North Korean Hackers: DRIFT and KelpDAO Heist

North Korea-linked hackers delivered the biggest blow to the crypto sector in the first four months of 2026, taking $577 million, which accounts for 76% of global hack losses in the same period. According to a report by blockchain analysis firm TRM Labs, the damage is concentrated in two attacks in April: $285 million from the DRIFT protocol and $292 million from KelpDAO. Although these incidents make up only 3% of the year's total hack cases, they stand out for their volume. The attackers quickly bridged the funds to Ethereum and largely left them inactive.

Technical Details of the DRIFT Hack and Social Engineering

The DRIFT attack was carried out by a North Korean subunit separate from Lazarus-linked groups including TraderTraitor. According to TRM Labs, the attackers built trust by interacting face-to-face with Drift employees for months. From mid-March, they prepared Solana-based persistent (durable) nonce accounts. Immediately after the protocol's Security Council switched to a new 2/5 threshold system on April 1, they drained the vaults in 12 minutes using 31 pre-signed transactions. This is a rare case exploiting Solana's high-speed transactions; nonce manipulation bypassed multisig controls.
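How a defender could triage for the pattern described above, as an added example that is not from TRM Labs, Drift or the original article: a durable-nonce transaction carries the System Program's AdvanceNonceAccount instruction first, so transactions that touch a watched vault and use a nonce account created long before execution can be flagged. The input shape is assumed to match Solana RPC getTransaction output with jsonParsed encoding; all account names, signatures and the one-day age threshold are constructed placeholders.

```python
# Added example: triage Solana transactions for long-lived pre-signed transfers.
# Input shape is assumed to follow getTransaction with "jsonParsed" encoding.
SYSTEM_PROGRAM = "1" * 32  # System Program id (32 '1' characters)

def nonce_info(tx):
    """Return advanceNonce info if tx is a durable-nonce transaction, else None.

    Such a transaction carries AdvanceNonceAccount as its first instruction,
    which is why it stays valid long after it was signed.
    """
    ixs = tx["transaction"]["message"]["instructions"]
    parsed = ixs[0].get("parsed") if ixs else None
    if (isinstance(parsed, dict) and ixs[0].get("programId") == SYSTEM_PROGRAM
            and parsed.get("type") == "advanceNonce"):
        return parsed["info"]
    return None

def flag_presigned(txs, watched, nonce_created, min_age_s=86400):
    """Alert on durable-nonce txs touching watched accounts with an old nonce.

    nonce_created maps nonce account -> creation time (unix seconds), taken
    from your own indexer; an unknown creation time is alerted, not skipped.
    """
    alerts = []
    for tx in txs:
        info = nonce_info(tx)
        keys = {k["pubkey"] for k in tx["transaction"]["message"]["accountKeys"]}
        if info is None or not (keys & watched):
            continue
        created = nonce_created.get(info["nonceAccount"])
        age = None if created is None else tx["blockTime"] - created
        if age is None or age >= min_age_s:
            alerts.append((tx["transaction"]["signatures"][0], info["nonceAccount"], age))
    return alerts

def sample_tx(sig, when, keys, first):  # builds constructed sample data only
    msg = {"accountKeys": [{"pubkey": k} for k in keys], "instructions": [first]}
    return {"blockTime": when, "transaction": {"signatures": [sig], "message": msg}}

ADVANCE = {"programId": SYSTEM_PROGRAM, "parsed": {"type": "advanceNonce",
           "info": {"nonceAccount": "NONCE_A", "nonceAuthority": "AUTH_A"}}}
TRANSFER = {"programId": SYSTEM_PROGRAM, "parsed": {"type": "transfer", "info": {}}}
SAMPLE = [  # constructed placeholders, not addresses from the incident
    sample_tx("sig1", 1_000_000, ["AUTH_A", "NONCE_A", "VAULT"], ADVANCE),  # old nonce
    sample_tx("sig2", 1_000_060, ["USER", "VAULT"], TRANSFER),              # ordinary tx
    sample_tx("sig3", 1_000_120, ["AUTH_A", "NONCE_A", "OTHER"], ADVANCE),  # not watched
]
ALERTS = flag_presigned(SAMPLE, {"VAULT"}, {"NONCE_A": 1_000_000 - 14 * 86400})
```

Feeding the alerts into a rate check (many flagged transactions within minutes of a signer-threshold change) is the natural next step for the 12-minute drain the report describes.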

KelpDAO Attack: LayerZero and THORChain Exploitation

In the KelpDAO attack, they exploited the LayerZero bridge's single-validator structure by hacking the RPC infrastructure and disrupting cross-chain checks. Funds were converted to Bitcoin via THORChain (RUNE) and, after freezes on Arbitrum (ARB), transferred to Chinese intermediaries. RUNE futures played a critical role in these flows, exposing weaknesses in THORChain's liquidity pools.

Why Did DRIFT Price Drop? Current Technical Analysis

The DRIFT token was delisted after the hack: it was removed from the Upbit and Bithumb exchanges (May 2, 2026 news). Price: $0.04; 24h change: -6.19%; RSI: 47.16 (neutral); trend: downtrend. Supertrend is bearish; EMA20: $0.0389.

Supports       Level      Score        Distance
S1             $0.0389    54/100       -0.59%
S2             $0.0329    54/100       -15.92%

Resistances    Level      Score        Distance
R1             $0.0407    70/100 ⭐    +4.01%
R2             $0.0883    66/100 ⭐    +125.66%

The Solana ecosystem is under pressure; Meta's launch of Solana-Polygon stablecoin payments with Stripe (May 2 news) is expected to add positive sentiment, but the short-term outlook for DRIFT is bearish.

North Korea's Rising Share and Cumulative Losses

North Korea's share of global crypto theft was below 10% in 2020-2021 and reached 64% by the end of 2025; cumulative losses run into the billions of dollars. TRM Labs emphasizes that operations focusing on bridges, multisig, and cross-chain infrastructure are gaining momentum. Solana governance paths and THORChain flows are under monitoring.

Risks and Defense Recommendations for DRIFT Investors

The SOL ecosystem is affected. Investors should increase multisig audits and receive training against social engineering. The sector is developing AI-based anomaly detection and on-chain insurance layers. In the short term, monitor the DRIFT R1 ($0.0407) resistance.

Crypto Research Analyst: Michael Roberts

Blockchain technology and DeFi focused

This analysis is not investment advice. Do your own research.

AI-generated, AI-reviewed, under COINOTAG editorial oversight.
