North Korea's Lazarus Group siphons $575 million in 18 days! Kelp and Drift compromised in succession, DeFi infrastructure layer becomes the new hunting ground
動區 BlockTempo · 2026-04-22 01:57:10

North Korea's Lazarus Group breached Drift and Kelp in succession within 18 days, siphoning over $575 million in total. A deep-dive analysis by CoinDesk points out that these are not isolated incidents but a systematic campaign targeting DeFi infrastructure, one that exposes the fatal gap between the rhetoric of decentralization and the actual architecture. This article is compiled by BlockTempo from CoinDesk.

(Previous coverage: North Korean hackers set a record in 2025: $2.02 billion in cryptocurrency stolen, money laundering cycle approximately 45 days)

(Background: North Korean government uses hackers to steal nearly NT$43 billion in cryptocurrency from exchanges: used to fund weapons of mass destruction)

Chainalysis data shows that North Korea stole $2.02 billion in crypto assets in 2025, bringing the cumulative total to over $6.75 billion. It is estimated that since 2017, approximately $3 billion has flowed into nuclear weapons programs and sanctions evasion channels.

In the two latest incidents, the Lazarus-affiliated TraderTraitor group struck again in less than three weeks: it breached Drift on April 1 (social engineering to compromise governance signers) and Kelp on April 18 (poisoning LayerZero cross-chain infrastructure). CoinDesk reported that this 18-day plunder cost the entire crypto ecosystem over $575 million.

Blockchain security firms initially viewed the two incidents as independent hacks, but CoinDesk's analysis suggests this is better understood as a "persistent campaign" driven by the financial needs of a sanctioned state. The Lazarus playbook is escalating, evolving from its past targeting of exchanges and single-point phishing attacks to systematically locking onto the structural weaknesses of crypto infrastructure.

Kelp is a restaking protocol that connects to the LayerZero cross-chain infrastructure.
The technical path of this attack, as described by CoinDesk, is as follows: the attacker first compromised two LayerZero DVN (Decentralized Verifier Network) RPC nodes, then launched a DoS flood attack on the clean nodes, forcing the system to fail over to the already-poisoned backup nodes. In other words, the attacker did not break the cryptography but manipulated the data fed into the system, so that, without detecting anything, the system approved cross-chain transfers that had never actually occurred. Ultimately, approximately 116,500 rsETH (about 18% of the circulating supply, with a market value of about $292 million) were stolen.

Alexander Urbelis, Chief Information Security Officer at ENS Labs, was blunt about this: "A signature guarantees the author, not the truth. A signed lie is still a lie." He pointed out that the system design only verifies who a message comes from, not whether the message itself is correct; this is not a clever new hacking technique but an issue with "how the system is built."

David Schwed, COO of blockchain security firm SVRN, also emphasized that the essence of this attack is not a technical breakthrough: "This attack is not about breaking cryptography; it is about exploiting how the system is built." He warned that if operators identify a security risk in a configuration, they should not offer it as a shipping option to users, adding, "Relying on everyone to read the documentation and do it right is simply unrealistic."

Urbelis added that this is not a series of random events but a rhythmic operation: "This is not a series of events; it is a rhythm. You cannot handle procurement schedules by just applying patches."

For the DeFi ecosystem, the Kelp case is particularly alarming. The incident did not introduce any new weaknesses; it demonstrated once again how exposed the entire ecosystem is to known vulnerabilities, especially when security is treated as a "suggestion" rather than a "mandatory requirement."
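The design point in Urbelis's remark, that verifying who signed a message says nothing about whether the message is true, can be made concrete with a small model. The following Python is an added illustration, not LayerZero's, Kelp's or CoinDesk's code, and it simplifies heavily: HMAC stands in for the verifiers' real signature scheme, a dictionary stands in for the source chain's ledger, and the verifier names, keys and amounts are constructed. It contrasts a destination that trusts a single verifier at a time (falling back to a backup when the primary is unreachable) with one that requires independent attestations from a quorum of distinct verifiers. In the first design, an offline primary plus one compromised backup is enough to get a fabricated transfer accepted; in the second, the same compromised verifier cannot reach the threshold on its own.

```python
"""Toy model of cross-chain message verification (constructed example).

Compares a single verifier with fail-over against an M-of-N quorum of
independent verifiers. Not LayerZero's or Kelp's actual protocol.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed source-chain ledger: the only transfer that really happened.
SOURCE_LEDGER: Dict[str, dict] = {"msg-001": {"to": "0xalice", "amount_rseth": 10}}


def digest(msg: dict) -> bytes:
    """Canonical hash of a cross-chain message."""
    return hashlib.sha256(json.dumps(msg, sort_keys=True).encode()).digest()


@dataclass
class Verifier:
    name: str
    key: bytes            # hypothetical signing key; HMAC stands in for a real signature
    honest: bool = True   # a dishonest (compromised) verifier will attest to anything
    online: bool = True   # an offline verifier (e.g. under a DoS flood) attests to nothing

    def attest(self, msg_id: str, msg: dict) -> Optional[bytes]:
        """Return a signature over msg, or None if this verifier will not attest."""
        if not self.online:
            return None
        if self.honest and SOURCE_LEDGER.get(msg_id) != msg:
            return None   # honest verifiers only sign what they see on the source chain
        return hmac.new(self.key, digest(msg), "sha256").digest()


def verify(verifier: Verifier, msg: dict, sig: bytes) -> bool:
    """Signature check: proves WHO signed the message, not whether it is true."""
    expected = hmac.new(verifier.key, digest(msg), "sha256").digest()
    return hmac.compare_digest(expected, sig)


def accept_single_with_failover(primary: Verifier, backup: Verifier,
                                msg_id: str, msg: dict) -> bool:
    """Weak design: trust one verifier; if it is unreachable, trust the backup instead."""
    for v in (primary, backup):
        sig = v.attest(msg_id, msg)
        if sig is not None:
            return verify(v, msg, sig)
    return False


def accept_quorum(verifiers: List[Verifier], threshold: int,
                  msg_id: str, msg: dict) -> bool:
    """Stronger design: require valid attestations from at least `threshold` distinct verifiers."""
    good = 0
    for v in verifiers:
        sig = v.attest(msg_id, msg)
        if sig is not None and verify(v, msg, sig):
            good += 1
    return good >= threshold


def scenario() -> Dict[str, bool]:
    """Replay the failure mode: primary knocked offline, backup compromised."""
    forged = {"to": "0xattacker", "amount_rseth": 116_500}   # never occurred on the source chain
    primary = Verifier("primary", b"key-1", online=False)   # unreachable
    backup = Verifier("backup", b"key-2", honest=False)     # compromised, signs anything
    independent = [primary, backup,
                   Verifier("v3", b"key-3"), Verifier("v4", b"key-4"), Verifier("v5", b"key-5")]
    return {
        "failover_accepts_forgery": accept_single_with_failover(primary, backup, "msg-999", forged),
        "quorum_accepts_forgery": accept_quorum(independent, 3, "msg-999", forged),
        "quorum_accepts_real": accept_quorum(independent, 3, "msg-001", SOURCE_LEDGER["msg-001"]),
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The interesting line is in `verify`: it is correct cryptography, and it is still not enough, because it answers only "did this configured verifier sign this?" The quorum version does not make any single verifier more trustworthy; it makes the destination's acceptance rule depend on several verifiers that an attacker would have to compromise independently, and it removes the fail-over path where losing the honest node silently widens trust to a node that was never independently checked.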
The impact of the Kelp incident did not stop at a single protocol. Aave, a lending platform that accepts rsETH as collateral, bore the brunt of the impact, facing pressure from bad debt exposure, with $8.45 billion in deposits flowing out within 48 hours. The overall DeFi Total Value Locked (TVL) plummeted from $995 billion to $863 billion, evaporating over $13 billion in two days. Schwed used "IOU chain" to describe the systemic fragility of cross-chain DeFi: "These assets are a string of IOUs. A chain is only as strong as the control of each link." When one link breaks, the entire chain is affected. He also questioned DeFi's self-positioning of "decentralization": "A single verifier does not count as decentralization; that is a centralized decentralized verifier." CoinDesk's analysis points out that early crypto hackers were accustomed to targeting exchanges or obvious code flaws; in recent years, Lazarus has shifted significantly toward the "sewer