Wasteland.
▣ Breach NORTH-KOREA-CRYPTO 2026-05-31

Drift Protocol and KelpDAO: Lazarus Group Crypto Heist

North Korea's Lazarus Group drained $577 million from two cryptocurrency platforms in April 2026, accounting for 76% of all crypto theft recorded year-to-date. The twin operations against Drift Protocol and KelpDAO were not smart contract exploits but multi-month human intelligence operations, signaling a decisive shift in how state-sponsored actors target the DeFi sector.

What Happened

At 16:06:09 UTC on April 1, 2026, an attacker drained the major vaults of Drift Protocol, the largest decentralized perpetual futures exchange on Solana, of approximately $285 million in roughly twelve minutes. The intrusion was the culmination of a six-month social engineering campaign in which Lazarus operators posed as a legitimate trading firm, attended crypto conferences in person, and cultivated genuine professional relationships with Drift engineers. Those relationships were ultimately leveraged to compromise developer devices and extract the multisig approvals required to authorize the drain.

A second operation in the same month targeted KelpDAO, where attackers compromised a single vulnerable bridge node and extracted $292 million. The KelpDAO incident escalated rapidly into a systemic DeFi event when rsETH collateral, distributed through Aave, triggered bank-run conditions across connected lending markets.

What Was Taken

The combined losses totaled $577 million in user and protocol funds: approximately $285 million drained from Drift Protocol's vaults and $292 million extracted from KelpDAO.

Beyond direct theft, the attackers obtained signing credentials, internal trust relationships, and operational reconnaissance data that may enable future intrusions against linked counterparties.

Why It Matters

This is no longer a conventional crypto security incident. It is a sustained state-sponsored intelligence operation whose proceeds are widely assessed to fund the DPRK's weapons program, including its sanctioned ballistic and nuclear initiatives. Two implications stand out for defenders:

  1. DeFi security has moved beyond smart contract auditing. The attack surface now includes human relationships, physical conference attendance, multisig governance workflows, and bridge infrastructure.
  2. The blast radius of a single compromise is no longer confined to the breached protocol. Tokenized collateral routed through lending markets like Aave can transmit insolvency risk system-wide within hours.

The Attack Technique

The Drift operation followed a tradecraft pattern consistent with prior Lazarus campaigns but with extended dwell time and stronger operational security: a fake trading-firm persona sustained for roughly six months, in-person relationship building with Drift engineers at conferences, compromise of those engineers' devices, and extraction of the multisig approvals needed to authorize the drain.

The KelpDAO breach pivoted on bridge-layer weakness. A single node holding outsized authority over cross-chain transfers was sufficient to authorize the $292 million extraction, exposing the persistent fragility of bridge architectures.

What Organizations Should Do

  1. Treat all unsolicited business development outreach, including in-person conference contacts, as a potential targeting vector. Verify counterparty identity through independent channels before any technical or commercial engagement.
  2. Enforce hardware-isolated signing for any wallet, multisig, or bridge operator with material funds authority. Never sign from a workstation used for general communications.
  3. Reduce single-node authority on cross-chain bridges. Require quorum-based approvals with geographic and operational separation between signers.
  4. Establish out-of-band, time-delayed transfer policies for large outbound transactions, with automatic circuit breakers that pause withdrawals above defined thresholds.
  5. Monitor for indicators of DPRK-aligned tradecraft, including fake recruiter and trading-firm personas, malicious npm and PyPI packages, and trojanized job interview tooling.
  6. Map systemic exposure to tokenized collateral. Document where your protocol's assets are rehypothecated and pre-coordinate response procedures with downstream lending venues.
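As an added illustration (not code from the original brief, and not software belonging to Drift Protocol, KelpDAO, or any bridge), the following Python policy engine shows how recommendations 3 and 4 above, and the single-node bridge weakness described earlier, can be enforced in one place: a signing quorum that must span more than one region and more than one operating unit, a time-lock on transfers above a threshold, and a rolling-window cap that pauses all withdrawals once it is exceeded. Every signer name, region, threshold and transfer amount is a constructed value chosen for the walk-through.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Signer:
    signer_id: str
    region: str     # geographic separation (constructed labels)
    org_unit: str   # operational separation: custody provider vs. core team


@dataclass
class TransferRequest:
    amount_usd: float
    destination: str
    submitted_at: datetime
    approvals: set[str] = field(default_factory=set)  # signer_ids that signed


class WithdrawalPolicy:
    """Quorum with signer separation, threshold time-lock, rolling-window breaker."""

    def __init__(self, signers, quorum, min_regions, min_org_units,
                 delay_threshold_usd, delay, window_cap_usd, window):
        self.signers = {s.signer_id: s for s in signers}
        self.quorum = quorum
        self.min_regions = min_regions
        self.min_org_units = min_org_units
        self.delay_threshold_usd = delay_threshold_usd
        self.delay = delay
        self.window_cap_usd = window_cap_usd
        self.window = window
        self.executed = []      # ledger of (executed_at, amount_usd)
        self.paused = False     # set once the circuit breaker trips

    def approve(self, req, signer_id):
        if signer_id not in self.signers:
            raise ValueError(f"unknown signer {signer_id}")
        req.approvals.add(signer_id)

    def check(self, req, now):
        """Return (allowed, reason). Trips the breaker if the window cap is hit."""
        if self.paused:
            return False, "paused: circuit breaker tripped"
        if len(req.approvals) < self.quorum:
            return False, f"quorum not met ({len(req.approvals)}/{self.quorum})"
        regions = {self.signers[s].region for s in req.approvals}
        units = {self.signers[s].org_unit for s in req.approvals}
        if len(regions) < self.min_regions:
            return False, "approvals lack geographic separation"
        if len(units) < self.min_org_units:
            return False, "approvals lack operational separation"
        if req.amount_usd >= self.delay_threshold_usd:
            ready_at = req.submitted_at + self.delay
            if now < ready_at:
                return False, f"time-lock: executable at {ready_at.isoformat()}"
        recent = sum(a for t, a in self.executed if now - t <= self.window)
        if recent + req.amount_usd > self.window_cap_usd:
            self.paused = True
            return False, "paused: rolling-window cap exceeded"
        return True, "ok"

    def execute(self, req, now):
        allowed, reason = self.check(req, now)
        if allowed:
            self.executed.append((now, req.amount_usd))
        return allowed, reason


def run_scenarios():
    """Constructed walk-through; returns {label: (allowed, reason)}."""
    t0 = datetime(2026, 4, 1, 16, 0, tzinfo=timezone.utc)
    policy = WithdrawalPolicy(
        signers=[Signer("a", "us-east", "custody-co"), Signer("b", "us-east", "custody-co"),
                 Signer("c", "eu-west", "core-team"), Signer("d", "ap-south", "core-team"),
                 Signer("e", "us-east", "custody-co")],
        quorum=3, min_regions=2, min_org_units=2,
        delay_threshold_usd=1_000_000, delay=timedelta(hours=24),
        window_cap_usd=5_000_000, window=timedelta(hours=1))
    out = {}
    r1 = TransferRequest(500_000, "vault-ops-1", t0)
    for s in ("a", "b"):
        policy.approve(r1, s)
    out["two_of_three"] = policy.check(r1, t0)          # quorum short by one
    policy.approve(r1, "c")
    out["small_ok"] = policy.execute(r1, t0)            # below delay threshold
    r2 = TransferRequest(750_000, "vault-ops-2", t0)
    for s in ("a", "b", "e"):
        policy.approve(r2, s)
    out["same_region"] = policy.check(r2, t0)           # 3 signers, 1 region, 1 unit
    r3 = TransferRequest(2_000_000, "treasury-1", t0)
    for s in ("a", "b", "c"):
        policy.approve(r3, s)
    out["locked"] = policy.check(r3, t0 + timedelta(hours=1))
    out["unlocked"] = policy.execute(r3, t0 + timedelta(hours=25))
    r4 = TransferRequest(4_000_000, "treasury-2", t0)
    for s in ("a", "b", "d"):
        policy.approve(r4, s)
    out["tripped"] = policy.execute(r4, t0 + timedelta(hours=25, minutes=5))
    r5 = TransferRequest(1_000, "vault-ops-3", t0)
    for s in ("a", "c", "d"):
        policy.approve(r5, s)
    out["after_trip"] = policy.execute(r5, t0 + timedelta(hours=26))
    return out


if __name__ == "__main__":
    for label, (ok, why) in run_scenarios().items():
        print(f"{label:14} {'ALLOW' if ok else 'DENY '} {why}")
```

The separation checks are what turn a 3-of-5 multisig into something a single compromised team cannot satisfy: three keys held by one custody provider in one region still fail, which is the property the brief's item 3 asks for on bridges. The breaker is deliberately sticky (`paused` stays set until an operator clears it out of band), so a drain that fits under the per-transfer time-lock but exceeds the rolling cap halts everything rather than letting the next request through.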

Sources: North Korea just stole $577mn from crypto with two attacks, here's how