North Korea has been linked to heists worth $578 million in April after the Kelp DAO exploit.
Kelp DAO suffered a $292 million hack on Saturday. Hackers linked to North Korea are said to be behind the attack.
Kelp DAO said on Monday that the exploit followed an infrastructure failure at the cross-chain messaging protocol LayerZero. The breach was enabled by Kelp DAO's single-validator configuration for validating cross-chain messages.
Early indicators from LayerZero attribute the exploit to TraderTraitor, a North Korean government-sponsored hacking unit known as the Lazarus Group.
Blockchain researcher Tanuki42 also found a link to TraderTraitor. Tanuki42 reported on Tuesday that funds stolen in the Kelp DAO incident were connected to previous exploits linked to the same group.
While North Korean cyber activity targeting decentralized finance platforms accelerated in April, the tactics also pose risks to companies and end users.
North Korea's crypto plans are back in focus.
The April Fools' Day exploit on decentralized exchange Drift totaled $285 million, bringing major crypto thefts suspected to be linked to North Korea to at least $578 million during the month.
The two attacks are the biggest crypto heists by North Korean actors since the Bybit hack.
Currently, the crypto industry has caught DPRK-linked operators seeking remote jobs at tech companies as IT developers. Security researchers and the United Nations have said that this method generates millions of dollars to support North Korea's weapons programs.

In March, the US Treasury Department imposed sanctions on six individuals and two entities allegedly involved in North Korean IT worker fraud. The FBI issued guidance in June, recommending that employers check candidates' professional backgrounds and seek in-person interviews.
However, the Drift exploit suggests that Pyongyang's cyber operators are adapting. The DeFi platform said its contributors were approached in person at a major crypto conference in November by individuals posing as quant trading firms. The attackers communicated and built trust before the breach.
Smaller attacks continued in parallel. According to crypto wallet provider Zerion, DPRK-linked actors used AI-assisted social engineering to steal nearly $100,000 in a separate incident.
North Korea rarely responds to such accusations, although its foreign ministry issued a statement in May 2020 denying involvement in cyberattacks and accusing the United States of trying to tarnish its reputation.
Retail crypto scams are on the rise as DPRK tactics tighten.
The Federal Bureau of Investigation's (FBI) Internet Crime Complaint Center (IC3) reported a 21 percent increase in crypto-related crime complaints in 2025. The FBI launched IC3 in 2000 as a portal for victims in the US to report online fraud.
Cryptocurrency cases were linked to 181,565 complaints in 2025, resulting in $11.37 billion in losses, more than half of the total.

Americans age 60 and older reported the highest number of crypto-related complaints. Investment fraud was the largest category, generating 61,559 complaints, including 13,685 from people aged 60 and above.
That's not to say the retail sector hasn't been affected by suspected North Korean operations. An investigation published last November found that DPRK-linked operators also employ individuals to support remote IT staffing schemes.
In 2025, Heiner Garcia, a cyber threat intelligence expert at Telefonica, met with a North Korean suspect.
Garcia previously told Cointelegraph that the person tried to use him as a proxy to bypass the VPN restrictions of free platforms. The tactic involves installing remote access software such as AnyDesk and using the victim's device with local authority.
In August 2024, the US Department of Justice arrested Matthew Isaac Knoot for running a “laptop farm” that allowed DPRK IT workers to pose as US-based employees using stolen identities. In July 2025, Christina Chapman was sentenced to more than eight years in prison for her role in allowing North Korean IT workers to earn more than $17 million.
The business behind freezing money stolen by suspected DPRK actors
Unique to the Kelp DAO hack was the Arbitrum Security Council's decision to block the 30,766 ETH associated with the exploit.
Crypto's ethos is decentralized, but responses to major hacks continue to divide the industry. Some projects lean toward minimal intervention, leaving little consensus on when intervention is appropriate, even as security experts call for action.

Ledger CTO Charles Guillemet said on Tuesday that the result was “probably” good, but not comfortable. Freezing the money can prevent further losses. The discomfort comes from the fact that the action is obvious.
The Arbitrum Security Council did not exploit a bug or find a backdoor. It used its governance powers to intervene. That authority exists by design and sits in tension with the idea of independent infrastructure. In practice, assets in today's portfolios can still be affected by governance decisions in some cases.
Guillemet's concern relates to the attack surface. The Kelp DAO exploit did not depend on a novel smart contract bug. It exposed weaknesses in infrastructure and configuration, showing how attacks can go beyond code and into the systems that support it.
At the same time, North Korean-linked groups have turned into persistent, well-resourced adversaries probing those systems on multiple fronts.
This leaves the industry torn between accepting intervention or accepting irreversible losses.