My Crypto News AI

How North Korea's Lazarus Group Pulled Off a $577 Million Crypto Heist in Two Months

North Korea's Lazarus Group carried out two cryptocurrency thefts totaling $577 million in April 2026, which by TRM Labs' count accounted for 76 percent of all crypto theft in the first four months of the year. Neither was a conventional smart contract exploit: the first was the end point of roughly six months of social engineering and compromised developer devices, the second abused a weak message-verification configuration in a cross-chain bridge. Together they mark a shift in the threats DeFi (decentralized finance) protocols face, from bugs in code to state-sponsored intelligence operations aimed at the people and infrastructure around the code.

What Happened in the Drift Protocol Attack?

On April 1, 2026, attackers drained Drift Protocol, the largest decentralized perpetual futures exchange on Solana, of approximately $285 million in user assets within twelve minutes. The theft was not the result of a smart contract flaw. Instead, it was the culmination of six months of methodical preparation by operatives working for North Korea's government.

The attack began in October 2025 at a major crypto conference, where individuals posing as representatives of a quantitative trading firm approached Drift contributors. These operatives had verified professional backgrounds, demonstrated technical fluency, and asked legitimate questions about integrating with a perpetuals protocol. Over the following six months, the same operatives appeared at multiple global industry events, deepening relationships with specific Drift contributors. A Telegram group was established for discussing trading strategies and integration possibilities.

From December 2025 through January 2026, the fake trading firm "onboarded an ecosystem vault" with Drift, submitting strategy details and depositing over $1 million into the protocol as a partner. By February and March 2026 the relationships were deep enough that contributors were willing to exchange code repositories and applications with these counterparties. The attackers then used two delivery vectors for malware: one was a shared repository containing code that achieved silent code execution when opened, through a then-unpatched vulnerability in VSCode or Cursor (an AI-augmented fork of VSCode); the other was a purported wallet app distributed through Apple's TestFlight beta-testing platform, which a contributor installed and which compromised the device.

With access to the right machines and wallets, the attackers obtained signatures from two of the five Security Council signers, which was enough under the council's signing threshold to execute pre-signed transactions. On April 1 they executed two such transactions four Solana slots apart, seizing admin control, introducing a synthetic asset called CarbonVote Token (CVT) into the spot market, manipulating its price through wash trading on two decentralized exchanges, and raising the protocol's USDC withdrawal limit to 500 trillion. The drained assets were swapped to USDC through Jupiter, Solana's largest DEX (decentralized exchange) aggregator, and bridged to Ethereum through Circle's CCTP (Cross-Chain Transfer Protocol), which moves USDC natively by burning it on the source chain and minting it on the destination; on Ethereum the proceeds ended up as approximately 129,000 ETH, worth about $270 million.
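The admin takeover above comes down to a signing threshold that two stolen keys could satisfy, and to pre-signed transactions that took effect the moment they landed. The following toy model is an added illustration, not Drift's code: it gates admin actions behind a k-of-n council and shows the two stolen keys succeeding at threshold 2, failing at threshold 3, and being stopped by a timelock and a bound on parameter changes even at threshold 2. Signers use HMAC keys as a stand-in for the Ed25519 keys a real Solana multisig would use; the council names, the slot numbers, the starting withdrawal limit and the bound are all constructed for the example.

```python
"""Toy model of protocol admin actions gated by a k-of-n signing council.

Added illustration, not Drift's code. Signers are modelled with HMAC keys
(a stand-in for Ed25519 keys); council names, thresholds, slot numbers
and limits are constructed for the example.
"""
import hashlib
import hmac
import json

# Constructed council of five. Two keys are treated as stolen from
# compromised contributor machines, as in the Drift narrative.
COUNCIL = {f"signer{i}": hashlib.sha256(f"demo-key-{i}".encode()).digest()
           for i in range(1, 6)}
COMPROMISED = ["signer1", "signer2"]


def canonical(action: dict) -> bytes:
    """Deterministic encoding so every signer signs the same bytes."""
    return json.dumps(action, sort_keys=True, separators=(",", ":")).encode()


def sign(signer: str, action: dict) -> str:
    return hmac.new(COUNCIL[signer], canonical(action), hashlib.sha256).hexdigest()


def valid_signers(action: dict, signatures: dict) -> set:
    """Council members whose signature over `action` verifies.
    Unknown signers and forged signatures are dropped; a dict keyed by
    signer name cannot count the same key twice."""
    good = set()
    for signer, sig in signatures.items():
        if signer in COUNCIL and hmac.compare_digest(sign(signer, action), sig):
            good.add(signer)
    return good


class Governance:
    def __init__(self, threshold: int, timelock_slots: int = 0,
                 max_limit_multiplier=None):
        self.threshold = threshold
        self.timelock_slots = timelock_slots          # 0 = execute immediately
        self.max_limit_multiplier = max_limit_multiplier  # None = no bound
        self.withdrawal_limit_usdc = 50_000_000       # constructed starting value
        self.spot_markets = {"SOL", "BTC", "ETH"}
        self.queue = {}                               # action id -> (action, ready slot)

    def submit(self, action: dict, signatures: dict, slot: int) -> str:
        signers = valid_signers(action, signatures)
        if len(signers) < self.threshold:
            return f"rejected: {len(signers)}/{self.threshold} valid signatures"
        if (action["type"] == "set_withdrawal_limit"
                and self.max_limit_multiplier is not None
                and action["value"] > self.withdrawal_limit_usdc * self.max_limit_multiplier):
            return "rejected: limit change exceeds on-chain bound"
        action_id = hashlib.sha256(canonical(action)).hexdigest()[:8]
        self.queue[action_id] = (action, slot + self.timelock_slots)
        return f"queued:{action_id}"

    def cancel(self, action_id: str, signer: str) -> bool:
        """Any single council member can veto a queued action during the timelock."""
        if signer in COUNCIL and action_id in self.queue:
            del self.queue[action_id]
            return True
        return False

    def execute(self, action_id: str, slot: int) -> str:
        if action_id not in self.queue:
            return "rejected: unknown or cancelled action"
        action, ready_at = self.queue[action_id]
        if slot < ready_at:
            return f"rejected: timelock, ready at slot {ready_at}"
        del self.queue[action_id]
        if action["type"] == "set_withdrawal_limit":
            self.withdrawal_limit_usdc = action["value"]
        elif action["type"] == "list_spot_market":
            self.spot_markets.add(action["symbol"])
        return "executed"


def attacker_actions() -> list:
    """The two pre-signed transactions from the narrative, signed with the stolen keys."""
    actions = [
        {"type": "list_spot_market", "symbol": "CVT"},
        {"type": "set_withdrawal_limit", "value": 500_000_000_000_000},
    ]
    return [(a, {s: sign(s, a) for s in COMPROMISED}) for a in actions]


def run_attack(gov: Governance, start_slot: int = 1000) -> list:
    """Submit each action and try to execute it in the same slot, four slots apart."""
    results, slot = [], start_slot
    for action, sigs in attacker_actions():
        r = gov.submit(action, sigs, slot)
        if r.startswith("queued:"):
            r = gov.execute(r.split(":")[1], slot)
        results.append(r)
        slot += 4
    return results


if __name__ == "__main__":
    print(run_attack(Governance(threshold=2)))
    print(run_attack(Governance(threshold=3)))
    print(run_attack(Governance(threshold=2, timelock_slots=216_000, max_limit_multiplier=2.0)))
```

The threshold line alone is the cheapest fix, but a timelock is what turns two stolen keys into a survivable incident: the three honest signers get a window in which any one of them can veto, instead of learning about the action from the block explorer four slots later.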

How Did the KelpDAO Breach Unfold?

Seventeen days after the Drift attack, on April 18, 2026, attackers drained $292 million from KelpDAO, a restaking protocol, by exploiting a LayerZero bridge configuration in which a single verifier was sufficient to attest cross-chain messages. The two attacks together made up more than 90 percent of April's $625 million in crypto theft, making April 2026 the worst month for crypto security on record. Year-to-date theft through April crossed $1 billion, and TRM Labs attributes 76 percent of the 2026 total to these two attacks, both by the same threat actor.

The KelpDAO breach created bank-run risk elsewhere in DeFi because rsETH, KelpDAO's restaked-ETH token, was widely used as collateral on Aave, a major lending protocol. The incident exposed one of the largest weaknesses in modern DeFi: cross-chain bridge security. Unlike the Drift attack, which relied on social engineering and compromised devices, the KelpDAO theft exploited a technical weakness in bridge infrastructure.

Why Are Blockchain Bridges Such Attractive Targets?

Blockchain bridges are protocols that allow the transfer of assets, information, or messages between one blockchain and another. They are essential infrastructure in Web3, enabling users to move funds across networks like Ethereum, Solana, and BNB Chain without relying on centralized exchanges. However, because of the abundant value locked in these contracts, blockchain bridges are a common target for attacks.

Most modern bridges are smart contract bridges: automated code accepts deposits, validates transfer messages, and issues tokens on the other network without manual mediation, so their security rests on the correctness of that code, on who is allowed to validate a message, and on audits and monitoring. Many use a lock-and-mint model, in which users lock tokens in a contract on the source chain and an equivalent amount of a wrapped token, a representation of the locked asset, is minted on the destination chain. Wrapped assets increase interoperability, but they are only as sound as the bridge that backs them: if the bridge can be made to mint without a matching lock, the wrapped supply no longer corresponds to anything.
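The following toy bridge is an added illustration, not KelpDAO's or LayerZero's code. It ties the lock-and-mint model above to the single-verifier weakness described in the KelpDAO section: the destination chain mints a wrapped token only for messages attested by a configurable number of verifiers (LayerZero calls its verifiers DVNs and leaves the required count to each application's configuration). With one compromised verifier, a 1-of-1 configuration mints tokens that were never locked and breaks the supply invariant, while a 2-of-3 configuration rejects the same forged message. Verifiers attest with HMAC keys as a stand-in for real signatures; the chain names, verifier set, amounts and the forged message are constructed for the example.

```python
"""Toy lock-and-mint bridge with a configurable verifier quorum.

Added illustration, not KelpDAO's or LayerZero's code. Verifiers attest
with HMAC keys (stand-in for real signatures); chain names, verifier
names, amounts and the forged message are constructed.
"""
import hashlib
import hmac
import json

# Constructed verifier set. dvn1 is treated as compromised: it attests any
# message it is handed, whether or not a matching lock happened.
VERIFIERS = {f"dvn{i}": hashlib.sha256(f"dvn-key-{i}".encode()).digest()
             for i in range(1, 4)}


def encode(msg: dict) -> bytes:
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def attest(verifier: str, msg: dict) -> str:
    return hmac.new(VERIFIERS[verifier], encode(msg), hashlib.sha256).hexdigest()


class SourceChain:
    """Holds the real tokens and emits one lock message per deposit."""
    def __init__(self):
        self.locked = 0
        self.nonce = 0
        self.log = []      # messages that really appeared on this chain

    def lock(self, user: str, amount: int) -> dict:
        self.locked += amount
        self.nonce += 1
        msg = {"nonce": self.nonce, "to": user, "amount": amount,
               "src": "ethereum", "dst": "arbitrum"}
        self.log.append(msg)
        return msg


class DestinationChain:
    """Mints wrapped tokens only for messages carrying `required` valid
    attestations from the configured verifier set."""
    def __init__(self, verifier_set, required: int):
        self.verifier_set = set(verifier_set)
        self.required = required
        self.minted = {}
        self.seen_nonces = set()

    def receive(self, msg: dict, attestations: dict) -> str:
        if msg["nonce"] in self.seen_nonces:
            return "rejected: replay"
        good = {v for v, sig in attestations.items()
                if v in self.verifier_set and hmac.compare_digest(attest(v, msg), sig)}
        if len(good) < self.required:
            return f"rejected: {len(good)}/{self.required} verifier attestations"
        self.seen_nonces.add(msg["nonce"])
        self.minted[msg["to"]] = self.minted.get(msg["to"], 0) + msg["amount"]
        return "minted"


def gather_attestations(msg: dict, source: SourceChain, compromised) -> dict:
    """Honest verifiers attest only messages present in the source log;
    a compromised verifier attests anything."""
    return {v: attest(v, msg) for v in VERIFIERS
            if v in compromised or msg in source.log}


def supply_consistent(source: SourceChain, dest: DestinationChain) -> bool:
    """Lock-and-mint invariant: wrapped supply never exceeds locked collateral."""
    return sum(dest.minted.values()) <= source.locked


def scenario(verifier_set, required: int, compromised=("dvn1",)) -> dict:
    """Deliver one genuine lock message, one forged mint, and one replay."""
    src = SourceChain()
    dst = DestinationChain(verifier_set, required)
    real = src.lock("alice", 10)
    forged = {"nonce": 999, "to": "attacker", "amount": 1_000_000,
              "src": "ethereum", "dst": "arbitrum"}
    return {
        "real": dst.receive(real, gather_attestations(real, src, compromised)),
        "forged": dst.receive(forged, gather_attestations(forged, src, compromised)),
        "replay": dst.receive(real, gather_attestations(real, src, compromised)),
        "supply_consistent": supply_consistent(src, dst),
        "minted": dict(dst.minted),
    }


if __name__ == "__main__":
    print("single verifier:", scenario(["dvn1"], 1))
    print("2-of-3 quorum:  ", scenario(["dvn1", "dvn2", "dvn3"], 2))
```

The replay check and the supply invariant are there because they are the two things a bridge operator can actually monitor: a destination chain whose wrapped supply exceeds the source chain's locked balance has been told a lie by its verifiers, regardless of how the lie was signed.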

How to Understand the Shift in DeFi Threats?

  • From Code to Credentials: The 2020-era worry was smart contract bugs and flash loan exploits, vulnerabilities in code. The 2026 reality is sustained, multi-country, multi-month operations run by intelligence professionals who do not need a code exploit because they already hold the keys, obtained by compromising the people and devices that guard them.
  • Social Engineering as a Weapon: The Drift attack shows that blockchain security now depends on human and operational defenses, not just cryptography. Attackers spent six months building real relationships with engineers, attending conferences in person, and establishing trust before extracting the signatures they needed.
  • Bridge Weaknesses as Systemic Risk: The KelpDAO breach showed that a bridge whose verification rests on a single party can be drained of hundreds of millions of dollars, and that the damage spreads to every protocol accepting the bridged asset as collateral. As Web3 becomes more interconnected, bridge security becomes a systemic risk for the whole ecosystem.

Who Is Behind These Attacks?

The threat actor behind both attacks is the Lazarus Group, the umbrella name Western intelligence agencies use for state-sponsored hacking operations run out of North Korea's Reconnaissance General Bureau, the country's primary intelligence agency. Since 2017, Lazarus and its sub-units have stolen over $6 billion in cryptocurrency. By Chainalysis figures, $2.06 billion of that was stolen in 2025 alone, driven primarily by the catastrophic $1.5 billion Bybit hack in February of that year, the largest crypto theft in history. The 2026 pace puts the group on track to comfortably pass the 2025 total.

Drift has clarified that the individuals at those in-person meetings were not North Korean nationals. Lazarus operations almost always use third-party intermediaries for face-to-face contact, with the actual technical operators staying inside North Korea or China. This layered identity structure is one of the defining features of Lazarus campaigns, according to blockchain investigator ZachXBT, who has been tracking North Korean crypto operations for years.

What Does This Mean for the Broader Blockchain Ecosystem?

This is not a crypto security story in any conventional sense. The threats DeFi protocols face today are not the threats they were designed to defend against. Blockchain itself may be secure, but the ecosystem around it is often vulnerable. Modern blockchain security includes protecting wallets, smart contracts, decentralized applications, validator nodes, and cross-chain ecosystems. As blockchain adoption grows across finance, healthcare, supply chain management, and Web3 platforms, understanding blockchain security becomes increasingly important for businesses, developers, and everyday users.

The Drift and KelpDAO attacks show that DeFi security now depends on human, operational, and bridge-layer defenses as much as on the code itself. The adversary is a state intelligence service that uses the proceeds to fund its weapons program, and the industry is only just starting to admit it.