TraderTraitor Linked to $578M in April DeFi Hacks

Investigators linked TraderTraitor, a subgroup of North Korea’s Lazarus Group, to $578 million in April DeFi thefts after a $292 million Kelp DAO exploit.

Investigators and blockchain analysts linked TraderTraitor, a subgroup of North Korea’s state-backed Lazarus Group, to $578 million in decentralized finance thefts that occurred in April, following a $292 million exploit of Kelp DAO.

Kelp DAO disclosed that the breach occurred on Saturday and traced it to a failure in cross-chain messaging managed by LayerZero. LayerZero attributed the exploit to Kelp DAO’s use of a single verifier to approve cross-chain messages and said preliminary indicators point to TraderTraitor. Blockchain investigator Tanuki42 reported wallet links between the Kelp DAO theft and prior incidents tied to the same actors.

The Kelp DAO loss followed an April 1 attack on the decentralized exchange Drift that removed about $285 million. Combined, the two incidents total at least $578 million in stolen funds. Tanuki42 reported that some funds from Kelp DAO have been mixed with wallets connected to a $1.4 billion Bybit exploit from February 2025.

Responders moved to limit further losses after the Kelp DAO attack. The Arbitrum Security Council froze 30,766 ETH tied to the incident. Ledger chief technology officer Charles Guillemet described the freeze as probably the right outcome while noting discomfort over using governance authority to block assets. USDC issuer Circle faced criticism for not acting after the Drift exploit.

Security researchers noted the Kelp DAO attack did not rely on a new smart-contract bug but exploited weak configurations and supporting infrastructure in cross-chain systems. At Drift, attackers had reportedly approached contributors in person at a crypto conference posing as staff from a quant trading firm and continued building trust before breaching the platform.

Targets have included companies and individual users. Firms documented cases where operatives secured remote IT jobs using falsified identities to gain access and commit fraud. Crypto wallet provider Zerion reported that North Korea-linked actors used AI-assisted social engineering to steal about $100,000 in a separate incident. In March 2025, the U.S. Treasury sanctioned six people and two entities for roles in IT worker fraud, and the FBI advised employers to verify candidates’ histories and require in-person meetings when feasible.

Law enforcement has prosecuted facilitators connected to these schemes. In August 2024, a suspect was arrested on charges of running a laptop farm that let foreign workers appear as U.S.-based hires using stolen identities. In July 2025, a defendant received a prison sentence for helping North Korean IT workers earn more than $17 million through fraud.

The FBI’s Internet Crime Complaint Center reported a 21 percent increase in crypto-related complaints in 2025, with 181,565 complaints and $11.37 billion in losses. Older investors filed the largest share of crypto-related investment complaints.

LayerZero, Kelp DAO and other parties are continuing investigations while communities and responders track stolen funds and recovery efforts.
