In just under three weeks, cyber operatives linked to the Democratic People’s Republic of Korea (DPRK) have stolen more than $500 million from crypto DeFi platforms. This marks a drastic escalation in Pyongyang’s state-sponsored campaign to bankroll its weapons programs through cryptocurrency theft.

Drift and KelpDAO drive North Korea's over $500 million DeFi exploits

Notably, […]
The post North Korea hit crypto for $500M+ this month — and the $6.75 billion threat is not over yet appeared first on CryptoSlate.
LayerZero is facing heavy criticism for its response to the recent $290 million KelpDAO exploit after the omnichain interoperability protocol blamed Kelp’s 1-of-1 verifier configuration for the incident.

LayerZero Blames KelpDAO For $290M Exploit

Over the weekend, liquid restaking protocol KelpDAO was the victim of an attack that drained over $290 million in rsETH from the project after malicious actors exploited a weakness in the protocol’s LayerZero-powered bridge. Two days later, LayerZero addressed the incident, which became the largest DeFi hack of 2026, just weeks after Drift Protocol’s $285 million exploit shocked the industry.

LayerZero attributed the “highly sophisticated attack” to North Korea’s Lazarus Group, claiming that it was a crypto infrastructure attack rather than a protocol exploit, and affirming that “there is zero contagion to any other cross-chain assets or applications.” They explained that the protocol is built on a “foundation of modular, application-configurable security,” using Decentralized Verifier Networks (DVNs), independent entities responsible for verifying the integrity of cross-chain messages.

The malicious actors allegedly poisoned downstream RPC infrastructure by “compromising a quorum of the RPCs the LayerZero Labs DVN relied upon to verify transactions.” Per the post, the attackers swapped binaries for a custom payload to forge messages and used DDoS attacks to force failover to the poisoned nodes, triggering the DVN into confirming fake transactions.
Based on this, LayerZero placed responsibility on KelpDAO for using a 1-of-1 verifier configuration instead of the multi-DVN recommendations: “This incident was isolated entirely to KelpDAO’s rsETH configuration as a direct consequence of their single-DVN setup.”

Crypto Community Criticizes ‘Lack Of Accountability’

The crypto community reacted to the post-mortem, sharing its concerns about LayerZero’s response and criticizing the protocol for placing all responsibility only on Kelp’s security setup. “Imagine building a bridge and vehicles pays to cross, the bridge collapsed and you said it’s their fault for crossing the bridge. A classic clownery act from Bunch of clowns with zero accountability,” X user Saint wrote.

Others questioned why LayerZero included a “1-of-1” configuration if the purpose of a DVN is customizable/modular security. “If the system allows this option, it’s not the fault of the customer who chose it—it’s a fundamental design flaw by the system that permitted it,” user Ditto wrote. “At the end of the day, the fact remains that the DVN RPC was compromised. DVN is a LayerZero product, and they are the ones who sold it to these teams,” he continued.

Similarly, Chainlink community manager Zach Rynes accused the protocol of deflecting responsibility for the compromise of their own DVN node. He also criticized them for “throwing KelpDAO under the bus” for trusting LayerZero Labs’ setup that they “willingly support and only blocked after getting hacked, all while claiming everything worked as designed.”

Meanwhile, Yearn Finance core team developer Artem K noted on X that the attack was described as a compromise of an RPC node and RPC poisoning, but that their own infrastructure is what was compromised. “Given it doesn’t say how the breach has occurred, I wouldn’t rush re-enabling the bridges,” he added.

Wrong Diagnosis, Wrong Fix?

Analyst The Smart Ape also claims that LayerZero made the wrong diagnosis and offered the wrong solution.
Notably, the protocol’s post-mortem suggested migrating all applications with 1-of-1 DVN configurations to multi-DVN setups to prevent similar attacks. However, the analyst pointed out that multi-verifiers won’t stop the next multi-million-dollar attack, asserting that they could fail, as all DVNs read chain states from the same handful of RPC providers, which are mostly clustered on AWS or GCP.

If five “independent” DVNs read from the same three RPC providers, an attacker who poisons those three RPCs will poison all five verifiers simultaneously. “If all your verifiers get fooled in the same way at the same time, the math collapses back to 1-of-1. Five clones are not five witnesses,” he added.

To solve this, the analyst suggested that every verifier run its own full node on different client software, hosted on different cloud providers, maintained by different ops teams, and peered with different subsets of the Ethereum network.

