
Lazarus Group Behind Record $635M Crypto Theft in April 2026

April 2026 saw 29 crypto hacks stealing over $635M, with Lazarus Group behind most. Details on Drift Protocol, KelpDAO exploits, and mitigation steps.

Peter Olaleru/3 min/US

Cybersecurity Editor

April Crypto Hacks Top Record 20 Incidents — North Korea's Involvement Accounts for 76% of Losses


Source: Finance (original source)

TL;DR: In April 2026, 29 separate crypto hacks stole more than $635 million, and the Lazarus Group was tied to about 95% of the incidents. The largest losses came from exploits of the Drift Protocol and KelpDAO platforms.

Context

April 2026 saw the highest number of cryptocurrency breaches ever recorded in a single month, and total losses reached a new peak. Analysts linked the surge to increased activity by North Korean state-sponsored hackers, who have historically used cyber theft to fund regime programs. The attacks coincided with growing market anxiety over Ethereum's price outlook and heightened interest in advanced AI models for defensive use.

Key Facts

- Twenty-nine distinct hacks were reported, the most in a single month.
- Combined losses exceeded $635 million; the Drift Protocol exploit accounted for roughly $340 million and the KelpDAO exploit for about $200 million.
- Attribution analysis by blockchain forensic firms tied ~95% of the April incidents to the Lazarus Group.
- The Drift Protocol breach exploited a reentrancy flaw in its token-swap contract: a callback re-entered the contract before it had updated its balances, so the attacker could withdraw repeatedly against the same funds.
- The KelpDAO incident used a flash loan to distort the prices reported by the protocol's oracle, then drew assets out of lending pools at the manipulated valuation.
- Both attacks followed the same pattern: spear-phishing to obtain developer credentials, then deployment of malicious contract updates (MITRE ATT&CK T1195.002 Compromise Software Supply Chain, T1059.007 JavaScript).

What It Means

The scale of the theft underscores the vulnerability of decentralized finance protocols to sophisticated, state‑backed adversaries. For projects, it highlights the need for rigorous smart‑contract audits, continuous monitoring, and robust access controls. For the broader crypto market, the incident may depress confidence in Ethereum‑based assets and spur regulatory scrutiny of cross‑border cyber‑crime financing.

Mitigations

- Follow the official Drift Protocol and KelpDAO advisories and move to their remediated contract deployments; deployed contracts are generally replaced or upgraded through a proxy rather than patched in place, so integrators should verify the remediated addresses before resuming interaction.
- Deploy runtime monitoring that flags reentrant call patterns and anomalous flash-loan transactions in transaction traces and event logs. The ATT&CK T1059 techniques cited above describe host-side script execution, not on-chain calls, so endpoint tooling alone will not surface these.
- Enforce multi-signature approval, ideally behind a timelock, for contract upgrades, and keep signing keys in hardware security modules or hardware wallets rather than on developer machines.
- Implement network-level detection for known Lazarus Group infrastructure (IP ranges, domains) and share indicators via ISACs.
- Conduct regular phishing simulations and require phishing-resistant MFA (for example FIDO2 keys) for all developer and admin accounts, since both intrusions began with stolen developer credentials.
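The two on-chain patterns in the Key Facts (a reentrant callback and a flash-loan-driven oracle manipulation) are what the runtime-monitoring mitigation above has to recognise. The following is an added example, not code from the article, from Drift Protocol or from KelpDAO: two heuristic detectors run over a callTracer-style call tree and a list of decoded event logs. Every address, selector, event name and amount below is constructed for illustration, and the reference price stands in for an independent TWAP that a real deployment would fetch.

```python
"""Heuristic detectors for reentrant callbacks and flash-loan oracle abuse.

Added example, not code from the article or either protocol. Input shapes
mimic a callTracer call tree and decoded logs; all values are constructed."""
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str       # "reentrancy" or "flashloan_oracle"
    severity: str   # "info", "medium" or "high"
    detail: str


def find_reentrancy(call, ancestors=None, findings=None):
    """Walk a call tree and flag any frame whose target contract is still
    active higher up the stack, i.e. a callee called back into it before the
    outer call returned. Direct self-calls (from == to) are not reentrancy.
    Re-entry into the transaction's entry contract is reported as "info"
    because flash-loan and hook callbacks land there by design."""
    ancestors = ancestors or []
    findings = findings if findings is not None else []
    frame = (call["to"], call.get("selector", "?"))
    if call["from"] != call["to"]:
        for addr, sel in ancestors:
            if addr == call["to"]:
                how = "same-function" if sel == frame[1] else "cross-function"
                severity = "info" if addr == ancestors[0][0] else "high"
                path = " -> ".join(f"{a}.{s}" for a, s in ancestors + [frame])
                findings.append(Finding("reentrancy", severity,
                    f"{how} re-entry into {addr} at depth {len(ancestors)}: {path}"))
                break
    for sub in call.get("calls", []):
        find_reentrancy(sub, ancestors + [frame], findings)
    return findings


def find_flashloan_oracle_abuse(events, reference_price, max_deviation=0.10):
    """Flag a transaction that takes a flash loan, pushes a pool's spot price
    beyond max_deviation from an independent reference (a TWAP, for instance),
    and then borrows or withdraws from a lending pool while the price is skewed."""
    if not any(e["event"] == "FlashLoan" for e in events):
        return []
    findings, skewed = [], False
    for e in events:
        if e["event"] == "Swap":
            spot = e["reserve_quote"] / e["reserve_base"]   # post-swap spot price
            dev = abs(spot - reference_price) / reference_price
            if dev > max_deviation:
                skewed = True
                findings.append(Finding("flashloan_oracle", "medium",
                    f"spot {spot:,.0f} on {e['contract']} is {dev:.0%} off reference {reference_price:,.0f}"))
        elif e["event"] in ("Borrow", "Withdraw") and skewed:
            findings.append(Finding("flashloan_oracle", "high",
                f"{e['event']} of {e['amount']:,} from {e['contract']} while spot price is skewed"))
    return findings


# Constructed call tree: EOA -> exploit.run -> swap.withdraw -> exploit.receive
# -> swap.withdraw again, before the first withdraw updated its balances.
REENTRANT_TRACE = {
    "from": "0xattacker", "to": "0xexploit", "selector": "run()", "calls": [
        {"from": "0xexploit", "to": "0xswap", "selector": "withdraw(uint256)", "calls": [
            {"from": "0xswap", "to": "0xexploit", "selector": "receive()", "calls": [
                {"from": "0xexploit", "to": "0xswap", "selector": "withdraw(uint256)", "calls": []},
            ]},
        ]},
    ],
}

# Constructed benign tree: a swap that pays out through a token contract.
BENIGN_TRACE = {
    "from": "0xuser", "to": "0xswap", "selector": "swap(uint256)", "calls": [
        {"from": "0xswap", "to": "0xtoken", "selector": "transfer(address,uint256)", "calls": []},
    ],
}

REFERENCE_PRICE = 4_000.0  # constructed TWAP for the pool's base asset

# Constructed decoded logs, in emission order: borrow, skew the pool, borrow
# against the inflated price, restore the pool, repay the flash loan.
ORACLE_ATTACK_EVENTS = [
    {"contract": "0xlender", "event": "FlashLoan", "amount": 50_000_000},
    {"contract": "0xpool", "event": "Swap", "reserve_base": 400, "reserve_quote": 5_000_000},
    {"contract": "0xlending", "event": "Borrow", "amount": 9_000_000},
    {"contract": "0xpool", "event": "Swap", "reserve_base": 1_000, "reserve_quote": 4_000_000},
    {"contract": "0xlender", "event": "FlashLoanRepaid", "amount": 50_000_000},
]

# Constructed benign arbitrage: a flash loan that moves the price about 2%.
ARBITRAGE_EVENTS = [
    {"contract": "0xlender", "event": "FlashLoan", "amount": 2_000_000},
    {"contract": "0xpool", "event": "Swap", "reserve_base": 990, "reserve_quote": 4_040_000},
    {"contract": "0xlender", "event": "FlashLoanRepaid", "amount": 2_000_000},
]

if __name__ == "__main__":
    for f in find_reentrancy(REENTRANT_TRACE) + find_reentrancy(BENIGN_TRACE):
        print(f.kind, f.severity, f.detail)
    for f in (find_flashloan_oracle_abuse(ORACLE_ATTACK_EVENTS, REFERENCE_PRICE)
              + find_flashloan_oracle_abuse(ARBITRAGE_EVENTS, REFERENCE_PRICE)):
        print(f.kind, f.severity, f.detail)
```

Both detectors are alerting heuristics, not proofs of exploitation: legitimate callbacks re-enter contracts all the time, and a large price move inside a flash loan can be honest arbitrage, which is why the oracle rule only escalates to "high" when a Borrow or Withdraw follows the skew in the same transaction. In production the reference price must come from a source the attacker cannot move within one block (a TWAP or an off-chain oracle), and the thresholds should be tuned per pool.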

Watch for upcoming guidance from the U.S. Treasury’s Office of Foreign Assets Control on sanctions evasion tactics and any SEC statements regarding DeFi oversight, as these could shape future defensive priorities.
