification setups, creating wide attack surfaces.
Broader Impact
The dual heists intensify scrutiny on DeFi's cross-chain security and personnel vetting. Protocols using minimal verifier setups face urgent redesign pressure. The commingling of stolen funds with legacy wallets suggests Lazarus is building a vast illicit treasury. With FBI stats showing crypto crime rising sharply, regulators may push for tighter security mandates—and users will demand safer platforms.
What to Watch Next
- Kelp DAO and Drift remediation efforts—will affected tokens face sell pressure?
- LayerZero and other messaging protocols likely hardening verifier defaults.
- New FBI or Treasury sanctions targeting North Korean crypto operatives, following March's designations.
This article is for informational purposes only and does not constitute financial advice.
Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.
© 2026 Bytewit. All Rights Reserved.