“The fix isn’t multi-anything. The fix is that verifiers should attest to their own substrate, not just to chain state. Until you can audit a DVN’s upstream topology, which RPC providers, which client software, which clouds, which regions, ‘M-of-N secured’ is marketing copy for a property that hasn’t actually been built. Lazarus didn’t break cryptography on April 18. They broke three servers,” he concluded.
Amidst yet another big hack attributed to North Korea-linked operatives, some crypto builders have confessed they are giving developers tests during interviews to make sure they are not North Korean agents.

The Fool-Proof “Kim Jong‑Un Test” For Crypto Developers

Once again, the Democratic People’s Republic of Korea (DPRK) is responsible for some action movie-sounding moves. Following the attribution of the April 1st $285 million attack on Drift Protocol to UNC4736, a North Korea–aligned, state‑sponsored hacking group, multiple crypto industry actors have taken to the social network X to share their fears and methods to combat what essentially are DPRK secret agents.

All details on the long‑term social engineering, fake professional personas, in‑person conference meetings and compromised tooling employed in the attack can be found in yesterday’s article on our sister website Bitcoinist.

Unbelievable and hilarious as it may sound, the most straightforward strategy some of these builders have found is asking candidates to explicitly insult Kim Jong-Un, North Korea’s regime head, during interviews.

Crypto Builders Share Proof

Yesterday, Tanuki42, an independent blockchain security investigator, shared an actual video of a “North Korean IT worker being stopped dead in their tracks upon being required to insult Kim Jong Un”. In the video, “Taro Aikuchi” wasn’t just unable to repeat after the interviewer that “Kim Jong-Un is a fat, ugly pig”: he was taken aback and visibly nervous.

Here is a video of a North Korean IT worker being stopped dead in their tracks upon being required to insult Kim Jong Un. It won’t work forever, but right now it’s genuinely an effective filter. I’m yet to come across one who can say it.
https://t.co/8FFVPxNm8X — tanuki42 (@tanuki42_) April 6, 2026

In a different video shared by the security investigator, “Taro” tells him amusingly that he “knows North Korea well”, but then experiences very convenient connection issues when he is asked to say “Fuck Kim Jong-Un”.

The clip I posted was actually round 2. Here’s round 1 – I tell Taro I’m a North Korea security researcher, he tells me he “knows North Korea well”. Mysterious connection issues when I say “Fuck Kim Jong Un”, which he apologises for on reconnecting. — tanuki42 (@tanuki42_) April 6, 2026

Later in the thread, Tanuki42 showed that the candidate changed his Telegram handle, wiped their chat and blocked him after the interview.

@taroaikuchi just changed his Telegram handle @cryptotrading2150->@cryptodegen202 – he’d already wiped our chat and blocked me — tanuki42 (@tanuki42_) April 6, 2026

His X account and LinkedIn page also disappeared.

Crypto investor and fund manager Jason Choi quoted Tanuki42’s thread to echo the message, claiming that a lot of crypto founders have shared with him that this test works.

Several founders in crypto have told me they ran this test and it genuinely worked https://t.co/DIZHoZDZ0l — Jason Choi (@mrjasonchoi) April 6, 2026

Crypto founder and RWA‑focused builder Parv replied to Choi saying that he has been using the tactic since 2024, after he found out he was interviewing a DPRK agent for an engineering position in 2022.
have been using this since 2024 and works like a charm https://t.co/nYWYIGxrAA — Parv (@Parv_EP) April 6, 2026

Simon Wijckmans, another cybersecurity founder and product leader, also replied to Choi, sharing a clip from one of his own interviews with a candidate, “William Nation”, who failed to say that Kim Jong-Un is a dictator after Wijckmans requested him to do it.

Yep — Simon (@SimonWijckmans) April 6, 2026

Some Crypto Builders Remain Sceptical

Despite the overwhelming evidence, the wackiness of the story still finds flabbergasted nonbelievers. On a different thread from a few days ago, Paolo Caversaccio, a Switzerland‑based engineer and entrepreneur focused on cryptography, privacy and security, shared one of his attempts to employ the same Kim Jong-Un insult tactic to make sure he is not working with North Korean spies.

going forward I will request from every external contributor to my repos a nice Kim Jong Un insult; it’s an easy but powerful way to prevent DPRK dev code (and some of them are really good) to be merged (they will never ever get the approval to do this). this guy passed it… — sudo rm -rf –no-preserve-root / (@pcaversaccio) April 4, 2026

He then entered an argument with long‑time Ethereum ecosystem developer and founder Micah Zoltu regarding the actual effectiveness of the technique. But Caversaccio’s argument was compelling: he has been dealing with DPRK IT workers for more than three years.

