North Korea-linked groups, AI drive $1B+ in DeFi thefts

North Korea-linked actors and AI reconnaissance helped steal over $1 billion from DeFi protocols Jan–May 2026. April losses topped $600M, including $292M from KelpDAO and $285M from Drift.

DeFi protocols lost more than $1 billion to hacks from January through May 2026, with April accounting for over $600 million in thefts. The largest single incidents were a $292 million drain from KelpDAO and a $285 million breach at Drift.

Security firm data shows actors linked to North Korea were responsible for about 76% of global crypto hack losses through April 2026, up from roughly 64% in 2025 and under 10% in 2020. Analysts attribute the shift to increasingly sophisticated operations that combine technical tools with extended social-engineering campaigns.

Postmortem reports say the KelpDAO compromise began in early March, when a developer was socially engineered and session keys were captured; the drain itself was executed on April 18. Investigators attribute the attack to the DPRK-linked actor tracked as TraderTraitor or UNC4899, which used the harvested access to move approximately 116,500 rsETH out of a cross-chain bridge.

Drift Protocol reported that its $285 million loss followed a six-month intelligence operation. The protocol said the operation involved fabricated professional identities, in-person meetings and malicious developer tools used to compromise contributors before the drain.

On-chain security specialists have identified recurring technical failure modes behind several major incidents. Privileged access control breakdowns, malicious proxy contract upgrades that replace implementations with backdoored versions, and gaps in cross-chain message verification have appeared across multiple large losses. Raz Niv, co-founder and CTO at Blockaid, pointed to those three patterns as common vectors.

Security researchers say AI tools are accelerating exploit discovery. Current models can run large-scale reconnaissance and quickly flag known vulnerability patterns, allowing human operators to focus on exploitation and social engineering. A senior investigator at a blockchain security firm reported an increase in attacks against older and unverified contracts, consistent with automated scanning finding previously overlooked weak points.

The KelpDAO breach prompted about $6.2 billion in withdrawals from a major lending protocol before a coordinated relief effort led by Aave founder Stani Kulechov raised 132,650 ETH, roughly $303 million, to cover bad debt. Other recent victims include TrustedVolumes, Echo Protocol, Step Finance, Truebit, Resolv Labs, Volo Protocol, Rhea Finance and the Verus-Ethereum bridge. THORChain paused trading in May after researchers flagged a suspected cross-chain exploit affecting more than $10 million.

Industry responses include increased public-private coordination, faster incident postmortems and deployment of AI-assisted monitoring and simulation. Investigators recommend defenders tighten privileged access controls, secure off-chain developer tools and adopt automated detection to match the speed of current reconnaissance methods.
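As an added example (not code from the article, Blockaid, or any protocol named above), the following Python monitor shows one automated check for the proxy-upgrade vector described earlier and the kind of detection recommended here: it decodes EIP-1967 `Upgraded(address)` events from a constructed log stream and alerts when a watched proxy's new implementation is not on a reviewed allow-list or the upgrade was not issued by the expected admin. The proxy, implementation and admin addresses, the allow-list, and the `caller` field (which a real pipeline would recover from the transaction trace) are all assumptions.

```python
"""Flag proxy implementation swaps that do not match what the protocol reviewed.

Added example, not code from the article or any protocol it names. It assumes the
EIP-1967 Upgraded(address) event, a constructed list of log entries, and a
hypothetical allow-list of reviewed implementation addresses.
"""
from dataclasses import dataclass

# keccak256("Upgraded(address)"): topic0 of the EIP-1967 upgrade event.
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"


@dataclass(frozen=True)
class Log:
    block: int
    address: str   # contract that emitted the log (the proxy)
    topics: tuple  # topic0 = event signature, topic1 = indexed new implementation
    caller: str    # msg.sender of the upgrade call; hypothetical field a real
                   # pipeline would fill from the transaction trace


def topic_to_address(topic: str) -> str:
    """An indexed address is ABI-encoded left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()


def check_upgrades(logs, proxies):
    """proxies maps proxy address -> {"admin": expected upgrader,
    "reviewed": set of implementation addresses that passed review}.
    Returns one alert per suspicious Upgraded event on a watched proxy."""
    alerts = []
    for log in logs:
        proxy = log.address.lower()
        if proxy not in proxies:
            continue                      # not a contract we monitor
        if len(log.topics) < 2 or log.topics[0].lower() != UPGRADED_TOPIC:
            continue                      # some other event from the proxy
        new_impl = topic_to_address(log.topics[1])
        cfg = proxies[proxy]
        reasons = []
        if new_impl not in {a.lower() for a in cfg["reviewed"]}:
            reasons.append("implementation not in reviewed set")
        if log.caller.lower() != cfg["admin"].lower():
            reasons.append("upgrade not sent by expected admin")
        if reasons:
            alerts.append({"block": log.block, "proxy": proxy,
                           "impl": new_impl, "reasons": reasons})
    return alerts


# Constructed sample: fake addresses and logs, not real on-chain data.
PROXY = "0x" + "aa" * 20
TIMELOCK = "0x" + "01" * 20       # expected admin of the proxy
IMPL_V1 = "0x" + "b1" * 20
IMPL_V2 = "0x" + "b2" * 20
IMPL_BACKDOOR = "0x" + "ba" * 20  # never reviewed
ATTACKER = "0x" + "ee" * 20


def pad_address(addr: str) -> str:
    """Encode an address the way it appears as an indexed event topic."""
    return "0x" + "00" * 12 + addr[2:]


SAMPLE_LOGS = [
    # legitimate upgrade: reviewed implementation, issued by the timelock
    Log(100, PROXY, (UPGRADED_TOPIC, pad_address(IMPL_V2)), TIMELOCK),
    # hostile upgrade: unreviewed implementation, issued from an unexpected account
    Log(250, PROXY, (UPGRADED_TOPIC, pad_address(IMPL_BACKDOOR)), ATTACKER),
    # same event on a proxy we do not watch: ignored
    Log(251, "0x" + "cc" * 20, (UPGRADED_TOPIC, pad_address(IMPL_BACKDOOR)), ATTACKER),
]
WATCHED = {PROXY: {"admin": TIMELOCK, "reviewed": {IMPL_V1, IMPL_V2}}}


def run_sample():
    return check_upgrades(SAMPLE_LOGS, WATCHED)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In a live deployment the log stream comes from the node's event subscription and the reviewed set is updated only after an audit of the new implementation's bytecode; the point of the second rule is that an upgrade issued directly by a hot admin key, rather than through the timelock or multisig the protocol expects, is itself a signal even when the target implementation looks familiar.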

Reports and incident updates cite both technical vulnerabilities in protocol architecture and prolonged off-chain compromise campaigns as factors in the losses, and detailed reviews of cross-chain messaging and upgrade mechanisms are continuing.

The material on GNcrypto is intended solely for informational use and must not be regarded as financial advice. We make every effort to keep the content accurate and current, but we cannot warrant its precision, completeness, or reliability. GNcrypto does not take responsibility for any mistakes, omissions, or financial losses resulting from reliance on this information. Any actions you take based on this content are done at your own risk. Always conduct independent research and seek guidance from a qualified specialist. For further details, please review our Terms, Privacy Policy and Disclaimers.
