Kelp DAO suffered a $292 million hack on Saturday, surpassing Drift as the largest crypto exploit of the year so far. Investigators and infrastructure provider LayerZero attribute the breach to a failure in LayerZero’s cross-chain messaging setup, specifically Kelp DAO’s use of a single verifier configuration to approve cross-chain messages.
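To make the configuration failure concrete, the following Python simulation (added here; it is not Kelp DAO's or LayerZero's code and does not use LayerZero's actual API) models a destination-chain endpoint that accepts a cross-chain message only when the verifiers named in its receive configuration attest to it. The verifier names (`dvn-a`, `dvn-b`, `dvn-c`), the sample messages, and the use of HMAC in place of real signatures are all constructed for illustration; the "required verifiers plus an optional threshold" policy is a modeling choice that generalizes the single-verifier setup described above. The point it shows is that with one required verifier, a single compromised attester is enough to deliver a message that was never sent on the source chain, whereas requiring two independent attestations rejects it.

```python
"""Simulated cross-chain message verification: single vs multi-verifier receive configs."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class CrossChainMessage:
    """A message an application on the source chain wants delivered on the destination."""
    src_chain: str
    dst_chain: str
    nonce: int
    payload: bytes

    def digest(self) -> bytes:
        header = f"{self.src_chain}|{self.dst_chain}|{self.nonce}|".encode()
        return hashlib.sha256(header + self.payload).digest()


class Verifier:
    """An independent attestation service (constructed stand-in for a DVN-style verifier).
    An honest verifier attests only messages it actually observed on the source chain;
    a compromised one attests whatever it is handed."""

    def __init__(self, name: str, source_log: Set[bytes]):
        self.name = name
        self.source_log = source_log          # digests genuinely emitted on the source chain
        self.compromised = False
        self._key = secrets.token_bytes(32)   # HMAC key stands in for a signing key

    def attest(self, msg: CrossChainMessage) -> Optional[bytes]:
        if not self.compromised and msg.digest() not in self.source_log:
            return None                       # honest verifier refuses to attest a forged message
        return hmac.new(self._key, msg.digest(), hashlib.sha256).digest()

    def verify(self, msg: CrossChainMessage, tag: bytes) -> bool:
        expected = hmac.new(self._key, msg.digest(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


@dataclass
class ReceiveConfig:
    """Destination-side policy: every 'required' verifier must attest, plus at least
    'optional_threshold' of the 'optional' verifiers."""
    required: List[str]
    optional: List[str] = field(default_factory=list)
    optional_threshold: int = 0


def deliver(msg: CrossChainMessage, attestations: Dict[str, bytes],
            cfg: ReceiveConfig, verifiers: Dict[str, Verifier]) -> bool:
    """Return True only if the attestations satisfy the receive configuration."""
    def valid(name: str) -> bool:
        tag = attestations.get(name)
        return tag is not None and verifiers[name].verify(msg, tag)

    if not all(valid(n) for n in cfg.required):
        return False
    optional_ok = sum(1 for n in cfg.optional if valid(n))
    return optional_ok >= cfg.optional_threshold


def run_scenario(cfg: ReceiveConfig, compromised: Set[str]) -> Tuple[bool, bool]:
    """Return (legitimate_delivered, forged_delivered) under the given config."""
    source_log: Set[bytes] = set()
    verifiers = {n: Verifier(n, source_log) for n in ("dvn-a", "dvn-b", "dvn-c")}
    for n in compromised:
        verifiers[n].compromised = True

    # Constructed sample messages: one really sent on the source chain, one never sent.
    legit = CrossChainMessage("chain-x", "chain-y", 1, b"credit alice 100")
    source_log.add(legit.digest())
    forged = CrossChainMessage("chain-x", "chain-y", 2, b"credit mallory 1000000")

    def collect(m: CrossChainMessage) -> Dict[str, bytes]:
        return {n: t for n, v in verifiers.items() if (t := v.attest(m)) is not None}

    return (deliver(legit, collect(legit), cfg, verifiers),
            deliver(forged, collect(forged), cfg, verifiers))


if __name__ == "__main__":
    single = ReceiveConfig(required=["dvn-a"])
    dual = ReceiveConfig(required=["dvn-a", "dvn-b"])
    print("single verifier, dvn-a compromised:", run_scenario(single, {"dvn-a"}))
    print("two required verifiers, dvn-a compromised:", run_scenario(dual, {"dvn-a"}))
```

The honest verifier's refusal to attest anything absent from `source_log` is what the security of the scheme rests on, so the configuration question is simply how many verifiers an attacker must subvert before that refusal stops mattering; with one required verifier, the answer is one.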
LayerZero said “preliminary indicators” point to TraderTraitor, a subgroup tied to North Korea’s state-backed Lazarus Group. Blockchain investigator Tanuki42 reported that funds taken in the Kelp DAO incident have commingled with wallets linked to previous TraderTraitor operations, including flows related to the $1.4 billion Bybit hack in February 2025.
The Kelp DAO breach, together with an April Fools’ Day exploit on decentralized exchange Drift that totaled $285 million, brings suspected North Korea-linked crypto thefts to at least $578 million in April. These two attacks are the largest heists attributed to DPRK actors since Bybit.
Tactics and recruitment
Security researchers and the United Nations have documented DPRK-linked operatives posing as IT developers to secure remote jobs at tech firms, a method that generates revenue for Pyongyang’s programs. In March, the U.S. Treasury sanctioned six individuals and two entities for alleged roles in North Korean IT worker fraud schemes. The FBI issued guidance recommending employers verify candidates’ professional histories and require in-person meetings.
The Drift breach shows DPRK tactics evolving: attackers reportedly approached contributors in person at a major crypto conference in November while posing as a quant trading firm, then continued to build trust before the exploit. Smaller-scale attacks persist as well—crypto wallet provider Zerion said DPRK-linked actors used AI-assisted social engineering to steal about $100,000 in a separate incident.
North Korea rarely acknowledges such accusations; in 2020 its foreign ministry denied involvement in cyberattacks and accused the United States of trying to tarnish its image.
Retail scams and broader spillover
The FBI’s Internet Crime Complaint Center (IC3) reported a 21% increase in crypto-related complaints in its 2025 annual report. Cryptocurrency cases accounted for 181,565 complaints, resulting in $11.37 billion in losses—more than half of reported losses across sectors. Older Americans aged 60 and above filed the most crypto complaints; investment scams were the largest category, with 61,559 complaints total and 13,685 from people 60 and older.
DPRK-linked operations also overlap with retail fraud and freelancer platforms. Telefónica cyberthreat analyst Heiner García encountered a suspected North Korean operative who tried to use him as a proxy to bypass VPN restrictions on freelancing sites, a tactic that relies on installing remote access software (e.g., AnyDesk) on the proxy's machine so that the operative's activity appears to originate locally. In August 2024, the U.S. Department of Justice arrested Matthew Isaac Knoot for running a “laptop farm” that enabled DPRK IT workers to pose as U.S.-based employees using stolen identities. In July 2025, Christina Chapman was sentenced to more than eight years for helping North Korean IT workers earn over $17 million.
Freezing stolen funds and the decentralization debate
A notable response to the Kelp DAO hack was the Arbitrum Security Council’s decision to freeze 30,766 ETH linked to the exploit. That action reignited debates about intervention versus noninterference in crypto. Some industry participants and security experts welcomed the freeze as likely preventing further losses; others criticized interventions that conflict with decentralization ideals.
Ledger CTO Charles Guillemet called the outcome “probably” good but uncomfortable, noting the freeze made explicit an authority built into governance structures. The Arbitrum council didn’t exploit a bug; it exercised designed override powers, highlighting that assets on current rollups can still be affected by governance decisions under certain conditions.
The Kelp DAO incident also underscores a shift in attacker focus from smart contract bugs alone to weaknesses in supporting infrastructure and configuration. North Korea-linked groups have become well-resourced and persistent adversaries capable of probing systems across multiple fronts, leaving the industry divided between accepting intervention to mitigate losses and accepting irreversible thefts in the name of principled decentralization.
