North Korea-Linked Hackers Stole $500M+ in Crypto in April

North Korea-linked hackers reportedly stole more than $500 million in cryptocurrency during April 2026, a figure based on a string of major exploits that hit decentralized finance protocols within days of each other.

KEY TAKEAWAYS

  • Reported total: More than $500 million in crypto stolen across multiple incidents in April 2026
  • Attribution: Blockchain investigators linked the attacks to North Korea-backed hacking groups based on on-chain forensics
  • Why it matters: The scale of losses intensifies pressure on DeFi protocols to strengthen security and on regulators to tighten anti-money-laundering rules

How the Reported April Crypto Theft Exceeded $500 Million

The bulk of the reported losses traces back to two large incidents. Blockchain analytics firm Elliptic identified a $286 million exploit of Drift Protocol as a suspected DPRK-linked attack. Separately, security researchers attributed a roughly $290 million breach of KelpDAO to the same group of state-backed actors, according to SecurityWeek reporting.

Drift Protocol confirmed the incident on X, acknowledging the breach and initiating recovery efforts. KelpDAO published its own incident statement through LayerZero, detailing the attack vector and response timeline.

Combined, the two exploits alone reportedly exceeded $570 million in stolen funds. The scale of April's losses stands out even in a year that has already seen billions drained from crypto protocols, a pattern consistent with what earlier reporting described as a shift in attacker strategy from targeting code vulnerabilities to compromising access keys.

Why the Attacks Are Being Linked to North Korea

Attribution in both cases relies on blockchain tracing and wallet movement patterns that Elliptic and other investigators linked to clusters previously associated with North Korea-backed hacking groups. These groups, often referred to under umbrella labels like Lazarus Group, have been tied to billions in cumulative crypto theft over recent years.

The U.S. Treasury Department has previously sanctioned wallets and entities connected to North Korean cyber operations, as documented in its press releases on DPRK-related sanctions. The April incidents reportedly follow similar laundering patterns observed in those earlier cases.

Attribution remains a reported assessment rather than a confirmed conclusion. Investigators base their claims on on-chain forensics and behavioral fingerprints, but definitive state-level attribution typically requires corroboration from intelligence agencies.

What the Theft Means for Crypto Security and Market Confidence

The April theft spree highlights persistent vulnerabilities across DeFi infrastructure. A separate incident flagged by Google involved an npm supply chain attack targeting the Axios library, underscoring that threats extend beyond smart contract exploits into developer tooling.

For protocols and exchanges, the immediate pressure falls on improving key management, monitoring for suspicious wallet interactions, and cooperating with blockchain analytics firms to freeze stolen assets before they are laundered. Regulators already engaged in compliance disputes with major exchanges are likely to use incidents of this scale to push for stricter anti-money-laundering requirements in decentralized finance.

The fallout also raises questions about how stolen funds move after an exploit. Laundering routes increasingly involve cross-chain bridges and privacy protocols, and even legitimate infrastructure providers such as stablecoin payment networks face scrutiny over whether their systems can be exploited in the process.

Users holding funds in DeFi protocols face a reminder that smart contract risk and infrastructure-level attacks remain material threats regardless of market conditions. Platforms that fail to demonstrate robust security practices risk losing both user trust and regulatory standing.
