North Korean Hackers Stole $577M from DRIFT and Kelp
North Korea-linked hackers accounted for 76% of the crypto sector's hack losses this year with just two precise operations in April: attacks that stole $285 million from DRIFT and $292 million from Kelp DAO caused a total of $577 million in damage. According to TRM Labs' new report, these two incidents account for only 3% of all recorded cases. The attackers targeted decentralized finance platforms to carry out the sector's biggest heists. The report calculates that North Korean hackers have stolen over $6 billion in crypto assets since 2017. This data clarifies Pyongyang's dominance in crypto theft.
DRIFT Protocol Hack: Social Engineering and Nonce Manipulation
The Drift Protocol breach stood out for its patient social engineering campaign: on-chain preparations began on March 11, and there were months of face-to-face meetings between North Korean proxies and Drift employees. The attackers used Solana's durable nonce feature to execute 31 pre-signed withdrawals in about 12 minutes, draining real assets like USDC and JLP. The stolen funds were quickly transferred to Ethereum and remain dormant. This technique turned Solana's mechanism for preventing nonce collisions in its high-speed transaction environment to the attackers' advantage, allowing them to optimize timing at the millisecond level.
Kelp DAO Attack: RPC Poisoning and Bridge Manipulation
In the Kelp DAO case, internal RPC nodes were compromised, and a denial-of-service attack on external nodes directed the bridge's sole validator to poisoned data; approximately 116,500 rsETH was drained despite no burn occurring on the source chain. The Arbitrum Security Council froze a portion of the stolen funds, while the remaining ETH was converted to Bitcoin via THORChain; flows from past breaches like Bybit followed the same route. This highlights the single point of failure risk in cross-chain bridges; RPC poisoning bypassed validation layers to create a phantom burn simulation.
North Korea Hack Share: Year-over-Year Increase Table
| Year | Hack Share (%) |
|---|---|
| 2020-2021 | <10 |
| 2022 | 22 |
| 2023 | 37 |
| 2024 | 39 |
| 2025 | 64 |
| 2026 (April) | 76 |
TRM Labs analysts emphasize that the attackers are honing their tools; manipulations lasting weeks in complex mechanisms like Drift point to AI integration in reconnaissance and social engineering.
DRIFT Delisted: Removed from Upbit and Bithumb
Breaking news: $DRIFT has been delisted from Upbit and Bithumb exchanges. This decision reflects post-hack loss of confidence and impacts the DRIFT futures market. The delisting reduced liquidity and increased price pressure; investors shifted to related assets like ETH and ARB.
Sector Defense: New Strategies for DeFi
This trend reveals the intensification of state-sponsored threats in crypto markets and the need for evolving defense strategies. Recommendations: multi-RPC redundancy, AI-based anomaly detection, and social engineering training. Similar risks are rising in assets like ETH; protocols should strengthen nonce management and bridge audits.
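The multi-RPC redundancy recommended above, applied to the Kelp DAO failure mode described earlier (poisoned internal nodes plus a denial of service on external ones). This is an added example, not code from the article, TRM Labs or any bridge; the function, provider names, hashes and response format are hypothetical, and the sample responses are constructed.

```python
from collections import Counter
from typing import Optional

def verify_burn(responses: dict[str, Optional[dict]], burn_tx: str,
                amount: int, quorum: int) -> tuple[bool, str]:
    """Accept a source-chain burn only if `quorum` independent RPC providers
    report the same finalized block containing it. None = unreachable."""
    reachable = [r for r in responses.values() if r is not None]
    if len(reachable) < quorum:
        # Fail closed: never shrink the quorum to whatever still answers.
        return False, f"only {len(reachable)} providers reachable, need {quorum}"
    confirms = Counter(r["block_hash"] for r in reachable
                       if r["finalized"] and r["burns"].get(burn_tx) == amount)
    if not confirms:
        return False, "no provider reports the burn"
    if len(confirms) > 1:
        return False, "providers disagree on the block containing the burn"
    block_hash, votes = next(iter(confirms.items()))
    if votes < quorum:
        return False, f"burn seen by {votes} providers, need {quorum}"
    return True, f"burn confirmed in block {block_hash} by {votes} providers"

# Constructed sample data (hypothetical provider names, hashes and amounts).
BURN_TX, AMOUNT, QUORUM = "0xburn", 116_500, 3
NO_BURN = {"block_hash": "0xaaa", "finalized": True, "burns": {}}
PHANTOM = {"block_hash": "0xbbb", "finalized": True, "burns": {BURN_TX: AMOUNT}}
REAL = {"block_hash": "0xccc", "finalized": True, "burns": {BURN_TX: AMOUNT}}

SCENARIOS = {
    # Internal nodes poisoned, external providers knocked offline.
    "poisoned_plus_dos": {"internal-1": PHANTOM, "internal-2": PHANTOM,
                          "external-1": None, "external-2": None},
    # Internal nodes poisoned, external providers still answering honestly.
    "poisoned_only": {"internal-1": PHANTOM, "internal-2": PHANTOM,
                      "external-1": NO_BURN, "external-2": NO_BURN},
    # Genuine burn visible to every provider.
    "genuine": {name: REAL for name in
                ("internal-1", "internal-2", "external-1", "external-2")},
}

def run_scenarios() -> dict[str, tuple[bool, str]]:
    return {name: verify_burn(resp, BURN_TX, AMOUNT, QUORUM)
            for name, resp in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

The quorum must be larger than the number of nodes the operator hosts itself, so that compromising the internal nodes alone can never satisfy it.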
