Lazarus Group Behind $635M Crypto Theft in April 2026

In early April, security researchers flagged unusual outflows from the Drift Protocol’s liquidity pools. Investigators traced the activity to a series of transactions that exploited a flaw in the protocol’s smart‑contract validation logic. A second incident, affecting KelpDAO, emerged two weeks later and involved unauthorized token approvals that allowed rapid asset drainage.

The month recorded 29 distinct crypto security breaches, surpassing any previous monthly count. Combined losses exceeded $635 million, with the Drift and KelpDAO events responsible for the bulk of the amount. Attribution analysis linked roughly 95 % of these incidents to the Lazarus Group, North Korea’s state‑sponsored hacking unit.

The attacks demonstrate how threat actors combine traditional social engineering with automated scripts to move large sums quickly. Observed tactics included credential harvesting via phishing, followed by the execution of pre‑written drainer scripts that interacted with vulnerable contracts. These methods align with MITRE ATT&CK techniques T1566 (Phishing) and T1059 (Command‑and‑Scripting Interpreter). The financial proceeds are believed to support Pyongyang’s weapons programs, underscoring the national‑security dimension of crypto theft.