After dealing for more than 3 years with DPRK IT workers I can confidently claim this filter is very strong. We will probably release some DPRK interviews publicly at some and will link it here, they always fail with this question. You probably think my filter is some random… — sudo rm -rf –no-preserve-root / (@pcaversaccio) April 5, 2026

Market Implications

The real deal for traders right now isn’t guessing the next meme, but identifying which teams can defend against nation‑state attackers. For a while now, crypto has been entering a phase where geopolitics, state‑sponsored cyber ops, and HR compliance are as important as code audits. North Korean infiltration risk is now a structural factor for the industry.

Considering this, traders should remember that protocols with weak contributor vetting, opaque multisigs, or ad‑hoc governance present elevated tail‑risk that markets will increasingly price in. It is also advisable to look for projects that can prove stronger operational security, incident response and KYC for critical roles, as they may enjoy relatively stronger valuations and more sticky TVL.

At the moment of writing, BTC trades for around $68k on the daily chart. Source: BTCUSDT on Tradingview.
The US Treasury (OFAC) has sanctioned six individuals and two entities tied to the Democratic People’s Republic of Korea (DPRK) IT‑worker schemes that allegedly generated nearly $800 million in 2024.

US Vs. DPRK Over Crypto Fraud

Crypto is once again at the center of Washington’s latest sanctions push. In an official press release on March 12, the US Treasury announced that it has blacklisted a North Korean IT‑worker network accused of routing nearly $800 million through digital assets to fund weapons programs in 2024.

The Secretary of the Treasury Scott Bessent, quoted in the announcement, warned that “The North Korean regime targets American companies through deceptive schemes carried out by its overseas IT operatives, who weaponize sensitive data and extort businesses for substantial payments”.

How The North Korean Crypto Scheme Worked

According to the OFAC’s statement, these North Korean IT networks relied on front companies in Vietnam, Laos and Spain to move IT‑worker revenue into cryptocurrency, convert it, and route funds back to Pyongyang. As the statement claims:

DPRK-facilitated IT teams commonly rely on fraudulent documentation, stolen identities, and fabricated personas to conceal their true identities and gain employment with legitimate companies, including those in the United States and allied countries. The DPRK government reportedly appropriates the majority of the wages earned by these overseas IT workers, generating hundreds of millions of dollars to support the regime’s WMD and ballistic missile programs, in violation of U.S. and United Nations sanctions. In certain instances, DPRK-affiliated workers have also covertly introduced malware into company networks to extract proprietary and sensitive information.
Amongst the companies named by Washington are Amnokgang Technology Development Company, which manages overseas DPRK IT delegations and other illicit procurement, and a Vietnam‑based partner (Quangvietdnbg) whose CEO converted around $2.5 million into crypto for North Koreans between mid‑2023 and mid‑2025, with $800 million in 2024 alone. Other facilitators opened bank accounts, enabled crypto transactions, and laundered IT‑worker proceeds on behalf of North Korean procurement figures, like Kim Se Un.

The OFAC warns that both US and foreign financial institutions face secondary‑sanctions risk if they keep touching flows linked to the newly designated actors, which effectively isolates their remaining fiat and crypto on‑ramps.

What This Means For The Crypto Market

This is but the newest chapter in a long saga of North Korean cyber and IT operations repeatedly leaning on crypto, mixers and OTC brokers to launder billions in stolen or fraudulently earned funds, which regulators now say directly supports its weapons programs.

Even as Treasury has recently acknowledged that mixers and privacy tools can have legitimate uses, the new designations show that it is still ready to aggressively sanction any intermediaries that route significant illicit crypto flows for state actors like the DPRK.

Although episodes like this usually do not move Bitcoin’s price on their own, they do add to the regulatory overhang that can cap risk appetite around privacy coins, mixer‑adjacent protocols and lightly regulated offshore venues. For majors like BTC and ETH, stricter enforcement against DPRK‑linked networks tends to be framed as “cleaning up the rails,” which can support institutional adoption over time even if it generates headline risk in the near term.

The regulatory tail risk remains highest around privacy‑focused tools, offshore venues and tokens that depend on opaque liquidity paths.
At the same time, every DPRK‑linked enforcement wave nudges more volume toward KYC’d exchanges and transparent stablecoin and BTC pairs, which is where long‑term liquidity and institutional flows are likely to concentrate.

