North Korean Hackers Hit DRIFT and KelpDAO: 577M$

North Korea-linked hackers dealt the biggest blow to the crypto sector in the first four months of 2026: they stole 577 million dollars. This accounts for 76% of global hack losses. According to the TRM Labs report, the damage focuses on two attacks in April: DRIFT detailed analysis for 285 million dollars and 292 million dollars from KelpDAO. Although only 3% of the year's total hacks, the volumes are shocking.

DRIFT Protocol Hack Details

The Drift attack was carried out by a North Korean subgroup separate from Lazarus-linked TraderTraitor. The attackers had been in contact with Drift employees for months. From mid-March, they prepared Solana-based persistent nonce accounts. Immediately after the protocol's Security Council switched to a 2/5 threshold system on April 1, they drained the vaults in 12 minutes using 31 pre-signed transactions. The funds were bridged to Ethereum and frozen. Latest development: DRIFT was delisted from Upbit and Bithumb exchanges after the hack.

• Main Targets: Bridges, multisig, and cross-chain infrastructures
• Monitoring: THORChain flows and Solana governance paths
• Impact: Sharp drop in DRIFT price, DRIFT futures volatility

KelpDAO and the North Korean Threat

In KelpDAO, they exploited the single validator structure of the LayerZero bridge via an RPC hack. The funds were converted to Bitcoin via THORChain (RUNE detailed analysis), then transferred to Chinese intermediaries after Arbitrum freezes. North Korea's share in crypto thefts was below 10% in 2020-2021, reaching 64% by the end of 2025. Cumulative losses are in the billions of dollars.

Frequently Asked Questions About DRIFT

Why was the DRIFT hack so effective?
They bypassed multisig through long-term employee contact and nonce manipulation.

What does DRIFT delisting mean?
Exit from Upbit/Bithumb reduced liquidity and increased price pressure.

Will the Solana ecosystem be affected?
Yes, governance paths require new defense layers.