- North Korea has been behind nearly every major crypto hack that traders remember, with the KelpDAO and LayerZero-linked exploit now added to that list.
- The latest attack drained about $290 million to $292 million, placing it near the top of the modern crypto hack list.
- Analysts said the attackers did not break core cryptography but instead exploited infrastructure and verification design.
North Korea-linked hackers are once again at the center of the crypto security debate after the KelpDAO exploit pushed another major DeFi breach onto the list of the industry’s biggest thefts.
On X, Stacy Muur wrote that North Korea has been behind almost every major crypto hack the market remembers, listing Bybit at $1.5 billion, Ronin at $620 million, DMM Bitcoin at $308 million, WazirX at $235 million, and several other incidents tied to Lazarus, APT38, TraderTraitor, or affiliated units.
Her key point was direct: Kelp / LZ now ranks number four on that list. Reports tied the KelpDAO exploit to roughly $290 million to $292 million, placing it just behind the largest known DPRK-linked crypto thefts and ahead of many of the sector’s best-known breaches.
Analyst Shows a Repeating Pattern
The list posted by Stacy Muur does more than recap old cases. It shows a consistent pattern across multiple years, platforms, and attack styles. Bybit, Ronin, DMM Bitcoin, WazirX, Atomic Wallet, Harmony, Alphapo, Radiant, Upbit, and Stake all appear in the same broader narrative: state-linked North Korean actors repeatedly targeting crypto infrastructure at scale.
That is why the KelpDAO incident matters beyond the amount stolen. It is not an isolated event. It fits into a long-running campaign that keeps evolving while remaining concentrated on high-value crypto targets.
The timing has also raised alarm. A separate update circulating on X said more than $500 million was siphoned through the Drift and Kelp vulnerabilities in just over two weeks, reinforcing the idea that DeFi has entered another period of concentrated stress.
KelpDAO Shows the Playbook Is Changing
A previous report said the attackers compromised some of the infrastructure used to verify cross-chain transactions, fed false data into the system, and used fraudulent transactions to release funds.
That lines up with the earlier view that the breach was not a simple cryptographic break. Instead, it targeted operational assumptions, validator trust, and weak system configuration. Yesterday’s report also quoted David Schwartz saying the exploit took advantage of KelpDAO’s “laziness,” pointing to its weaker verification setup.
Tech-focused reporting added that the attackers took control of servers involved in transaction verification, while other commentary stressed that the exploit exposed structural weaknesses in DeFi infrastructure rather than flaws in basic blockchain math.
DeFi Faces a Broader Security Warning
Latest reports described April as DeFi’s worst month after the $292 million breach, while another post said the market now treats another $100 million-plus hack this year as virtually certain.
This means the discussion is no longer only about one protocol’s loss. It is about whether DeFi’s infrastructure has become the next primary battlefield for state-backed cyber operations.
North Korea’s crypto theft playbook now appears broader, more technical, and more infrastructure-focused than before. Stacy Muur’s list shows the history. KelpDAO shows the new direction.
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.