North Korea’s crypto heist playbook is expanding and DeFi keeps getting hit
More than $500 million was siphoned across the Drift and Kelp exploits in just over two weeks. What once looked like isolated breaches now resembles a sustained campaign, likely driven by the financial needs of a sanctioned state.
North Korea’s crypto heist playbook is expanding and DeFi keeps getting hit
More than $500 million was siphoned across the Drift and Kelp exploits in just over two weeks. What once looked like isolated breaches now resembles a sustained campaign, likely driven by the financial needs of a sanctioned state.
The Kelp exploit shows North Korea’s Lazarus Group is evolving beyond isolated hacks, rapidly shifting tactics from social engineering to exploiting structural weaknesses in crypto infrastructure, suggesting a sustained, state-driven campaign rather than one-off incidents.
The attack did not break cryptography but exploited known design choices and weak configurations, exposing how gaps between “decentralization” in theory and real-world implementation continue to create systemic risk across DeFi.
“This is not a series of incidents; it is a cadence,” said Alexander Urbelis, chief information security officer and general counsel at ENS Labs. “You cannot patch your way out of a procurement schedule.”
More than $500 million was siphoned across the Drift and Kelp exploits in just over two weeks.
How Kelp was breached
At its core, the Kelp exploit did not involve breaking encryption or cracking keys. The system actually worked the way it was designed to. Rather, attackers manipulated the data feeding into the system and forced it to rely on those compromised inputs, causing it to approve transactions that never actually occurred.
“The security failure is simple: a signed lie is still a lie,” Urbelis said. “Signatures guarantee authorship; they do not guarantee truth.”
In simpler terms, the system checked who sent the message, not whether the message itself was correct. For security experts, that makes this less about a clever new hack and more about exploiting how the system was set up.
“This attack wasn’t about breaking cryptography,” said David Schwed, COO of blockchain security firm SVRN. “It was about exploiting how the system was set up.”
“If you’ve identified a configuration as unsafe, don’t ship it as an option,” Schwed said. “Security that depends on everyone reading the docs and getting it right is not realistic.”
The fallout has not stayed limited to Kelp. Like many DeFi systems, its assets are used across multiple platforms, meaning problems can spread.
“These assets are a chain of IOUs,” Schwed said. “And the chain is only as strong as the controls on each link.”
When one link breaks, others are affected. In this case, lending platforms like Aave that accepted the impacted assets as collateral are now dealing with losses, turning a single exploit into a wider stress event.
Decentralization marketing
The attack also exposes a gap between how decentralization is marketed and how it actually works.
“A single verifier is not decentralized,” Schwed said. “It’s a centralized decentralized verifier.”
Urbelis puts it more broadly.
“Decentralization is not a property a system has. It is a series of choices,” he said. “And the stack is only as strong as its most centralized layer.”
In practice, that means even systems that appear decentralized can have weak points, especially in the less visible layers like data providers or infrastructure. Those are increasingly where attackers are focusing.
That shift may explain Lazarus’ recent targeting.
The group has begun zeroing in on cross-chain and restaking infrastructure, Urbelis said, the parts of crypto that move assets between systems or allow them to be reused.
These layers are critical but complex, often sitting underneath more visible applications. They also tend to hold large amounts of value, making them attractive targets.
If earlier waves of crypto hacks focused on exchanges or obvious code flaws, recent activity suggests a move toward what could be called the industry’s plumbing, the systems that connect everything together, but are harder to monitor and easier to misconfigure.
As Lazarus continues to adapt, the biggest risk may not be unknown vulnerabilities, but known ones that are not fully addressed.
The Kelp exploit did not introduce a new kind of weakness. It showed how exposed the ecosystem remains to familiar ones, especially when security is treated as a recommendation rather than a requirement.
And as attackers move faster, that gap is becoming both easier to exploit and far more expensive to ignore.
Aave published a report outlining two possible outcomes: around $123 million in losses if damage is shared across all rsETH, or up to $230 million if confined to Layer 2s, with the final impact depending on how Kelp DAO allocates the shortfall.
What to know:
Aave’s incident report found that the rsETH exploit created unbacked collateral used to borrow roughly $190 million, leaving the protocol exposed to potential bad debt despite its systems functioning as designed.
The report outlines two possible outcomes, around $123 million in losses if damage is shared across all rsETH, or…