BTC’s price trends to the upside on the daily chart. Source: BTCUSD on Tradingview.
The Treasury Department said North Korea infiltrated IT workers into U.S. businesses and channeled their wages back to the country to fund weapons of mass destruction programs.
Russia, Iran and North Korea expanded their use of stablecoins, hacked funds and state-linked exchanges to move more than $100 billion onchain to evade international sanctions.
North Korea-linked hackers drove a record year for crypto thefts, favoring rare but massive attacks on centralized services, led by Bybit’s $1.4 billion breach.
The crypto industry’s most notorious hackers continue to break records, highlighting the importance of taking every step possible to secure wallets.
North Korean operatives were caught on camera, live, after security researchers lured them into a booby-trapped “developer laptop,” capturing how the Lazarus-linked crew tried to blend into a US crypto job pipeline using legitimate AI hiring tools and cloud services. The evolution in state-sponsored cybercrime was reportedly captured in real time by researchers at BCA […]
The post Secret footage from a rigged laptop exposes how North Korean spies are slipping past your security team appeared first on CryptoSlate.
On Thursday, South Korea's largest digital asset exchange, Upbit, suspended deposits and withdrawals after detecting unusual activity in the Solana network tokens.
World Liberty Financial (WLFI) said it is reallocating funds and confirming user identities after several wallets were compromised ahead of its platform launch.

According to WLFI’s post on X, the company froze the affected addresses in September and has been verifying ownership before moving assets back to users who pass the checks.

Wallet Breaches And Response

Reports have disclosed that the breaches came from either phishing attacks or exposed seed phrases, not from WLFI’s own platform or smart contracts, the company said. WLFI described the problem as linked to third-party security failures and said only a “small subset” of users were hit — though it did not give exact figures on how many accounts or how much crypto was involved.

1/ Prior to WLFI’s launch, a relatively small subset of user wallets were compromised via phishing attacks or exposed seed phrases. Since then, we’ve tested new smart contract logic to safely reallocate user funds and verified users’ identity via KYC checks. Shortly, users who… — WLFI (@worldlibertyfi) November 19, 2025

On-chain data cited by analyst Emmett Gallic of Arkham shows WLFI executed an emergency action that burned 166.67 million WLFI tokens, a move valued at $22.14 million from a compromised address, and then shifted tokens to a recovery address. That firewall step appears intended to limit further loss while the company sorts ownership questions.

World Liberty Fi executed an emergency function burning 166.667M $WLFI ($22.14M) from compromised address, reallocating to a recovery address. Function designed for two scenarios: An investor loses wallet access before vesting OR malicious account acquires WLFI via exploit — Emmett Gallic (@emmettgallic) November 19, 2025

Regulatory Spotlight Grows

The timing of the security disclosure has drawn extra attention.
Based on reports, Senators Elizabeth Warren and Jack Reed asked the DOJ and Treasury to review alleged WLFI token sales tied to sanctioned parties. Their letter referenced a watchdog report from Accountable.US that linked transactions to the Lazarus Group — a North Korea-linked actor on sanctions lists — and to an Iranian crypto exchange. It remains unclear whether the wallet compromises are related to the transactions lawmakers flagged.

Experts Question On-Chain Findings

Security researchers have pushed back on some of the watchdog’s claims. Taylor Moynahan of MetaMask and Nick Bax of Ump.eth said the Accountable.US analysis misread certain on-chain activity.

Another day in crypto with wild allegations. Today, it’s that a North Korea-linked address invested in WLFI. I do a some DPRK crypto research myself, so I decided to take a look at their findings. They’re bad and an innocent user is out $100k because of it — Nick Bax.eth (@bax1337) November 18, 2025

Bax argued that the report mistakenly connected a wallet tied to an individual known as “Shryder” with DPRK-linked activity, which led to the freezing of roughly $95,000 in WLFI tokens.

