What happened in the Drift and Kelp DeFi hacks?

North Korea-linked hackers stole over $500 million from the Drift trading platform and the Kelp restaking protocol within just over two weeks. The attacks are now seen as part of a coordinated campaign rather than isolated incidents. This marks one of the largest recent exploit streaks in DeFi.

Why are North Korea-linked hackers targeting DeFi platforms?

The attacks appear financially motivated, likely tied to funding needs under international sanctions. Instead of targeting exchanges, hackers are now focusing on DeFi infrastructure where large amounts of capital move across systems. This shift makes attacks harder to detect and potentially more scalable.

How was the Kelp protocol exploit different from typical crypto hacks?

The Kelp exploit did not break encryption or steal private keys but instead manipulated trusted data inputs. The system verified who sent the message but not whether the data was accurate. This highlights a structural weakness rather than a technical bug.

What is a “single verifier” and why did it matter in the Kelp exploit?

A single verifier is one entity responsible for approving cross-chain transactions. Kelp relied on this setup, which removed redundancy and made it easier for attackers to compromise the system. Using multiple verifiers would have added an extra security layer, similar to multi-signature approvals.

Why does this DeFi attack matter for retail crypto investors?

This incident shows that even “secure” DeFi systems can fail due to design choices, not just coding errors. Investors using protocols like lending platforms or restaking services may face indirect exposure to these risks. Losses can spread across multiple platforms due to interconnected assets.

How could this impact DeFi token prices in the short term?

This type of exploit typically increases fear and uncertainty, which can pressure DeFi token prices in the short term. Tokens linked to affected ecosystems or similar infrastructure may see sell-offs. However, the impact varies depending on how quickly projects respond and restore confidence.

What are the main risks in DeFi highlighted by this attack?

The key risk is systemic design weakness, especially in cross-chain and restaking infrastructure. Even if smart contracts are secure, poor configuration (like single verifiers) can create critical vulnerabilities. Interconnected protocols also mean one failure can cascade across the ecosystem.

What are the bull and bear cases for DeFi after this news?

Bull case: incidents like this could push the industry to adopt stronger security standards, improving long-term resilience. Bear case: repeated exploits may reduce user trust and slow capital inflows into DeFi. This is an opinion-based scenario and not guaranteed.

North Korea hackers escalate $500M DeFi attacks

Written by Heidi Cuthbert Published Apr. 21 2026Last Updated Apr. 25 2026

North Korea-linked hackers have escalated attacks on decentralised finance, siphoning more than $500 million from the Drift and Kelp exploits within just over two weeks.

What initially appeared to be isolated breaches now points to a coordinated and sustained campaign, with attackers increasingly targeting structural weaknesses in crypto infrastructure rather than relying solely on social engineering.

The Kelp exploit in particular highlights a strategic evolution in tactics, suggesting a state-driven effort to exploit systemic vulnerabilities embedded in cross-chain and restaking protocols.

“This is not a series of incidents; it is a cadence,”

Said ENS Labs chief information security officer and general counsel, Alexander Urbelis.

The breach did not involve breaking encryption but instead manipulated trusted data inputs, exposing how systems that verify message origin without validating truth can be exploited at scale.

“The security failure is simple: a signed lie is still a lie,”

Urbelis said, adding that signatures confirm authorship but not accuracy.

Security experts said Kelp’s reliance on a single verifier removed a critical safeguard, allowing attackers to approve fraudulent transactions and trigger cascading losses across interconnected platforms such as lending protocols.