Kelp DAO suffered a $292 million hack on Saturday, overtaking Drift as the largest crypto exploit of the year so far. North Korea-linked hackers are suspected to be behind the attack.
Kelp DAO said Monday that the exploit stemmed from a failure of cross-chain messaging protocol LayerZero’s infrastructure. LayerZero said the breach was enabled by Kelp DAO’s use of a single verifier configuration to approve cross-chain messages.
LayerZero said that “preliminary indicators” attributed the exploit to TraderTraitor, a subgroup of North Korea’s state-backed hacking unit known as Lazarus Group.
Blockchain investigator Tanuki42 also found ties to TraderTraitor. Tanuki42 said Tuesday that funds stolen in the Kelp DAO incident have been commingled with funds from previous exploits linked to the same group.
While North Korea’s cyber activity targeting decentralized finance platforms has accelerated in April, its tactics also pose a threat to companies and end users.

The April Fools’ Day exploit on decentralized exchange Drift totaled $285 million, bringing suspected North Korea-linked crypto theft to at least $578 million across major incidents throughout the month.
The two attacks are the largest crypto heists attributed to North Korean actors since the Bybit hack.
By now, the crypto industry has caught on that DPRK-linked operatives pose as IT developers to secure remote jobs at tech companies. Security researchers and the United Nations say that this tactic generates millions of dollars to support North Korea’s weapons programs.

In March, the US Treasury Department sanctioned six individuals and two entities for their alleged roles in North Korean IT worker fraud schemes. The FBI also issued guidance in June, recommending that employers verify candidates’ professional history and require in-person meetings.
However, the Drift exploit suggests Pyongyang’s cyber operatives are adapting. The DeFi platform said its contributors were approached in person by individuals posing as a quant trading firm at a major crypto conference in November. The attackers continued to communicate and build trust ahead of the breach.
Smaller-scale attacks have continued in parallel. Crypto wallet provider Zerion said DPRK-linked actors used AI-assisted social engineering to steal about $100,000 in a separate incident.
North Korea rarely responds to such accusations, though its foreign ministry issued a statement in May 2020 denying involvement in cyberattacks and accusing the United States of attempting to tarnish its image.
The Federal Bureau of Investigation (FBI) reported a 21% increase in crypto-related crime complaints in its 2025 Internet Crime Complaint Center (IC3) report. The FBI launched IC3 in 2000 as a portal for victims in the US to report online fraud.
Cryptocurrency cases were linked to 181,565 complaints in 2025, resulting in $11.37 billion in losses, more than half of the total.

Americans aged 60 and above filed the highest number of crypto-related complaints. Investment scams were the largest category, generating 61,559 complaints, including 13,685 from people 60 and older.
That doesn’t mean the retail sector is untouched by suspected North Korean operations. An investigation published last November found that DPRK-linked operatives also recruit individuals to support remote IT worker schemes.
Throughout 2025, Heiner García, a cyberthreat intelligence expert at Telefónica, came into contact with a suspected North Korean operative.
García previously told Cointelegraph that the individual attempted to use him as a proxy to bypass VPN restrictions set by freelancing platforms. The tactic involves using a victim’s device in a local jurisdiction by installing remote access software such as AnyDesk.
In August 2024, the US Department of Justice arrested Matthew Isaac Knoot for running a “laptop farm” that allowed DPRK IT workers to appear as US-based employees using stolen identities. In July 2025, Christina Chapman was sentenced to more than eight years in prison for her role in helping North Korean IT workers earn more than $17 million.
A unique element of the Kelp DAO hack was the Arbitrum Security Council’s decision to freeze 30,766 ETH linked to the exploit.
Crypto’s ethos is decentralization, yet responses to major hacks continue to divide the industry. Some projects lean toward minimal intervention, even as security experts call for action, leaving little consensus on when it is appropriate to step in.

Ledger CTO Charles Guillemet said on Tuesday that the outcome was “probably” good, but not a comfortable one. Freezing the funds likely prevented further losses. The discomfort comes from what the action makes explicit.
The Arbitrum Security Council did not exploit a bug or discover a backdoor. It exercised its intended authority to override the state. That authority exists by design and sits in tension with the idea of credibly neutral infrastructure. In practice, assets on today’s rollups can still be affected by governance decisions under certain conditions.
Guillemet ties that tradeoff to the threat environment. The Kelp DAO exploit did not rely on a novel smart contract bug. It exposed weaknesses in infrastructure and configuration, showing how attacks are moving beyond code into the systems that support it.
At the same time, North Korea-linked groups have evolved into well-resourced, persistent adversaries capable of probing those systems across multiple fronts.
That leaves the industry split between accepting intervention or accepting losses that cannot be undone.