WLFI has responded by emphasizing user protection and compliance. The company said it prioritized freezing vulnerable wallets and verifying rightful owners before any transfers. It also announced tests of revised smart contract logic meant to reduce the chance of similar breaches in future rollouts.
U.S. authorities secured several criminal convictions and gathered another $15 million in proceeds from North Korean crypto heists, the Justice Department said.
The Treasury Department sanctioned eight individuals and two entities accused of using crypto and shell companies to funnel millions into Pyongyang’s weapons programs.
Mysten Labs’ chief cryptographer warns that artificial intelligence, not quantum computing, poses the real near-term threat to blockchain security.
North Korea’s crypto theft spree has already hit a record $2 billion in 2025, nearly triple last year’s total.
Japanese mining pool operator SBI Crypto has suffered a $21 million theft in a breach that investigators are linking to North Korea attackers. On Oct. 1, blockchain researcher ZachXBT identified unusual outflows from the firm involving Bitcoin, Ethereum, Litecoin, Dogecoin, and Bitcoin Cash. According to his findings, the funds moved quickly through five instant exchanges […]
The post Top Bitcoin mining pool SBI Crypto hacked, $21 million stolen appeared first on CryptoSlate.
SBI Crypto, a subsidiary of Japan’s SBI Group, has reportedly suffered a $21 million exploit with blockchain sleuths pointing to possible ties with North Korean hackers.
If the DeFi industry doesn’t adopt the security tools we've already built, then we will watch institutional capital deploy elsewhere while hackers fund their operations with our losses, writes Immunefi’s Mitchell Amador.
Learn how a North Korean group used 31 fake identities to infiltrate crypto firms and steal $680,000 from Favrr. Inside their tools, tactics and deception.
US Representative David Schweikert has introduced legislation granting the President authority to act against crypto criminals operating abroad. The bill, filed as House Resolution (H.R. 4988), invokes the rarely used concept of “letters of marque and reprisal,” which is a legal instrument dating back to maritime warfare. Historically, such letters authorized privateers to attack and […]
The post US proposes revival of 18th century law so Trump can deputize private citizens to fight crypto scammers appeared first on CryptoSlate.
The $44 million exploit targeting India-based crypto exchange CoinDCX has been linked to North Korea’s Lazarus Group, according to blockchain security firm Cyvers. In a July 21 statement shared with CryptoSlate, Cyvers CEO Deddy Lavid said the attackers followed a pattern reminiscent of previous Lazarus operations. The tactics included using cross-chain bridges and Tornado Cash […]
The post CoinDCX offers $11 million bounty after Lazarus Group-linked $44 million heist appeared first on CryptoSlate.
The U.S. Treasury Department added the employee of a North Korean hacking group to its blacklist over his role in getting IT workers jobs in other countries.
An on-chain investigation has revealed that North Korea IT workers posing as foreign developers have earned nearly $17 million from crypto startups and blockchain companies this year. The findings, revealed by prominent blockchain investigator ZachXBT, show that these individuals have successfully integrated into dozens of crypto projects by concealing their identities and locations. According to […]
The post North Korean IT workers earned $17M this year with some funds coming from Circle accounts appeared first on CryptoSlate.
North Korea-linked attacks have resulted in over $1.6 billion in losses, a TRM Labs report released Friday said.
The first half of 2025 exposed deep vulnerabilities in the crypto industry, with hackers stealing over $2.1 billion across 75 separate incidents. This marks a 10% increase from the previous H1 record of $2 billion in 2022 and nearly matches the full-year figure for 2024, which closed at $2.2 billion, according to a report from […]
The post Crypto heists reach $2.1B so far in 2025 as state-backed hackers ramp up attacks appeared first on CryptoSlate.
A DPRK-linked group is using fake job sites and Python malware to infiltrate Windows systems of blockchain professionals — with credential theft and remote access as the endgame.
North Korea’s hackers have reportedly stolen nearly $2 billion from centralized crypto exchanges over the past year. Blockchain security researcher Tay Monahan attributes a significant portion of those funds, around $1.8 billion, to a series of major hacks targeting centralized crypto trading platforms like Bybit, DMM Bitcoin, WazirX, Phemex, and BingX. Despite setbacks such as […]
The post North Korea’s hackers could have laundered as much as $1.5 billion in stolen crypto appeared first on CryptoSlate.
An ex-FBI agent who led landmark crypto investigations is joining TRM Labs’ team.
Kraken started 2025 on a high note, reporting a 19% increase in revenue year-over-year to $472 million for the first quarter. The May 1 earnings statement also highlighted a 1% quarter-over-quarter rise in adjusted EBITDA, reaching $187 million. Meanwhile, the company’s performance indicators showed similar momentum. The firm noted that its total trading volume rose […]
The post Kraken achieves revenue boost in Q1 2025 but faces North Korean hacking scare appeared first on CryptoSlate.
The US Treasury’s Financial Crimes Enforcement Network (FinCEN) has proposed banning Cambodia’s Huione Group from accessing the American financial system, according to a May 1 statement. If approved, the proposed rule would prohibit US financial institutions from opening or maintaining accounts for Huione Group or any of its subsidiaries. US authorities identified Huione Group as […]
The post US targets Huione Group in crackdown on $4 billion crypto laundering network appeared first on CryptoSlate.