Devoured - May 01, 2026
How North Korean spies spent months to drain $285 million from Drift (2 minute read)

North Korean hackers have evolved from remote attacks to months-long in-person social engineering campaigns, now accounting for 76% of 2026's crypto exploits worth nearly $600 million.

What: North Korean state-backed groups, primarily Lazarus and DPRK, are responsible for 76% of 2026 crypto hack losses totaling nearly $600 million and over $6 billion since 2017. Their tactics now include unprecedented in-person social engineering like the $285M Drift Protocol breach and sophisticated key compromises like the $292M KelpDAO attack.
Why it matters: The shift from remote keyboard operations to months-long in-person infiltration represents a fundamental evolution in crypto security threats, while the KelpDAO breach triggered one of DeFi's largest cascading failures with $13 billion in withdrawals and left Aave with a $200 million bad-debt crisis.
Takeaway: Protocol teams should implement multisig controls with timelocks on deployer keys and scrutinize long-term in-person business relationships for potential social engineering risks.
Deep dive
  • North Korean proxies conducted months of in-person meetings with Drift Protocol employees before executing the $285 million exploit, marking what TRMLabs calls "unprecedented" escalation from purely remote operations
  • The Drift attackers converted proceeds to USDC, bridged to Ethereum, swapped to ETH, and haven't moved funds since the theft, consistent with DPRK's patient multi-year cashout pattern
  • The $292 million KelpDAO breach exploited a known single-verifier flaw that LayerZero had repeatedly warned against, an example of a protocol ignoring basic security recommendations
  • Lazarus immediately laundered KelpDAO proceeds through THORChain and Umbra using Chinese intermediaries following the documented TraderTraitor playbook, contrasting sharply with DPRK's patient approach
  • The KelpDAO exploit triggered $13 billion in withdrawals from DeFi lending platforms over 48 hours, with Aave losing $8.54 billion in deposits and facing nearly $200 million in bad debt
  • Industry participants pledged $300 million to help backstop Aave's bad-debt crisis, one of the largest coordinated rescue efforts in DeFi history
  • The Wasabi Protocol exploit used a similar technical approach to Drift, draining $4.5 million via a compromised deployer key with no timelock or multisig protection
  • TRMLabs emphasizes North Korea's campaign is becoming "sharper" rather than broader, with faster and more precise execution than previous years
  • The cumulative $6 billion in attributed crypto theft since 2017 represents a significant funding source for the North Korean regime
  • The evolution to in-person social engineering suggests North Korean operatives are establishing legitimate-seeming business relationships before executing attacks
Decoder
  • DPRK: Democratic People's Republic of Korea (North Korea); one of two main state-backed hacking groups mentioned
  • Lazarus: North Korean state-backed hacking group responsible for major crypto exploits and the 2014 Sony Pictures hack
  • Multisig: Multi-signature wallet requiring multiple private keys to authorize transactions, providing security against single points of compromise
  • Timelock: Smart contract mechanism that delays transaction execution, giving protocol teams time to detect and prevent malicious changes
  • LayerZero: Cross-chain interoperability protocol that had warned KelpDAO about single-verifier security flaws
  • THORChain: Decentralized liquidity protocol used for cross-chain swaps, often used to launder stolen crypto
  • TraderTraitor: Documented money laundering playbook involving Chinese intermediaries to convert stolen crypto to fiat
  • Aave: Major DeFi lending protocol that suffered $8.54 billion in deposit withdrawals and $200 million bad debt from the KelpDAO exploit contagion
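As an added illustration of the Takeaway and the Multisig and Timelock entries above (example code written for this page, not from the article or from any protocol it names), here is a Python model of a deployer-key admin path in which one compromised key cannot act on its own: a signer threshold must be reached, the timelock then starts, and any signer can cancel during that window. Signer names, the threshold and the delay are constructed values.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Proposal:
    action: str
    approvals: set = field(default_factory=set)
    ready_at: Optional[int] = None   # timestamp at which the timelock expires
    cancelled: bool = False
    executed: bool = False


class TimelockedMultisig:
    """Admin-path model: quorum of signers approves, a delay elapses, then execution.
    Any signer may cancel a queued action, giving the team a detection window."""

    def __init__(self, signers, threshold, delay):
        if not 1 <= threshold <= len(set(signers)):
            raise ValueError("threshold must be between 1 and the number of signers")
        self.signers, self.threshold, self.delay = set(signers), threshold, delay
        self.proposals = []

    def _check(self, signer):
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not a signer")

    def propose(self, signer, action, now):
        self._check(signer)
        self.proposals.append(Proposal(action))
        pid = len(self.proposals) - 1
        self.approve(signer, pid, now)         # proposer's approval counts as the first one
        return pid

    def approve(self, signer, pid, now):
        self._check(signer)
        p = self.proposals[pid]
        if p.cancelled or p.executed:
            raise ValueError("proposal is closed")
        p.approvals.add(signer)                # re-approval by the same key adds nothing
        if p.ready_at is None and len(p.approvals) >= self.threshold:
            p.ready_at = now + self.delay      # timelock starts only once quorum is reached
        return "queued" if p.ready_at is not None else "pending"

    def cancel(self, signer, pid):
        self._check(signer)
        self.proposals[pid].cancelled = True   # veto during the timelock window

    def execute(self, pid, now):
        p = self.proposals[pid]
        if p.cancelled or p.executed:
            raise ValueError("proposal is closed")
        if p.ready_at is None:
            raise PermissionError("below signer threshold")
        if now < p.ready_at:
            raise PermissionError(f"timelock active for {p.ready_at - now} more seconds")
        p.executed = True
        return p.action
```

A single stolen key (the Wasabi and Drift pattern above) only reaches the "pending" state here; the remaining signers see the queued action before the delay expires and can cancel it.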
Original article

North Korean state-backed groups, including Lazarus, now account for 76% of 2026 crypto exploit losses, totaling nearly $600 million. Tactics have evolved from remote attacks to sophisticated, months-long in-person social engineering, exemplified by the $285 million Drift Protocol breach and the $292 million KelpDAO exploit.