North Korean hackers just swiped over $500 million from decentralized finance platforms in less than three weeks. The theft adds to Pyongyang’s growing pile of stolen digital assets, which authorities believe bankrolls the regime’s weapons programs. Security researchers are scrambling to figure out how the attacks happened so fast.
Two massive exploits pushed North Korea’s 2026 crypto haul past $700 million. KelpDAO got hit on April 18, losing $290 million in what LayerZero confirmed two days later as a TraderTraitor operation—that’s the Lazarus Group’s calling card. Before that, Drift Protocol on Solana lost $286 million on April 1, making it one of the year’s biggest DeFi disasters. Elliptic, the blockchain intelligence outfit, tied both attacks to North Korean patterns they’ve been tracking. They’ve counted at least 18 similar jobs this year alone.
How the Hackers Got In
The playbook changed. North Korea’s crews aren’t going after core smart contracts anymore. They’re hitting the stuff around the edges instead.
KelpDAO’s breach came through the Remote Procedure Call infrastructure that LayerZero Labs uses for its Decentralized Verifier Network. Attackers didn’t need to crack the main cryptography—they just found a side door through peripheral systems and walked right in. LayerZero had to deprecate the compromised nodes and bring operations back online from scratch. It’s a different game now, and pretty much everyone in DeFi is vulnerable if they’re not watching their entire stack.
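The failure mode described above, a verifier that inherits the compromise of the RPC node it reads from, has a standard mitigation: never act on a single node's answer. The Python below is an added example written for this article, not code from LayerZero, KelpDAO or any DVN operator; the endpoint names, event fields, the `verify_with_quorum` function and the sample responses are all constructed for illustration. It shows a verifier sending the same query to several independently operated RPC endpoints, hashing each reply canonically, accepting a result only when a strict majority agree, and reporting the dissenting node so an operator can investigate it rather than have the forged answer acted on.

```python
import hashlib
import json
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample of what a verifier reads back for one cross-chain message:
# the event data a source-chain RPC node reports. Field names are illustrative.
HONEST_EVENT = {"src_chain": 1, "nonce": 42, "receiver": "0xreceiver", "amount": 1000}
FORGED_EVENT = {"src_chain": 1, "nonce": 42, "receiver": "0xattacker", "amount": 10_000_000}

Fetcher = Callable[[str], dict]


def canonical_digest(event: dict) -> str:
    """Hash a canonical JSON encoding so endpoints are compared on content, not formatting."""
    data = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


@dataclass
class QuorumResult:
    accepted: Optional[str]      # agreed digest, or None when no quorum was reached
    agreeing: Dict[str, str]     # endpoint name -> digest matching the accepted value
    dissenting: Dict[str, str]   # endpoint name -> digest that did not match (investigate)
    unreachable: List[str]       # endpoints that raised instead of answering


def verify_with_quorum(endpoints: Dict[str, Fetcher], query: str, threshold: int) -> QuorumResult:
    """Query every endpoint and accept only a digest that at least `threshold`
    endpoints agree on. The threshold must be a strict majority of the configured
    endpoints so two different digests can never both qualify."""
    if threshold * 2 <= len(endpoints):
        raise ValueError("threshold must be a strict majority of configured endpoints")
    digests: Dict[str, str] = {}
    unreachable: List[str] = []
    for name, fetch in endpoints.items():
        try:
            digests[name] = canonical_digest(fetch(query))
        except Exception:  # timeouts, connection errors, malformed replies
            unreachable.append(name)
    accepted = None
    counts = Counter(digests.values())
    if counts:
        top, n = counts.most_common(1)[0]
        if n >= threshold:
            accepted = top
    agreeing = {k: v for k, v in digests.items() if accepted is not None and v == accepted}
    dissenting = {k: v for k, v in digests.items() if k not in agreeing}
    return QuorumResult(accepted, agreeing, dissenting, unreachable)


def _static(event: dict) -> Fetcher:
    return lambda query: event


def _unreachable(query: str) -> dict:
    raise TimeoutError("constructed: node did not answer")


# Constructed endpoint set: three honest providers, one compromised, one down.
SAMPLE_ENDPOINTS: Dict[str, Fetcher] = {
    "rpc-provider-a": _static(HONEST_EVENT),
    "rpc-provider-b": _static(HONEST_EVENT),
    "rpc-provider-c": _static(HONEST_EVENT),
    "rpc-provider-d": _static(FORGED_EVENT),   # compromised node reporting a forged event
    "rpc-provider-e": _unreachable,
}


def demo() -> QuorumResult:
    """Run the quorum check against the constructed endpoint set."""
    return verify_with_quorum(SAMPLE_ENDPOINTS, "message-nonce-42", threshold=3)


if __name__ == "__main__":
    r = demo()
    print("accepted digest:", r.accepted)
    print("dissenting endpoints (investigate):", sorted(r.dissenting))
    print("unreachable endpoints:", r.unreachable)
```

The quorum only helps if the endpoints are genuinely independent: several nodes run by the same operator, on the same hosting account or behind the same load balancer count as one for this purpose, and that is an operational assumption the code cannot verify. The majority guard also means the verifier fails closed when too many nodes are down or disagree, which stalls message delivery but is the right outcome when the alternative is relaying a forged event.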
The Ketman Project spent six months digging into something worse. Turns out around 100 North Korean operatives have jobs at blockchain companies worldwide. Real jobs. They’re using fake identities, passing background checks, joining product teams. Once they’re inside, they can see everything—codebases, security protocols, deployment schedules. When the time’s right, they strike. ZachXBT exposed one network that’s pulling in roughly $1 million monthly just from fraudulent crypto-to-fiat conversions. That’s separate from the big heists.
Where the Money Goes
North Korea’s total crypto stash sits at $6.75 billion, according to industry estimates. Last year they grabbed $2 billion, including a $1.5 billion score from Bybit exchange. The laundering patterns are specific and kind of weird. They avoid decentralized exchanges almost entirely. Instead, they use Chinese-language guarantee services and over-the-counter broker networks that most Western firms don’t touch. Researchers think that’s not by choice—it probably means they can’t access the usual off-ramps without getting caught.
The money trail shows structural limits in how Pyongyang can move digital assets. Cross-chain mixing helps obscure things, but the reliance on geographically concentrated services creates chokepoints. Law enforcement knows where to look. They just can’t shut it down fast enough.
Security experts keep saying the same thing: DeFi platforms need better internal access controls and faster incident response. The weak points aren’t always in the code itself. Sometimes it’s the infrastructure. Sometimes it’s the people.
The insider threat is real and growing. Those 100 North Korean operatives embedded in blockchain companies aren’t just collecting paychecks. They’re gathering intelligence, mapping systems, waiting for the perfect moment to execute coordinated attacks. Standard HR checks don’t catch them because the identities are solid—documents, references, work histories, all fabricated but convincing enough to pass muster.
This dual-revenue model works frighteningly well for the regime. IT workers generate steady monthly income while simultaneously positioning themselves for major protocol exploits. When a big attack happens, investigators often find the inside access was established months earlier by someone who seemed like a normal developer or engineer.
The laundering techniques reveal something important about North Korea’s constraints. By sticking to regionalized pathways and avoiding mainstream exchanges, DPRK actors are basically admitting they can’t operate freely in global financial systems. Chinese-language platforms and OTC brokers become essential because other doors are closed. That’s a vulnerability, but one that’s hard to exploit when the networks span multiple jurisdictions and operate in regulatory gray zones.
The $6.75 billion figure represents years of persistent, coordinated effort. North Korea didn’t stumble into this. They built a sophisticated operation that combines traditional hacking skills with social engineering, insider access, and complex money laundering. The Lazarus Group and its offshoots like TraderTraitor have become proficient at identifying vulnerabilities in DeFi protocols, executing attacks with precision, and moving funds before anyone can freeze them.
The April attacks show how quickly things can spiral. $500 million in three weeks isn’t normal, even for North Korea. The pace suggests either improved capabilities or a deliberate acceleration of operations. Maybe both. Security firms are sharing threat intelligence faster now, but the hackers are adapting just as quickly. It’s an arms race, and the defenders are losing ground.
Blockchain companies face a tough problem with no easy fix. How do you screen for operatives using high-quality fake identities? Background checks only work if the background is real. Some firms are implementing more rigorous verification processes, but that slows hiring and doesn’t guarantee results. The operatives are patient. They’ll wait months or years if needed.
The industry’s response has been fragmented. Some platforms upgraded their security after the April breaches. Others are still running the same vulnerable setups, hoping they won’t be next. Coordination between projects remains spotty, and information sharing about threats happens too slowly to prevent copycat attacks.
North Korea’s $6.75 billion crypto war chest funds missile tests, nuclear programs, and keeps the regime afloat under international sanctions. Every successful heist makes the next one easier to plan and execute.
Frequently Asked Questions
How much did KelpDAO lose in the April attack?
KelpDAO lost $290 million in an exploit that occurred on April 18, 2026, which LayerZero confirmed on April 20 as linked to North Korea’s TraderTraitor group.
What is North Korea’s total estimated crypto theft?
North Korea has stolen an estimated $6.75 billion in cryptocurrency assets total, with $2 billion taken in 2025 alone and over $500 million in the past three weeks.
How many North Korean operatives have infiltrated blockchain companies?
The Ketman Project found approximately 100 North Korean operatives working under false identities at blockchain companies globally, generating around $1 million monthly through fraudulent activities.