North Korea just stole $577mn from crypto with two attacks, here’s how

by Molly Poole



In April 2026, two hacks worth $577 million accounted for 76% of all crypto theft this year. Both were the work of North Korea’s Lazarus Group. 

Summary

  • North Korea-linked Lazarus attacks drained $577 million from Drift Protocol and KelpDAO.
  • The Drift exploit relied on social engineering, compromised devices, and multisig approvals.
  • KelpDAO’s breach triggered a DeFi bank-run risk after rsETH collateral spread through Aave.
  • The attacks show DeFi security now depends on human, operational, and bridge-layer defenses.

Neither was a smart contract exploit. The attackers spent six months posing as a trading firm, attending crypto conferences in person, and building real relationships with engineers at Drift Protocol before extracting the signatures they needed to drain $285 million in twelve minutes.

The other attack drained $292 million from a single vulnerable bridge node. This is no longer a crypto security problem. It is a state-sponsored intelligence operation, run by a country that uses the proceeds to fund its weapons program. And the industry is only just starting to admit it.

Twelve minutes in April

At 16:06:09 UTC on April 1, 2026, an attacker drained the major vaults of Drift Protocol, the largest decentralized perpetual futures exchange on Solana, of roughly $285 million in user assets. The first withdrawal moved 41.72 million JLP tokens. The last moved 2,200 wrapped ETH. The entire treasury was emptied in twelve minutes, about the time it takes to write a long text message.

The team’s first public statement, posted on X within hours, asked the community to confirm the unusual activity they were seeing was not an April Fool’s joke. It was not. It was the culmination of six months of methodical preparation by operatives working for the government of North Korea.

Seventeen days later, on April 18, attackers drained $292 million from KelpDAO, a restaking protocol, by manipulating a single-verifier configuration in its LayerZero bridge. The two attacks combined accounted for roughly 95 percent of April’s $625 million in crypto theft, which made April 2026 the worst month for crypto security in recorded history. Year-to-date theft through April crossed $1 billion. TRM Labs pinned 76 percent of the entire 2026 total on two attacks. Both were the work of the same threat actor.

That threat actor is the Lazarus Group, the umbrella name Western intelligence agencies use for state-sponsored hacking operations run out of the Reconnaissance General Bureau, North Korea’s primary intelligence agency. Since 2017, Lazarus and its sub-units have stolen over $6 billion in cryptocurrency.

By Chainalysis figures, $2.06 billion of that was stolen in 2025 alone, driven primarily by the catastrophic $1.5 billion Bybit hack in February of that year, the largest crypto theft in history. The 2026 pace puts the group on track to comfortably pass the 2025 total.

This is not a crypto security story in any conventional sense. The threats DeFi protocols face today are not the threats they were designed to defend against. The 2020-era worry was smart contract bugs and flash loan exploits, vulnerabilities in code. The 2026 reality is sustained, multi-country, multi-month operations run by intelligence professionals who do not need a code exploit because they already have the keys. They just had to convince someone to hand them over.

That is what the Drift attack was. And understanding it is the most important security education any crypto holder, builder, or executive can get right now.

The Drift operation, step by step

Drift Protocol’s own post-mortem, published in early April, reads more like a counterintelligence report than a security disclosure. It begins in October 2025.

At a major crypto conference, a group of individuals presenting themselves as representatives of a quantitative trading firm approached Drift contributors. They had verified professional backgrounds, demonstrated technical fluency, and asked exactly the kinds of questions a real institutional trading firm would ask about integrating with a perpetuals protocol. Drift contributors, who deal with such requests routinely, treated them like any other potential institutional partner.

Drift has since clarified that the individuals at those in-person meetings were not North Korean nationals. Lazarus operations almost always use third-party intermediaries for face-to-face contact, with the actual technical operators staying inside North Korea or China. Blockchain investigator ZachXBT, who has been tracking DPRK crypto operations for years, has noted this layered identity structure is one of the defining features of Lazarus campaigns.

The group did not stop after the first conference. Over six months, the same operatives, or operatives presenting the same identities, appeared at multiple global industry events, deepening relationships with specific Drift contributors. A Telegram group was set up for ongoing discussion of trading strategies and integration possibilities. From December 2025 through January 2026, the fake trading firm “onboarded an ecosystem vault” with Drift, submitting strategy details and depositing over $1 million into the protocol as a partner. This is not a normal scam operation. This is an intelligence service running a HUMINT campaign with a budget.

By February and March 2026, the relationships were deep enough that contributors trusted these counterparties to share repositories and applications. According to Drift, the attackers used two specific malware vectors. One involved sharing repositories that contained code which, when opened in VSCode or Cursor (the AI-augmented code editor), could trigger silent code execution through a then-unpatched vulnerability. The other involved a contributor downloading what was presented as a wallet product distributed through TestFlight, Apple’s beta-testing platform, which compromised the device.

Once the attackers had access to the right machines, they had access to the right wallets. And once they had the right wallets, the rest of the operation was logistics.

On March 23, more than a week before the theft, the attackers set up four wallets using Solana’s “durable nonce” feature, which lets pre-signed transactions execute at any future point. Two of those wallets belonged to compromised members of Drift’s Security Council, the multisig signer group that controlled the protocol’s most sensitive functions. The other two were under direct attacker control. Through social engineering and the compromised devices, the attackers obtained the multisig approvals from two of the five Security Council signers needed to execute the pre-signed transactions.

On April 1, while the Drift team was carrying out a routine withdrawal from the insurance fund, the attackers executed two of the pre-signed transactions four block slots apart. The transactions seized admin control, introduced a synthetic asset called CarbonVote Token (CVT) into the spot market, manipulated its price through wash trading on two decentralized exchanges to give the false appearance of legitimate value, and raised the protocol’s USDC withdrawal limit to 500 trillion. CVT was then deposited as collateral against the entire treasury. Twelve minutes later, $285 million was gone.

The attackers swapped the stolen assets to USDC through Jupiter, Solana’s largest DEX aggregator, and bridged approximately 129,000 ETH worth $270 million to Ethereum through Circle’s CCTP protocol. They held the stolen USDC for several hours before completing the bridge. Circle did not freeze the funds during that window. Security researcher Specter noted at the time that the attackers had deliberately avoided converting to Tether, which suggested confidence Circle, specifically, would not intervene. They were correct.

Why none of this is new, and why that matters

The temptation, reading the Drift post-mortem, is to treat it as an extraordinary one-off. A six-month operation. Multiple compromised devices. Pre-signed transactions. Wash-traded fake collateral. It reads like a Hollywood script.

But step back, and the architectural fingerprints of every major Lazarus DeFi attack of the past three years are identical. A compromised human signer. A weakened multisig configuration. A delayed or absent timelock. A malicious payload disguised as a routine operation. The Bybit hack in February 2025, the $1.5 billion theft now attributed by the FBI to a Lazarus sub-cluster called TraderTraitor, used the same approach. Bybit’s signers believed they were approving routine cold wallet operations through Safe’s multisig infrastructure. They were not. The Safe infrastructure had been compromised through a developer-side attack, and the transaction they signed transferred control of the wallet contract itself.

Go back further and the pattern holds. The 2022 Ronin Bridge hack, which lost $625 million from Axie Infinity’s bridge, started with fake LinkedIn job offers targeting a developer. A malicious “interview challenge” downloaded malware. The malware compromised validator nodes. The attackers got the five validator signatures they needed and drained the bridge. The 2024 DMM Bitcoin hack, a $300 million loss, started the same way: a fake recruiter contacting an engineer at Ginco, the wallet provider DMM relied on. The 2023 CoinsPaid attack followed the same playbook again. The same playbook keeps working because the attack surface, human trust, has not been hardened the way smart contracts have been.

That repetition is the most important thing to understand about the Lazarus problem. Smart contract auditing has become a routine discipline in DeFi. Every serious protocol gets audited, often by multiple firms. Bug bounty programs are widespread. None of that catches a six-month social engineering operation targeting the human signers. The asymmetry between the maturity of code security and the maturity of operational security is the gap Lazarus has spent five years industrializing inside.

The 2026 evolution adds two new wrinkles. One is the use of AI-augmented coding tools as an attack vector. VSCode and Cursor have made it dramatically easier for developers to open and run code from external sources. That convenience also expanded the attack surface. The Drift attack exploited a specific vulnerability where opening a repository in a development environment could trigger silent code execution. This was not a flaw unique to Drift. It was a class of vulnerability sitting under every developer in the industry who uses these tools, which is most of them. The second wrinkle is AI itself. Cybersecurity researchers testifying before US House subcommittees this spring have noted DPRK operatives are now using AI tools to generate more convincing fake personas, draft more plausible communications, and speed up the early-stage reconnaissance of targets. The same productivity tools transforming legitimate businesses are transforming the attackers, too.

What North Korea actually does with the money

It is worth being precise about where the stolen funds end up, because this is where the crypto industry’s discomfort with the story becomes most acute.

The United Nations Panel of Experts on North Korea has estimated that cryptocurrency theft funds a material portion of the DPRK’s missile and nuclear weapons development budget. That estimate is now reflected in formal US Treasury and South Korean intelligence assessments. North Korea’s cumulative crypto theft, at over $6 billion since 2017, makes the activity one of the regime’s largest sources of foreign currency, alongside coal exports to China and the dispatch of overseas IT workers.

The mechanics of getting from “stolen ETH” to “weapons procurement” are well-documented. After the initial theft, funds are typically swapped into Bitcoin or stablecoins, then routed through cross-chain bridges to obscure the trail. THORChain, the cross-chain swap protocol, has become a favored route precisely because its operators have publicly refused to consider freezing or screening transactions, treating any such intervention as counter to the protocol’s decentralization principles. THORChain processed the majority of laundering volume from both the Bybit and KelpDAO heists. From there, funds move through Russian crypto exchanges and Chinese over-the-counter desks before being converted to fiat and channeled into procurement networks that buy components and materials sanctioned by international agreement.

The crypto industry’s role in this pipeline is uncomfortable but unavoidable. Every protocol exploit by Lazarus is, in effect, a transfer of capital from crypto users to weapons development by a state that has threatened nuclear strikes against its neighbors. Every undefended multisig is a contribution to that pipeline. Every developer who clicks a “portfolio company interview” calendar invite without verification becomes, in a real sense, a line item in the DPRK’s missile budget.

This is a hard truth for an industry built on permissionless access and decentralization. The instinct in crypto, going back to its origins, has been to treat code as the locus of trust, and to be suspicious of intermediary screening, address blocklists, and centralized intervention. That instinct served the industry well in many contexts. It serves it poorly here. THORChain’s refusal to screen transactions is consistent with its stated principles, and it is also why North Korea uses THORChain. Both things are true.

The systemic risk that almost happened

The KelpDAO attack on April 18 is structurally distinct from Drift in one important respect: it produced something the crypto industry has talked about for years but never actually witnessed at scale. A DeFi bank run.

Within hours of the KelpDAO bridge being drained, the stolen rsETH (KelpDAO’s restaking receipt token) was deposited as collateral on Aave and other lending platforms, while the underlying KelpDAO contracts were paused and the token’s true value collapsed. Aave users who had lent ETH against rsETH collateral suddenly found their loans backed by worthless assets. Within 48 hours, more than $8.4 billion in deposits left Aave. Total DeFi TVL across the ecosystem dropped by over $13 billion in the same window, as users withdrew first and asked questions later.

This was not a panic. It was a classic, textbook bank run, the kind banking regulators design deposit insurance and lender-of-last-resort facilities specifically to prevent in traditional finance. DeFi has neither. The fact Aave’s smart contracts kept functioning, that withdrawals kept clearing, and that the system held together is genuinely remarkable, and is largely a credit to the protocol’s design. But the outcome was much closer to a cascading liquidation event than most coverage acknowledged.

The implication is structural. As DeFi has matured, it has built composability, the property that any token can serve as collateral for any other product. That composability is what makes DeFi useful, and it is also what makes a single compromised asset capable of propagating losses across multiple protocols within hours. Aave’s safety module was insufficient to absorb the eventual bad debt from rsETH-backed loans. Estimates suggest $100 to $120 million in losses remained after the insurance fund was depleted, and Aave’s governance is now openly debating who pays for what is left. The proposal under consideration would split losses evenly among lenders who held the affected positions.

This is, in plain language, a depositor-bail-in event for one of the largest lending protocols in DeFi. It is a kind of risk that did not meaningfully exist in the pre-composability version of crypto. It exists now, and Lazarus has just demonstrated how to trigger it.

What actually has to change

A piece that only described the problem would be a downer. The harder question is what would actually have to change for the Lazarus problem to become tractable.

Three things, in order of how difficult they are to implement.

The first is operational security culture inside DeFi protocols. The attack surface Lazarus exploits is not technical. It is human. That means the defenses have to be human too: training contributors to recognize social engineering, hardening hiring and onboarding processes against fake-identity infiltration, requiring multiple-channel verification before signing material transactions, and treating “this seems too good to be true” as the security signal it actually is. Some of this is happening, but it is happening project by project, with no consistent industry standard. The DeFi industry’s auditing infrastructure took five years to professionalize. The operational security equivalent is at year one.

The second is the architectural design of governance and multisig systems. Many of the attacks Lazarus has succeeded with depend on a specific vulnerability pattern: a multisig with relatively few signers, a timelock that is either short or absent, and no automated controls that would flag unusual transactions before they execute. The architectural fix is not exotic. Longer timelocks. More signers. Independent monitoring of pending transactions. Hardware-enforced separation between signing keys and developer machines. Protocols that have put these measures in place have generally not been the ones drained. Protocols that have not, have been.
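To make the architectural fix concrete, here is an added example (not code from Drift, Safe, or any protocol named in the article) of the pre-execution policy check that such a governance design implies: a signer threshold counted on distinct signers, a mandatory timelock, and content-based monitoring that flags the kinds of pending instructions the article describes (a withdrawal-limit jump, an unknown collateral listing, an admin transfer) regardless of who signed them. The policy values, the `PendingTx`/`review_queue` names, and the sample queue are all constructed for illustration.

```python
"""
Policy gate for a multisig-governed treasury: a pending governance transaction
may execute only if it clears a signer threshold, has aged through a timelock,
and raises no content-based anomaly flag. Illustrative code; every constant
and sample below is an assumption, not a real protocol's configuration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Policy knobs (assumed values for this example)
SIGNER_THRESHOLD = 4                 # distinct approvals required
MIN_TIMELOCK_SECONDS = 48 * 3600     # minimum time a tx must sit in the public queue
MAX_LIMIT_INCREASE_FACTOR = 2.0      # a >2x jump in a withdrawal limit is suspicious
KNOWN_COLLATERAL = {"USDC", "SOL", "JLP", "wETH"}   # constructed allow-list


@dataclass
class PendingTx:
    tx_id: str
    action: str            # "set_withdrawal_limit" | "list_collateral" | "set_admin" | ...
    params: dict
    queued_at: int         # unix seconds when the tx became visible in the queue
    signers: List[str] = field(default_factory=list)


@dataclass
class Verdict:
    tx_id: str
    executable: bool
    reasons: List[str]


def review_tx(tx: PendingTx, now: int, current_limits: Dict[str, int]) -> Verdict:
    """Return whether one pending tx may execute, with the reasons if it may not."""
    reasons: List[str] = []

    # 1. Threshold on distinct signers: a replayed signature is not a second approval.
    distinct = set(tx.signers)
    if len(distinct) < SIGNER_THRESHOLD:
        reasons.append(f"only {len(distinct)} of {SIGNER_THRESHOLD} required signers")

    # 2. Timelock: the tx must have been publicly queued for the full delay.
    age = now - tx.queued_at
    if age < MIN_TIMELOCK_SECONDS:
        reasons.append(f"timelock not elapsed ({age}s of {MIN_TIMELOCK_SECONDS}s)")

    # 3. Content checks, independent of who signed.
    if tx.action == "set_withdrawal_limit":
        asset, new_limit = tx.params["asset"], tx.params["limit"]
        old_limit = current_limits.get(asset, 0)
        if old_limit and new_limit > old_limit * MAX_LIMIT_INCREASE_FACTOR:
            reasons.append(f"withdrawal limit for {asset} jumps {new_limit / old_limit:.0f}x")
    elif tx.action == "list_collateral":
        if tx.params["asset"] not in KNOWN_COLLATERAL:
            reasons.append(f"unknown collateral asset {tx.params['asset']}")
    elif tx.action == "set_admin":
        reasons.append("admin transfer always requires out-of-band review")

    return Verdict(tx.tx_id, executable=not reasons, reasons=reasons)


# Constructed sample state: a clock, current limits, and four queued transactions.
NOW = 1_700_000_000
CURRENT_LIMITS = {"USDC": 50_000_000, "JLP": 40_000_000}
SAMPLE_QUEUE = [
    # Rushed, under-signed, astronomically large limit change: should be blocked on all three counts.
    PendingTx("tx-usdc-limit", "set_withdrawal_limit",
              {"asset": "USDC", "limit": 500_000_000_000_000},
              queued_at=NOW - 600, signers=["council-1", "council-3"]),
    # Routine 1.5x adjustment, fully signed, aged three days: should pass.
    PendingTx("tx-jlp-limit", "set_withdrawal_limit",
              {"asset": "JLP", "limit": 60_000_000},
              queued_at=NOW - 3 * 86400,
              signers=["council-1", "council-2", "council-4", "council-5"]),
    # Fully signed and aged, but lists a token nobody has vetted: flagged.
    PendingTx("tx-list-cvt", "list_collateral", {"asset": "CVT"},
              queued_at=NOW - 3 * 86400,
              signers=["council-1", "council-2", "council-4", "council-5"]),
    # Admin transfer: never auto-executes.
    PendingTx("tx-admin", "set_admin", {"new_admin": "7xK...placeholder"},
              queued_at=NOW - 3 * 86400,
              signers=["council-1", "council-2", "council-3", "council-4"]),
]


def review_queue(queue=SAMPLE_QUEUE, now=NOW, limits=CURRENT_LIMITS) -> Dict[str, Verdict]:
    """Review every pending tx and index the verdicts by tx id."""
    return {tx.tx_id: review_tx(tx, now, limits) for tx in queue}


if __name__ == "__main__":
    for v in review_queue().values():
        status = "EXECUTABLE" if v.executable else "BLOCKED"
        print(f"{v.tx_id}: {status}" + ("" if v.executable else " -> " + "; ".join(v.reasons)))
```

The point of the design is that the three controls fail independently: even when an attacker holds enough compromised signers to meet the threshold, the timelock forces the transaction into public view for two days, and the content checks flag a limit jump or an unknown collateral asset without relying on any signer noticing.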

The third is the infrastructure layer. THORChain’s refusal to screen transactions is an architectural choice, and one with a real principled defense behind it. But that choice has, by 2026, become a load-bearing pillar of the laundering pipeline used by the world’s most prolific state-sponsored crypto thief. At some point, the question of how to handle infrastructure-level neutrality versus systemic complicity will have to be confronted, and it will not be resolved entirely within crypto. It will involve sanctions enforcement, exchange compliance, and international coordination. Some of that is already happening. TRM Labs’ Beacon Network, which alerts member exchanges and protocols when known-bad addresses receive funds, expanded significantly in 2025 and 2026. The pace of those institutional responses, however, lags the pace of the attacks they are trying to catch.

What this means for the industry

The hardest thing about the Lazarus story is that it forces the crypto industry to confront a truth that does not fit cleanly into its self-conception.

For most of its history, crypto has framed itself as a struggle between innovators and outdated regulators, between permissionless systems and gatekeepers, between code and human discretion. In that framing, the threats to the industry came from external pressure: governments trying to restrict it, banks trying to compete with it, journalists writing it off. The Lazarus reality is different. The threat is not external pressure. The threat is a hostile state-sponsored adversary that has industrialized the exploitation of crypto’s specific structural features, the lack of intermediary screening, the prevalence of multisig governance, the speed of cross-chain settlement, the difficulty of recovering laundered funds, against the industry itself.

This adversary does not care about the ideological commitments crypto makes to itself. It cares about extracting value, and the design choices that make crypto useful are the same design choices that make it efficient to steal from. The industry has spent years debating whether it should be more or less like the legacy financial system. The Lazarus problem suggests the more interesting question may be how to build a defensible version of the system crypto has actually become: composable, fast, cross-chain, and now, demonstrably, a target.

The numbers from April 2026 will not be the worst the industry sees. That is not pessimism. It is the trend line. The same Lazarus operations that ran six months of preparation for Drift have almost certainly been running other operations in parallel against other protocols. Some of those will succeed. The question is whether, by the time the next $300 million theft happens, the industry has done the work to make the operation cost more than the payoff, or whether April 2026 is a preview of what happens when state-sponsored adversaries find a target environment that is permanently mispriced.

For now, the answer is unclear. What is clear is that the conversation has moved past “DeFi has a security problem” to something more specific and much harder. A nation-state intelligence service has identified an asymmetric attack surface and has been exploiting it, with growing sophistication, for half a decade. The industry’s defenses have not yet caught up to the reality that this is what it is up against.

That gap is the story. The next year of crypto security will be about whether the industry closes it, or whether the gap closes the industry instead.

This article is for informational purposes and does not constitute security or investment advice. Security incidents, attribution, and recovery efforts evolve quickly; the figures and operational details described reflect reporting available as of mid-May 2026. Always do your own research and consult qualified security professionals.




