BroadChain reported at 10:16 on April 23 that a hacker group linked to North Korea stole over $500 million from DeFi platforms in less than three weeks. The attack methods have shifted from targeting core smart contracts to exploiting weaknesses at the edges of a protocol's infrastructure. In April alone, Drift Protocol and KelpDAO suffered attacks of approximately $286 million and $290 million respectively, with the latter becoming the largest single crypto theft so far in 2026.
Blockchain intelligence firm Elliptic pointed out that this is already the 18th such incident it has tracked this year. The shift in strategy shows up as precise strikes on peripheral components rather than on the protocol core. In the KelpDAO incident, the hackers did not attack the protocol's contracts directly. Instead, they compromised downstream RPC infrastructure that the LayerZero decentralized verification network relied on to read chain state, and used that foothold to manipulate the protocol's operation: a verifier that trusts a single RPC source attests whatever that source tells it.
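The following is an added illustration, not code from LayerZero, KelpDAO, or any of the firms cited on this page, and it does not reproduce the actual exploit. It models the general failure mode described above: a cross-chain verifier that reads source-chain receipts from one RPC endpoint is only as trustworthy as that endpoint, while a verifier that requires a quorum of operationally independent endpoints to agree can outvote a single compromised one. All names (`Observation`, `PROVIDER_A`, `quorum_verify`, the message id `m1`, the hashes) and the chain state are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Observation:
    """What the verifier extracts from a source-chain receipt before attesting.
    Constructed stand-in: real verifiers compare far more fields than this."""
    block_hash: str
    payload_hash: str


# An RPC endpoint is modelled as a function: message id -> observation (or None).
Endpoint = Callable[[str], Optional[Observation]]

# Constructed source-chain state: one cross-chain message, m1.
HONEST_OBS = Observation(block_hash="0xaaa1", payload_hash="0x1111")
CHAIN_STATE: Dict[str, Observation] = {"m1": HONEST_OBS}

# What a compromised endpoint returns for m1: same block, different payload,
# so the destination chain would execute an attacker-chosen message.
FORGED_OBS = Observation(block_hash="0xaaa1", payload_hash="0xdead")


def honest_endpoint(state: Dict[str, Observation]) -> Endpoint:
    return lambda msg_id: state.get(msg_id)


def compromised_endpoint(forged: Dict[str, Observation], fallback: Endpoint) -> Endpoint:
    """Lies only about targeted messages and answers everything else truthfully,
    which is why a compromised RPC can go unnoticed for a long time."""
    return lambda msg_id: forged.get(msg_id, fallback(msg_id))


# Hypothetical providers: A and B honest, C compromised for message m1.
PROVIDER_A = honest_endpoint(CHAIN_STATE)
PROVIDER_B = honest_endpoint(CHAIN_STATE)
PROVIDER_C = compromised_endpoint({"m1": FORGED_OBS}, honest_endpoint(CHAIN_STATE))


def naive_verify(endpoint: Endpoint, msg_id: str) -> Optional[Observation]:
    """Single-source verifier: attests whatever its one RPC says.
    The RPC is the single point of failure."""
    return endpoint(msg_id)


def quorum_verify(endpoints: List[Endpoint], msg_id: str,
                  threshold: int) -> Tuple[Optional[Observation], Counter]:
    """Attests only when at least `threshold` endpoints return the identical
    observation. Returns (attested observation or None, vote tally)."""
    if not 1 <= threshold <= len(endpoints):
        raise ValueError("threshold must be between 1 and the number of endpoints")
    votes: Counter = Counter(ep(msg_id) for ep in endpoints)
    winner, count = votes.most_common(1)[0]
    if winner is not None and count >= threshold:
        return winner, votes
    return None, votes


def demo() -> Dict[str, Optional[Observation]]:
    independent = [PROVIDER_A, PROVIDER_B, PROVIDER_C]
    # Three connections to the same compromised provider give no independence:
    # the quorum is satisfied by the forged answer.
    same_provider = [PROVIDER_C, PROVIDER_C, PROVIDER_C]
    return {
        "naive_on_compromised": naive_verify(PROVIDER_C, "m1"),
        "quorum_independent": quorum_verify(independent, "m1", 2)[0],
        "quorum_same_provider": quorum_verify(same_provider, "m1", 2)[0],
        "quorum_unknown_msg": quorum_verify(independent, "m9", 2)[0],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The quorum only helps when the endpoints fail independently: several URLs that resolve to the same provider, the same cloud account, or the same operator's credentials collapse back to a single point of failure, and the threshold must exceed the number of endpoints an attacker could plausibly control at once.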
Security company Cyvers observed that attackers are investing more resources in finding the weakest link in a protocol's dependency chain. This targeting of third-party components closely resembles traditional cyber espionage tradecraft, which makes prevention significantly harder. Beyond technical infiltration, North Korea is also systematically placing personnel inside the global cryptocurrency industry.
According to a six-month investigation by the Ketman Project, a security initiative under the Ethereum Foundation, approximately 100 North Korean cyber operatives have infiltrated several blockchain companies. They use forged identities to obtain sensitive permissions, lurk for extended periods, and then launch precise attacks. Independent investigator ZachXBT also confirmed that a North Korean network, using fraudulent identities for remote employment, has processed over $3.5 million in illicit funds since late 2025.
According to Chainalysis data, North Korean hackers stole a record $2 billion in 2025, accounting for 60% of global cryptocurrency theft that year. Their historical total theft has reached $6.75 billion. After obtaining the funds, they exhibit a highly specific money laundering pattern, heavily relying on escrow services in Chinese-speaking regions, over-the-counter brokerage networks, and complex cross-chain mixing services.
Industry experts point out that the key to preventing such attacks lies in addressing fundamental security discipline. Terence Kwok, founder of Humanity, stated that losses are still largely attributable to old problems such as access control and single points of failure. The first line of defense is to make asset transfers substantially harder to carry out, with stricter controls on private keys, internal permissions, and the permissions granted to third parties.
The second line of defense is speed: exchanges, stablecoin issuers, blockchain analytics companies, and law enforcement agencies need to coordinate within the first minutes to hours after an attack, since that window determines whether stolen funds can still be intercepted.
