A string of large April heists tied to North Korea-linked actors has exposed shifting attacker tactics and reignited debates over intervention in decentralized systems.
Kelp DAO lost roughly $292 million in a Saturday exploit, surpassing the earlier Drift incident as the largest crypto theft of the year so far. Investigators and cross-chain infrastructure provider LayerZero say the breach stemmed from a misconfiguration in LayerZero’s messaging setup: Kelp DAO used a single verifier to approve cross-chain messages, a weakness attackers exploited.
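The configuration weakness described above, the single verifier, is easiest to see as a quorum problem: whatever verifiers a cross-chain application configures, a destination chain accepts a message as soon as that set attests to it, so one compromised or faulty verifier is enough when the set has size one. The following Python model is an added example and is not LayerZero's API or Kelp DAO's code; the `Message`, `Verifier`, `VerificationConfig`, `lint_config` and `is_verified` names, the HMAC keys standing in for signing keys, and the sample messages are all constructed for this illustration. It runs a forged message (one that never appeared on the source chain) through a single-verifier policy and a 2-of-3 policy, and includes the kind of configuration lint a team can run before deployment.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    """A cross-chain message as seen by the destination chain (constructed model)."""
    src_chain: str
    dst_chain: str
    nonce: int
    payload: bytes

    def digest(self) -> bytes:
        header = f"{self.src_chain}|{self.dst_chain}|{self.nonce}|".encode()
        return hashlib.sha256(header + self.payload).digest()


@dataclass
class Verifier:
    """An independent verifier. The HMAC key stands in for its signing key."""
    name: str
    key: bytes
    compromised: bool = False

    def attest(self, msg, source_log):
        # An honest verifier only attests to messages it actually observed on the
        # source chain; a compromised one attests to whatever it is asked to.
        if not self.compromised and msg.digest() not in source_log:
            return None
        return hmac.new(self.key, msg.digest(), "sha256").digest()


@dataclass
class VerificationConfig:
    required: list            # every verifier here must attest
    optional: list            # at least optional_threshold of these must attest
    optional_threshold: int = 0


def lint_config(cfg):
    """Flag configuration weaknesses a pre-deployment check should catch."""
    findings = []
    names = [v.name for v in cfg.required + cfg.optional]
    if not names:
        findings.append("no verifiers configured: nothing can ever be verified")
    elif len(names) == 1:
        findings.append("single verifier: one compromised or faulty verifier can forge any message")
    if len(set(names)) != len(names):
        findings.append("duplicate verifier listed: the quorum is weaker than it looks")
    if cfg.optional and cfg.optional_threshold == 0:
        findings.append("optional verifiers configured but threshold is 0: they add nothing")
    if cfg.optional_threshold > len(cfg.optional):
        findings.append("optional threshold exceeds optional verifier count: nothing can verify")
    return findings


def is_verified(cfg, msg, attestations):
    """Accept msg only if all required and enough optional verifiers attested to it."""
    def valid(v):
        # In a real deployment this is a signature check against the verifier's
        # public key; the symmetric HMAC here is a stand-in for the model.
        sig = attestations.get(v.name)
        expected = hmac.new(v.key, msg.digest(), "sha256").digest()
        return sig is not None and hmac.compare_digest(sig, expected)

    if not all(valid(v) for v in cfg.required):
        return False
    return sum(valid(v) for v in cfg.optional) >= cfg.optional_threshold


def demo():
    """Compare a single-verifier policy with a 2-of-3 quorum on a forged message."""
    a = Verifier("dvn-a", b"constructed-key-a", compromised=True)
    b = Verifier("dvn-b", b"constructed-key-b")
    c = Verifier("dvn-c", b"constructed-key-c")

    genuine = Message("chain-A", "chain-B", 1, b"unlock:10")
    forged = Message("chain-A", "chain-B", 2, b"unlock:1000000")
    source_log = {genuine.digest()}   # only the genuine message exists on the source chain

    single = VerificationConfig(required=[a], optional=[])
    quorum = VerificationConfig(required=[], optional=[a, b, c], optional_threshold=2)

    def collect(cfg, msg):
        out = {}
        for v in cfg.required + cfg.optional:
            sig = v.attest(msg, source_log)
            if sig is not None:
                out[v.name] = sig
        return out

    return {
        "single_accepts_forged": is_verified(single, forged, collect(single, forged)),
        "quorum_accepts_forged": is_verified(quorum, forged, collect(quorum, forged)),
        "quorum_accepts_genuine": is_verified(quorum, genuine, collect(quorum, genuine)),
        "single_findings": lint_config(single),
        "quorum_findings": lint_config(quorum),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the single-verifier policy the forged message is accepted because the one configured verifier is the compromised one; under the 2-of-3 policy it is rejected because the two honest verifiers never saw it on the source chain, while the genuine message still passes. The lint flags the single-verifier setup before any message is ever sent, which is the cheap check that a cross-chain configuration review should include alongside the usual contract audit.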
LayerZero’s “preliminary indicators” point to TraderTraitor, a subgroup associated with North Korea’s state-backed Lazarus Group. Blockchain investigator Tanuki42 reported that funds from the Kelp DAO theft commingled with wallets linked to prior TraderTraitor activity, including flows connected to the $1.4 billion Bybit breach in February 2025. Combined with a $285 million exploit of the decentralized exchange Drift on April Fools’ Day, suspected DPRK-linked crypto thefts for April total at least $578 million—two of the largest heists attributed to DPRK actors since Bybit.
Evolving tactics and recruitment
Security researchers and U.N. investigators have documented DPRK-linked operatives posing as IT developers to secure remote work at technology firms, generating revenue for Pyongyang. In March, the U.S. Treasury sanctioned six individuals and two entities for alleged roles in North Korean IT worker fraud schemes, and the FBI has urged employers to verify candidates’ histories and require in-person meetings.
The Drift case suggests tactics are evolving beyond remote recruitment. Attackers reportedly met contributors in person at a major crypto conference in November while posing as a quantitative trading firm, slowly building credibility before carrying out the exploit. Smaller-scale incidents continue: wallet provider Zerion said DPRK-linked actors used AI-assisted social engineering to drain about $100,000 in a separate theft.
North Korea rarely admits involvement in cyber operations; its foreign ministry denied such accusations in 2020 and accused the United States of maligning its reputation.
Retail scams and spillover effects
Crypto fraud is also rising in the consumer realm. The FBI’s Internet Crime Complaint Center (IC3) reported a 21% increase in crypto-related complaints in its 2025 annual report: 181,565 complaints and $11.37 billion in losses, accounting for over half of reported losses across all sectors. Older Americans filed the most crypto complaints, and investment scams were the largest category.
DPRK-linked campaigns overlap with retail fraud and freelancer platforms. Telefónica analyst Heiner García encountered a suspected operative attempting to use him as a proxy to bypass VPN checks on freelancing sites—a technique that can involve installing remote-access software to make activity appear local. U.S. enforcement actions have targeted supporting infrastructure: in August 2024, Matthew Isaac Knoot was arrested for running a “laptop farm” that helped DPRK IT workers pose as U.S.-based employees; in July 2025, Christina Chapman was sentenced to more than eight years for assisting North Korean IT workers in earning over $17 million.
Freezes, governance and the decentralization debate
In response to the Kelp DAO breach, the Arbitrum Security Council froze 30,766 ETH tied to the exploit. The freeze prevented further movement of those funds but reopened tensions between pragmatic intervention and principled noninterference. Some security experts welcomed the action as a loss-mitigation move; others criticized it as contrary to decentralization ideals.
Ledger CTO Charles Guillemet called the outcome “probably” good but uncomfortable, noting the freeze highlighted an authority already built into governance structures. The Arbitrum council did not exploit a bug but exercised intended override powers, demonstrating that assets on some rollups remain subject to governance decisions.
What this means for the industry
The Kelp DAO incident underscores a broader shift: attackers increasingly target infrastructure and configuration weaknesses rather than relying solely on smart contract bugs. DPRK-linked groups appear well-resourced and persistent, probing systems across multiple fronts—from supply-chain and staffing fraud to social engineering and protocol-level interventions.
The industry is divided. Some accept governance intervention as a practical way to limit losses and recover stolen assets. Others argue such interventions undermine decentralization and set uncomfortable precedents. Either way, these incidents illustrate that defending crypto ecosystems now requires not only smart contract audits but stronger operational security, cross-chain configuration checks, and vigilance against social engineering and recruitment fraud.