North Korean Hackers: DRIFT and KelpDAO Heist
North Korea-linked hackers delivered the biggest blow to the crypto sector in the first four months of 2026, pocketing $577 million, which accounts for 76% of global hack losses in the same period. According to a report by blockchain analysis firm TRM Labs, the damage is concentrated in two attacks in April: $285 million stolen from the DRIFT protocol and $292 million from KelpDAO. Although these incidents make up only 3% of the year's total hack cases, they stand out for their volume. The attackers quickly bridged the funds to Ethereum and largely left them inactive.
Technical Details of the DRIFT Hack and Social Engineering
The DRIFT attack was carried out by a North Korean subunit separate from Lazarus-linked groups including TraderTraitor. According to TRM Labs, the attackers built trust by interacting face-to-face with Drift employees for months. From mid-March, they prepared Solana-based persistent nonce accounts. Immediately after the protocol's Security Council switched to a new 2/5 threshold system on April 1, they drained the vaults in 12 minutes using 31 pre-signed transactions. This is a rare case exploiting Solana's high-speed transactions; nonce manipulation bypassed multisig controls.
KelpDAO Attack: LayerZero and THORChain Exploitation
In the KelpDAO attack, they exploited the LayerZero bridge's single-validator structure by hacking the RPC infrastructure and disrupting cross-chain checks. Funds were converted to Bitcoin via THORChain (RUNE) and, after Arbitrum (ARB) freezes, transferred to Chinese intermediaries. RUNE futures played a critical role in these flows, exposing weaknesses in THORChain's liquidity pools.
Why Did DRIFT Price Drop? Current Technical Analysis
The DRIFT token was delisted after the hack: it was removed from the Upbit and Bithumb exchanges (May 2, 2026 news). Price: $0.04, 24h change: -6.19%, RSI: 47.16 (neutral), trend: downtrend. Supertrend bearish, EMA20: $0.0389.
| Supports | Level | Score | Distance |
|---|---|---|---|
| S1 | $0.0389 | 54/100 | -0.59% |
| S2 | $0.0329 | 54/100 | -15.92% |

| Resistances | Level | Score | Distance |
|---|---|---|---|
| R1 | $0.0407 | 70/100 ⭐ | +4.01% |
| R2 | $0.0883 | 66/100 ⭐ | +125.66% |
The Solana ecosystem is under pressure; Meta's launch of Solana-Polygon stablecoin payments with Stripe (May 2 news) is expected to add positive sentiment, but the short-term outlook for DRIFT is bearish.
North Korea's Rising Share and Cumulative Losses
North Korea's share of global crypto theft was below 10% in 2020-2021 and reached 64% by the end of 2025; cumulative losses are in the billions of dollars. TRM Labs emphasizes that operations focusing on bridges, multisig, and cross-chain infrastructure are gaining momentum. Solana governance paths and THORChain flows are being monitored.
Risks and Defense Recommendations for DRIFT Investors
The SOL ecosystem is affected. Investors should increase multisig audits and receive training against social engineering. The sector is developing AI-based anomaly detection and on-chain insurance layers. In the short term, monitor the DRIFT R1 ($0.0407) resistance.
