Kelp DAO exploit & Drift hack: DPRK-linked $578M raises DeFi risk

North Korea-linked actors are suspected in April’s major crypto attacks, with the Kelp DAO exploit and the April Fools’ Day Drift hack pushing losses to at least $578M. Traders should treat the Kelp DAO exploit as a signal that DPRK groups are targeting cross-chain and operational infrastructure (not just “code exploits”). Kelp DAO reported a $292M hack on Saturday, one of the biggest incidents so far this year. The incident was tied to LayerZero cross-chain messaging infrastructure and traced to a LayerZero configuration/infrastructure issue. LayerZero said Kelp DAO’s use of a single verifier configuration enabled approvals for cross-chain messages, and “preliminary indicators” pointed to TraderTraitor, a North Korea-affiliated subgroup of the Lazarus Group. Investigator Tanuki42 added that funds stolen from the Kelp DAO exploit have commingled with earlier TraderTraitor-linked thefts, including wallet links connected to the $1.4B Bybit hack in Feb 2025. The same month also saw a $285M exploit at Drift (a Solana-based decentralized perpetuals exchange) on April 1, attributed to DPRK activity—bringing total April DPRK-attributed thefts to at least $578M across multiple incidents. Governance response: Arbitrum’s Security Council froze 30,766 ETH related to the Kelp DAO exploit. This highlights the trader tradeoff between limiting further losses and the market implications of governance intervention on “neutral” rollup infrastructure. Broader context: the FBI’s 2025 IC3 report said crypto-related complaints rose 21% with $11.37B in losses. Separately, Zerion reported about $100k stolen via AI-assisted social engineering linked to DPRK actors. For positioning, the Kelp DAO exploit reinforces a near-term risk window where “periphery” infrastructure (RPC/data pathways, verifiers, vendors, permissions) may be the weak link—potentially lifting counterparty risk and risk premia for DeFi and cross-chain markets.
Bearish
This is a direct reminder that DPRK-linked groups may be moving from isolated contract exploits to cross-chain and operational infrastructure attacks. The Kelp DAO exploit (tied to LayerZero configuration/verifier controls) plus the large Drift loss can increase near-term “risk premia” and counterparty concerns across DeFi and cross-chain ecosystems. The Arbitrum Security Council freezing 30,766 ETH also signals active governance disruption that markets may price as additional friction. Over the longer run, attackers’ demonstrated tradecraft (compromising infrastructure components and exploiting weakest links via third parties) supports a sustained security-risk narrative, which can keep sentiment pressured and volatility elevated.