The Democratic People's Republic of Korea has effectively formalized cyber heists as a state-sponsored industry, executing two distinct operations in 2026 that netted nearly $600 million through deep-cover social engineering and infrastructure manipulation.
Startups often dream of product-market fit, but for North Korean state-sponsored hackers, the market is clearly the cryptocurrency sector, and the product is meticulously planned theft. The atmosphere shifted dramatically this week with the disclosure of the "Drift" incident, in which the Solana-based decentralized exchange lost $285 million on April 1. While April Fools' Day might suggest a prank, the post-mortem reveals a terrifying reality: this was not a fly-by-night exploit but a campaign launched in the fall of 2025. We are looking at a six-month endurance test in which the attackers, tracked by cybersecurity firms as UNC4736 (also known as Citrine Sleet or Lazarus), patiently built trust before delivering the kill switch.
What makes the Drift heist distinct is the human element. We often imagine these breaches as code breaking against code, but this operation was rooted in psychological manipulation. The DPRK actors did not just hammer the network with requests; they infiltrated the community. Over the course of those six months, they established a rapport with key personnel, gathering the specific intelligence necessary to bypass standard security protocols. It is a stark reminder that in a world of zero-knowledge proofs, the "know-your-customer" gap often lies within the team itself. By the time the assets moved on April 1, the attackers had effectively walked through the front door holding a key they had forged half a year earlier.
Infrastructural Sabotage at Kelp DAO
If the Drift hack was a dagger to the heart, the simultaneous attack on Kelp DAO was a sledgehammer to the infrastructure. Occurring just weeks apart, the Kelp incident involved $290 million in rsETH and demonstrated a completely different attack vector: infrastructure poisoning. Here, the strategy was not patience but precision. The hackers targeted LayerZero's Distributed Verification Network (DVN), compromising specific Remote Procedure Call (RPC) endpoints while launching DDoS attacks against others. This forced a system failover onto the poisoned endpoints, creating a man-in-the-middle scenario at the protocol level. The attackers delivered a malicious instruction to drain 116,500 rsETH, and when Kelp attempted to stem the bleeding by pausing contracts and blacklisting wallets, the protocol's vulnerability to internal panic was exposed.
The Mechanics of a Digital Heist
The technical divergence here is critical for the sector to understand. Drift was breached through a relationship, whereas Kelp was breached through a reliability feature. Kelp DAO, a liquid restaking protocol that routes user-deposited ETH through EigenLayer to earn rewards, relies on the integrity of the DVN to verify transactions. By weaponizing the failover mechanism, a safety net designed to keep the network running during high traffic, the attackers turned a redundancy feature into a trap. The subsequent block of a second transaction worth $95 million was a defensive win, but it highlights a grim reality: stop-loss measures in DeFi are often reactive rather than preventive.
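The failover-versus-quorum distinction described above, as an added Python illustration (not code from LayerZero, Kelp DAO or any real DVN): a verifier that fails over to the first endpoint that still answers accepts whatever the surviving endpoint says, whereas a verifier that requires agreement from several independent endpoints fails closed when too many are silent or disagree. Endpoint names, the honest payload and the offline/poisoned layout are constructed sample data.

```python
from collections import Counter

# Constructed sample: what each RPC endpoint reports for one cross-chain message.
# None models an endpoint knocked offline (e.g. by DDoS); POISONED is the
# attacker-controlled instruction served by the compromised fallback endpoint.
HONEST = {"msg_id": "0xabc", "action": "unlock", "amount_rseth": 10}
POISONED = {"msg_id": "0xabc", "action": "unlock", "amount_rseth": 116_500}

ENDPOINT_VIEWS = {
    "rpc-primary": None,       # offline under DDoS
    "rpc-secondary": None,     # offline under DDoS
    "rpc-fallback": POISONED,  # compromised, still answering
    "rpc-indep-1": HONEST,     # independent provider
    "rpc-indep-2": HONEST,     # independent provider
}

FAILOVER_ORDER = ["rpc-primary", "rpc-secondary", "rpc-fallback",
                  "rpc-indep-1", "rpc-indep-2"]


def verify_with_failover(views, priority):
    """Naive redundancy: take the first endpoint that answers.

    Under DDoS this fails open: whoever remains reachable decides the payload.
    """
    for name in priority:
        payload = views.get(name)
        if payload is not None:
            return payload
    return None


def verify_with_quorum(views, threshold):
    """Fail closed: accept a payload only if >= threshold endpoints agree on it.

    Returns None (verification refused) when no payload reaches the threshold,
    so an outage of the honest majority halts rather than delegates trust.
    """
    votes = Counter()
    for payload in views.values():
        if payload is not None:
            votes[tuple(sorted(payload.items()))] += 1
    if not votes:
        return None
    best, count = votes.most_common(1)[0]
    return dict(best) if count >= threshold else None
```

With the sample layout the failover verifier hands back the poisoned instruction, while a 2-of-5 quorum returns the honest payload and a 3-of-5 quorum refuses to verify at all.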
A Maturation of State-Sponsored Cybercrime
Attribution in cybersecurity is notoriously difficult, yet the confidence in pointing to the DPRK is high. UNC4736 and the Lazarus Group are no longer isolated actors; they function as specialized units within a larger economic apparatus. The use of multiple cryptonyms (AppleJeus, Golden Chollima, Gleaming Pisces) signals a mature, segmented operation capable of switching personas and methodologies to suit the target. We are witnessing an evolution from opportunistic hacking to strategic, resource-intensive warfare. The funds siphoned from these protocols are not merely padding a rogue wallet; they are directly fueling a regime isolated from global financial markets.
For founders and investors, the takeaway is immediate and uncomfortable. The threat model has expanded beyond smart contract audits. A solid codebase is no longer sufficient if the communication channels are compromised or the verification infrastructure is susceptible to coercion. Startups must now vet their human operators as rigorously as they vet their nodes. This is the new normal for high-finance DeFi: the code is law, but the person holding the keys is the variable.