Key Takeaways:
- Lazarus Group drained 116,500 rsETH from KelpDAO on April 18.
- The Arbitrum Security Council froze roughly 30,766 ETH worth $71M linked to the KelpDAO exploiter on April 20.
- Lazarus moved $175M to new Ethereum addresses after the Arbitrum freeze, with Arkham Intelligence actively tracking the wallets.
North Korea’s Hacking Syndicate Launders Millions in Stolen KelpDAO ETH Through THORChain and Umbra Cash
While the story may be different depending on which protocol dev you ask, reports say the attackers compromised two RPC nodes and deployed malware to feed false transaction data exclusively to LayerZero’s Decentralized Verifier Network (DVN) while keeping the feeds honest for all other observers. Reports have been released by KelpDAO, LayerZero, and LlamaRisk alongside Aave service providers.
The attackers then launched a distributed denial-of-service attack against the remaining clean nodes, forcing KelpDAO’s bridge to fail over to the compromised infrastructure. With the verification layer under their control, they forged a cross-chain message authorizing the withdrawal of roughly 116,500 rsETH, approximately 18% of KelpDAO’s total rsETH supply.
The KelpDAO theft is the second major attack attributed to Lazarus within three weeks. On April 1, approximately $285 million was taken from Drift Protocol in an operation investigators also linked to North Korea’s Lazarus. The two incidents together account for nearly $600 million in losses.
North Korean hackers reportedly stole approximately $2.02 billion in cryptocurrency across all of 2025, a 51% year-over-year increase that made it a record year for DPRK-linked theft. That figure, published by Chainalysis and South Korean media outlets, represented roughly 60% to 76% of all global service-level crypto thefts, despite the group executing 74% fewer individual incidents than in prior years. The cumulative lower-bound estimate through the end of 2025 reached approximately $6.75 billion.
The largest single theft in crypto history also belongs to Lazarus. In early 2025, the group stole approximately $1.5 billion from Bybit, a Dubai-based exchange, by compromising a software provider for Safe Wallet and manipulating developer environments to redirect a cold-to-hot wallet transfer. The FBI formally attributed that attack to North Korean Lazarus Group actors.
Before Bybit, significant attributed heists included roughly $620 million from the Ronin Network bridge in 2022, $308 million from DMM Bitcoin in 2024, and $234.9 million from Indian exchange WazirX in 2024. The DPRK-linked group has also targeted smaller platforms, individual wallets, and crypto-adjacent software supply chains.
Lazarus typically spends months in preparation before executing a theft. Attackers use fake recruiter outreach, GitHub-hosted malware, and spear-phishing to gain initial access. Once inside developer or validator environments, they harvest private keys, compromise hot wallets, or manipulate bridge infrastructure.
After exfiltrating funds, the group launders assets through chain-hopping, decentralized exchange (DEX) swaps, and dispersion across thousands of addresses. Some proceeds are allegedly routed through services such as Huione Pay before ultimately being converted into bitcoin or other assets that can support the DPRK regime.
The U.S. Department of Justice indicted North Korean national Park Jin Hyok in connection with earlier Lazarus operations. The Treasury Department’s Office of Foreign Assets Control has sanctioned dozens of addresses, and the FBI has issued public advisories with onchain identifiers for exchanges and validators to block.
Despite those measures, Lazarus has continued to adapt. The group’s infrastructure poisoning techniques, including the RPC node compromise used in the KelpDAO attack, reflect a shift toward targeting the plumbing beneath decentralized finance (DeFi) protocols rather than front-end interfaces or individual user credentials.
Crypto bridge security remains a central vulnerability. The Ronin, Harmony Horizon, and now KelpDAO breaches all involved manipulation of cross-chain verification systems. Security researchers have pointed to multi-signature requirements, independent RPC node auditing, and real-time behavioral monitoring as the most direct mitigations.
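The mitigation named above, independent RPC node auditing, comes down to one rule: a verifier must never accept chain state from a single endpoint, and must refuse rather than fail over when the honest endpoints stop answering. The following is an added example of that rule, not code from KelpDAO, LayerZero, or any of the reports cited here. It cross-checks a block hash across several RPC endpoints and only accepts it when a quorum agrees, flagging any dissenting endpoint for investigation. The endpoint names, block number, and hashes are constructed sample values; the two scenarios model the single poisoned node and the denial-of-service fail-over described in the article.

```python
"""Quorum cross-check of RPC block hashes (added example; not bridge or DVN code)."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample values, not real chain data.
HONEST_HASH = "0x" + "11" * 32
POISONED_HASH = "0x" + "ee" * 32
SAMPLE_BLOCK = 1000


@dataclass(frozen=True)
class BlockObservation:
    """What one RPC endpoint reported for a block (hypothetical endpoint labels)."""
    endpoint: str
    block_number: int
    block_hash: str


class VerificationError(Exception):
    """Raised when endpoints cannot agree; the caller must NOT fall back to one node."""


def verify_block(observations: list[Optional[BlockObservation]],
                 block_number: int, quorum: int) -> tuple[str, list[str]]:
    """Return (agreed_hash, dissenting_endpoints) or raise VerificationError.

    `None` entries stand for endpoints that did not answer (unreachable or
    under DoS). Those count against reachability, never toward the quorum.
    """
    reachable = [o for o in observations
                 if o is not None and o.block_number == block_number]
    if len(reachable) < quorum:
        raise VerificationError(
            f"only {len(reachable)} of {len(observations)} endpoints answered; "
            f"need {quorum}, refusing to fail over")
    tally = Counter(o.block_hash for o in reachable)
    agreed_hash, votes = tally.most_common(1)[0]
    if votes < quorum:
        raise VerificationError(f"no hash reached quorum {quorum}: {dict(tally)}")
    # Any endpoint disagreeing with the quorum hash is a candidate for poisoning.
    dissenters = sorted(o.endpoint for o in reachable if o.block_hash != agreed_hash)
    return agreed_hash, dissenters


def audit(observations: list[Optional[BlockObservation]],
          block_number: int, quorum: int) -> dict:
    """Wrap verify_block into a decision record suitable for logging/alerting."""
    try:
        agreed_hash, dissenters = verify_block(observations, block_number, quorum)
        return {"status": "accepted", "hash": agreed_hash, "dissenters": dissenters}
    except VerificationError as err:
        return {"status": "refused", "hash": None, "dissenters": [], "reason": str(err)}


# Scenario 1 (constructed): three honest endpoints and one feeding a forged hash.
SCENARIO_POISONED = [
    BlockObservation("rpc-a", SAMPLE_BLOCK, HONEST_HASH),
    BlockObservation("rpc-b", SAMPLE_BLOCK, HONEST_HASH),
    BlockObservation("rpc-c", SAMPLE_BLOCK, HONEST_HASH),
    BlockObservation("rpc-d", SAMPLE_BLOCK, POISONED_HASH),
]

# Scenario 2 (constructed): honest endpoints knocked offline, only the poisoned one answers.
SCENARIO_DDOS = [None, None, None,
                 BlockObservation("rpc-d", SAMPLE_BLOCK, POISONED_HASH)]


if __name__ == "__main__":
    for name, scenario in (("poisoned node", SCENARIO_POISONED), ("ddos fail-over", SCENARIO_DDOS)):
        print(name, "->", audit(scenario, SAMPLE_BLOCK, quorum=3))
```

With a quorum of three out of four, the poisoned scenario is accepted on the honest hash and `rpc-d` is reported as a dissenter, which is the signal a monitoring pipeline should alert on. The denial-of-service scenario is refused outright because only one endpoint answered; a bridge that instead fell back to whichever node was still reachable would be trusting exactly the node the attacker left standing.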
North Korea is estimated to derive a significant share of hard currency from these operations in an economy constrained by international sanctions, with some analyses placing crypto theft proceeds at roughly 13% of GDP. Stolen funds are believed to support the country’s nuclear and ballistic missile programs alongside other state functions.