Lazarus steals $577M in 18 days
- North Korea-linked Lazarus hackers were tied to two April DeFi attacks: the April 1 Drift Protocol exploit and the April 18 Kelp DAO bridge drain.
- The two incidents totaled more than $575 million in 18 days, with Drift losing about $285 million and Kelp DAO another $292 million.
- Both attacks centered on off-chain trust and social engineering, not code bugs alone. (coindesk.com)
North Korea-linked Lazarus hackers were linked to two of April's biggest decentralized finance thefts: Drift Protocol on April 1 and Kelp DAO on April 18. (coindesk.com 1) (coindesk.com 2) Drift, a Solana-based trading protocol, said attackers stole about $280 million to $285 million after a six-month infiltration campaign that began around a crypto conference in fall 2025. (theblock.co) (cointelegraph.com) Kelp DAO, a restaking protocol, lost about $292 million on April 18 when an attacker drained 116,500 rsETH through its LayerZero-based bridge. Kelp's emergency multisig froze the contracts about 46 minutes later and blocked two follow-up attempts. (theblock.co) (coindesk.com)

A bridge is the plumbing that moves tokens between blockchains: tokens are burned or locked on one chain and released on another once verifiers confirm that the burn happened. Kelp's failure was not a simple smart-contract bug. Chainalysis said the attackers compromised internal Remote Procedure Call (RPC) nodes, knocked external nodes offline, and fed false data into a one-of-one verification setup, in which a single verifier's attestation is enough to release funds. Ethereum therefore released funds for a burn that never happened. (chainalysis.com)

Drift's case looked different on the surface but hinged on the same weak point: people and permissions outside the code itself. Drift said the attackers posed as a quantitative trading firm, built relationships across multiple conferences, and put more than $1 million of their own money into a Drift vault before cashing out. (theblock.co) (coindesk.com)

That matters because both incidents bypassed the usual crypto debate over audited code and on-chain transparency. In Kelp's case, Chainalysis said every on-chain transaction looked valid, while Drift described a "structured intelligence operation" that required months of preparation. (chainalysis.com) (cointelegraph.com)

The fallout spread beyond the hacked protocols. The Kelp exploit triggered about $10 billion in outflows from Aave and pushed total DeFi value locked down 7% in 24 hours to $86 billion, according to The Block's report on LayerZero's findings. (theblock.co) The money trail also moved fast. Cointelegraph reported that wallets tied to the Kelp exploit laundered most of the 75,700 ether through THORChain, while about $71 million remained frozen by Arbitrum's security council. (cointelegraph.com)

Security researchers say the campaign fits a broader North Korean playbook that now mixes malware, fake identities, third-party intermediaries and infrastructure attacks. Chainalysis said North Korean hackers stole $2.02 billion in crypto in 2025 alone, pushing their all-time total to $6.75 billion. (chainalysis.com) (cointelegraph.com)

By late April, the headline number was no longer one hack but two: more than $575 million drained from DeFi in 18 days, with trust in operators, signers and infrastructure now under the same scrutiny as the code. (coindesk.com)