Lazarus / TraderTraitor steals $577M from Drift + KelpDAO inside three weeks
DPRK state-sponsored umbrella set associated with the Reconnaissance General Bureau. Mixes financially-motivated operations (including major cryptocurrency exchange thefts and SWIFT-network bank intr…
Summary
North Korean operators hit two DeFi protocols inside a seventeen-day window in April 2026: Drift Protocol on 1 April ($285M) and KelpDAO's LayerZero bridge on 18 April ($292M). Together with the February 2025 Bybit theft, the combined $577M drove North Korea's share of all cryptocurrency-hack value to 76% in 2026 through April per TRM Labs tracking, the highest single-actor concentration of crypto-theft attribution since continuous tracking began. Initial access for both incidents was traced to the same TraderTraitor recruiter-persona social engineering of engineers at the victim ecosystem (a continuation of the DMM Bitcoin / Ginco LinkedIn-lure tradecraft pattern from 2024).
Primary source
trmlabs.com
Other Lazarus Group events
- 2025-02-21 Lazarus / TraderTraitor executes $1.5B Bybit heist — largest crypto theft in history
- 2024-12-23 FBI attributes $308M DMM Bitcoin theft to DPRK TraderTraitor
- 2023-03-29 3CX Desktop App supply-chain compromise
- 2022-03-29 Ronin Network bridge theft (~$620M)
- 2017-05-12 WannaCry global ransomware outbreak