North Korea Infiltrated Ethereum And Stole Millions!

TL;DR

North Korea's Lazarus Group stole $577 million in 18 days by embedding operatives as trusted developers inside DeFi protocols, exploiting human trust rather than code.

Key Points

• 1.The Ketman Project uncovered ~100 North Korean IT workers inside 53 crypto companies. The Ethereum Foundation's six-month investigation found operatives reporting to work, writing code, attending standups, and accumulating signing authority — not hacking from outside.
• 2.The Drift Protocol hack stole $285 million in 12 minutes on April 1, 2026. Lazarus Group operatives posed as a quant trading firm for months, deposited $1M of real capital, then socially engineered two multi-sig signers into pre-authorizing durable nonce transactions that drained the vault.
• 3.Kelp DAO lost $292 million just 17 days later via an entirely different vector. Attackers replaced software binaries on two LayerZero RPC nodes, DDoS'd the honest nodes, then submitted a forged cross-chain message releasing 116,500 rsETH without any corresponding burn on the source chain.
• 4.Zach XBT independently found 390 DPRK-linked developer accounts earning ~$1 million per month. Chain analysis confirmed these IT workers provide insider access that elite Lazarus hackers then convert into nine-figure drains, making the 100 identified operatives likely a fraction of the true total.
• 5.North Korean crypto theft funds an estimated 45% of the regime's ballistic missile program. The UN Panel of Experts directly linked these DeFi drains to weapons development, while laundering runs through Tornado Cash, Circle's CCTP, Aave, Compound, and THORChain.
• 6.The Arbitrum Security Council froze ~$71M of stolen ETH, exposing crypto's core contradiction. Every proposed fix — mandatory KYC, multi-jurisdictional signers, time locks — closes the North Korean attack surface but simultaneously dismantles the permissionless, pseudonymous ethos that defines DeFi.