Drift and Kelp Exploits: $500 Million Siphoned in State-Sponsored Campaign
More than $500 million in cryptocurrency was siphoned from decentralized finance platforms in two separate exploits over a span of just over two weeks in April 2026, marking one of the largest sustained cyber theft campaigns attributed to state-linked actors in the history of digital assets.
The incidents, dubbed the Drift and Kelp exploits by blockchain security researchers, occurred on April 8 and April 19, 2026, respectively, and targeted vulnerabilities in cross-chain bridge protocols and liquidity pools within the Ethereum and Solana ecosystems. Together, the thefts represent a coordinated escalation in the frequency and scale of attacks originating from infrastructure linked to North Korea’s Lazarus Group, according to multiple cybersecurity firms tracking the activity.
Chainalysis, in a threat intelligence update released on April 20, 2026, confirmed that the Drift exploit resulted in the loss of approximately $220 million in various digital assets, including USDC, wETH, and staked SOL, after attackers exploited a flaw in the protocol’s validator approval mechanism. The Kelp exploit, which occurred eleven days later, drained over $280 million from a liquidity aggregator on the Solana network through a series of flash loan attacks that manipulated oracle prices to mint and drain value from synthetic asset vaults.
Both incidents followed a similar pattern: initial compromise via social engineering of developer accounts, followed by the deployment of malicious smart contracts that bypassed multi-signature controls and routed funds through a series of mixers and cross-chain swaps before final consolidation in wallets associated with known Lazarus Group clusters. Elliptic’s blockchain analysis, published alongside Chainalysis’ report, traced over 80% of the stolen funds to addresses previously linked to North Korea’s Reconnaissance General Bureau, the state entity overseeing the country’s cyber operations.
The scale and timing of the attacks suggest a shift from opportunistic hacking to a sustained fundraising campaign, likely driven by the need to circumvent international sanctions that have severely restricted North Korea’s access to traditional financial systems. Since 2022, UN sanctions have limited the country’s ability to export coal, textiles, and seafood, while freezing overseas assets and banning luxury goods imports. In response, Pyongyang has increasingly turned to cybercrime, particularly cryptocurrency theft, to generate hard currency for its weapons programs and regime survival.
According to a 2025 report by the United Nations Panel of Experts on North Korea, cyber operations generated an estimated $1.2 billion for the regime between 2020 and 2023, with over half derived from cryptocurrency-related thefts and laundering. The 2026 incidents alone account for nearly 42% of that total in under a month, indicating a significant acceleration in operational tempo.
Decentralized finance platforms have become frequent targets due to their open-source nature, complex smart contract interactions, and often inadequate security audits. Unlike centralized exchanges, which can freeze accounts or reverse transactions under regulatory pressure, DeFi protocols lack central authority, making recovery of stolen funds nearly impossible. In both the Drift and Kelp cases, the affected platforms issued public statements acknowledging the breaches but confirmed that no user funds could be recovered due to the immutable nature of blockchain transactions.
In response, several blockchain security firms, including Immunefi and CertiK, have urged DeFi projects to implement stricter access controls, multi-layered validation for contract upgrades, and real-time anomaly detection systems. Some protocols have begun adopting threshold signatures and time-locked governance mechanisms to reduce the risk of unilateral exploitation, though adoption remains uneven across the sector.
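As an added illustration (not code from the article or from the affected projects) of the real-time anomaly detection recommended above, the following Python replays a constructed event stream matching the flash-loan and oracle-manipulation pattern described for the Kelp exploit and flags a mint that lands in the same transaction as a flash loan and an outsized oracle move; the event schema, transaction hashes, amounts and the 20% threshold are all assumptions.

```python
"""Added example, not from the article: detect mints executed within a
flash loan after an abnormal same-block oracle price move. Every event,
hash, amount and threshold below is constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Event:
    block: int
    tx: str
    kind: str            # flash_borrow | oracle_update | mint | flash_repay
    amount: float = 0.0  # token amount for borrow / mint / repay
    price: float = 0.0   # new oracle price for oracle_update


# Constructed sample stream (hypothetical hashes), in chronological order.
EVENTS = [
    Event(100, "0xaaa1", "oracle_update", price=1.00),
    Event(101, "0xbbb2", "mint", amount=50_000),          # ordinary mint
    Event(102, "0xccc3", "flash_borrow", amount=5_000_000),
    Event(102, "0xccc3", "oracle_update", price=3.40),     # +240% in one tx
    Event(102, "0xccc3", "mint", amount=12_000_000),       # mint at fake price
    Event(102, "0xccc3", "flash_repay", amount=5_000_000),
    Event(103, "0xddd4", "oracle_update", price=1.02),     # price reverts
]

MAX_PRICE_MOVE = 0.20  # assumed: >20% move vs previous block is abnormal


def detect_oracle_manipulation(events, max_move=MAX_PRICE_MOVE):
    """Return [(tx, reason)] for mints that follow a flash loan and an
    oracle move of more than max_move relative to the price at the end
    of the previous block. Price drift across blocks and mints without
    a flash loan in the same tx are not flagged."""
    alerts = []
    ref_price = None            # oracle price at end of previous block
    cur_block, cur_price = None, None
    tx_state = {}               # tx -> {"flash": bool, "manip": bool}
    for ev in events:
        if ev.block != cur_block:           # new block: commit last price
            if cur_price is not None:
                ref_price = cur_price
            cur_block = ev.block
        st = tx_state.setdefault(ev.tx, {"flash": False, "manip": False})
        if ev.kind == "flash_borrow":
            st["flash"] = True
        elif ev.kind == "oracle_update":
            cur_price = ev.price
            if ref_price and abs(ev.price - ref_price) / ref_price > max_move:
                st["manip"] = True
        elif ev.kind == "mint" and st["flash"] and st["manip"]:
            alerts.append((ev.tx, f"mint of {ev.amount:,.0f} inside flash "
                                  f"loan after >{max_move:.0%} oracle move"))
    return alerts
```

In a live deployment the same rule would consume decoded contract events from a node or indexer and feed a pause or rate-limit control rather than a list.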
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has previously sanctioned multiple cryptocurrency mixers and wallets tied to Lazarus Group, including Blender.io and Sinbad.io, in efforts to disrupt the laundering pipeline. However, attackers have adapted by using newer, non-sanctioned services and chain-hopping techniques that obscure transaction trails across multiple blockchains.
As of April 20, 2026, neither the Drift nor the Kelp platform has announced plans to reimburse users, and legal recourse remains limited due to the jurisdictional challenges of pursuing state-sponsored cybercriminals operating beyond extradition treaties. Industry observers warn that without coordinated international action to sanction enabling infrastructure and improve baseline security in DeFi, similar campaigns are likely to continue, posing a systemic risk to the broader digital asset economy.
