North Korea Allegedly Linked to $577M in Drift, KelpDAO Attacks

By TrustsCrypto
1 day ago

North Korea has been allegedly linked to $577 million in cryptocurrency stolen across two separate attacks targeting Drift Protocol and KelpDAO, according to multiple security researchers and blockchain analytics firms. The combined losses represent one of the largest alleged state-sponsored crypto theft campaigns reported in 2026.

What the allegation says about the $577 million theft

The reported figure combines approximately $280 million lost in the Drift Protocol exploit and roughly $290 million drained from KelpDAO. Both incidents have been tied to North Korea's Lazarus Group by independent blockchain forensics teams.

TRM Labs reported that North Korea was responsible for 76% of all crypto hack value in 2026 through just two attacks. The attribution remains alleged rather than confirmed by any government authority, and readers should treat the North Korea connection with appropriate caution.

Elliptic described the Drift Protocol incident as a suspected DPRK-linked attack involving approximately $286 million. The language from multiple analytics firms consistently uses terms like "suspected" and "tied to" rather than definitive attribution.

How the two protocols were targeted

Drift Protocol, a decentralized perpetual futures exchange on Solana, reportedly lost funds after attackers seized security council powers within the protocol's governance structure. The exploit highlights a growing concern around governance-layer vulnerabilities in DeFi, a risk category that has also drawn attention in cases involving exchange-level security failures and frozen user assets.

KelpDAO, a liquid restaking protocol, suffered a separate $290 million exploit. LayerZero attributed that attack to the Lazarus Group, according to reporting from BleepingComputer. The incident was independently corroborated by CastleCrypto.

Both protocols operate in high-value DeFi sectors, with Drift handling leveraged trading volume and KelpDAO managing restaked assets. The scale of losses in both cases underscores the risk concentration in protocols that custody or control large pools of user capital.

Why alleged state-linked attribution raises the stakes

If the North Korea connection is accurate, the stolen funds would likely fall under existing sanctions regimes. Exchanges and DeFi front-ends that process tokens traceable to these exploits could face compliance exposure, particularly under U.S. Treasury OFAC guidelines.

The Lazarus Group has been linked to multiple prior crypto thefts, including the 2022 Ronin Bridge exploit. A pattern of alleged state-sponsored attacks at nine-figure scale creates pressure on protocols to adopt more rigorous access controls and multisig governance standards. Incidents like these also raise questions about how platforms handle post-exploit asset recovery, similar to the challenges seen when exchanges adjust their listed assets in response to security concerns.

For users of both Drift Protocol and KelpDAO, the immediate concern is whether deposited funds are recoverable. Neither protocol has publicly confirmed full remediation details as of this writing.

What remains unconfirmed

Several critical details have not been independently confirmed. The exact attack vectors used in both exploits have not been fully disclosed by either protocol team.

No government agency has formally attributed either attack to North Korea or the Lazarus Group. The attribution currently rests on analysis from private blockchain forensics firms.

The status of any fund recovery efforts, user compensation plans, or law enforcement investigations has not been publicly disclosed. Whether any portion of the stolen assets has been frozen on centralized exchanges is also not yet known, a factor that could prove critical as major exchanges expand their product offerings and compliance infrastructure simultaneously.

FAQ: Drift Protocol, KelpDAO, and the $577 million claim

What does the $577 million figure refer to?

It represents the combined reported losses from two separate DeFi exploits: approximately $280-286 million from Drift Protocol and approximately $290 million from KelpDAO.

Why are Drift Protocol and KelpDAO mentioned together?

Both attacks have been linked by blockchain analytics firms to the same alleged perpetrator, North Korea's Lazarus Group. TRM Labs grouped them as accounting for the majority of crypto hack losses in 2026.

Has the North Korea link been confirmed?

No. The connection is based on analysis from private firms including TRM Labs, Elliptic, and LayerZero. No government entity has issued formal attribution as of this report.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making any investment decisions.
