April 21, 2026 ChainGPT

North Korea-linked Lazarus Escalates: $500M DeFi Heists Exploit Cross-Chain Flaw

North Korea-linked hackers keep broadening their crypto playbook — and DeFi is paying the price. In the space of a little over two weeks, attackers tied to North Korea (widely linked to the Lazarus Group) siphoned more than $500 million in a pair of high-profile hits: a social-engineering attack on trading firm Drift, followed by a clever exploit of Kelp, a restaking protocol built on LayerZero’s cross-chain infrastructure. Taken together, security experts say, the incidents look less like isolated hacks and more like an organized, escalating campaign.

What made the Kelp attack notable wasn’t brute-force cryptography or stolen private keys. Instead, attackers manipulated the data inputs that the protocol trusted. Because Kelp’s cross-chain messaging relied on a single verifier to approve messages, the system accepted forged inputs as legitimate and executed transactions that never actually occurred.

As Alexander Urbelis, CISO and general counsel at ENS Labs, put it: “A signed lie is still a lie. Signatures guarantee authorship; they do not guarantee truth.” David Schwed, COO of blockchain security firm SVRN, echoed the point: “This attack wasn’t about breaking cryptography. It was about exploiting how the system was set up.”

The core vulnerability was a configuration choice — a single verifier for cross-chain messages — which favored speed and simplicity but removed a crucial safety layer. In the aftermath, LayerZero recommended using multiple independent verifiers (akin to requiring multiple signatures on a bank transfer). Critics argue, however, that LayerZero’s default offering included a single verifier, leaving projects exposed unless they proactively changed the configuration. “If you’ve identified a configuration as unsafe, don’t ship it as an option,” Schwed said. “Security that depends on everyone reading the docs and getting it right is not realistic.”

The consequences rippled beyond Kelp.
In DeFi, assets move and are reused across many protocols; when an underlying token becomes compromised, platforms that accepted that asset as collateral — lending services such as Aave among them — can face losses. “These assets are a chain of IOUs,” Schwed said. “And the chain is only as strong as the controls on each link.”

Experts see a pattern: attackers are increasingly targeting the crypto “plumbing” — cross-chain bridges, restaking systems, oracles, and other infrastructure layers that sit under more visible applications. These components are complex, hold concentrated value, and are often harder to monitor, making them lucrative targets for the Lazarus Group and similar actors.

Urbelis warned that decentralization isn’t an automatic safety net: “Decentralization is not a property a system has. It is a series of choices. And the stack is only as strong as its most centralized layer.” Schwed added bluntly, “A single verifier is not decentralized. It’s a centralized decentralized verifier.”

The broader takeaway for the industry: many recent exploits aren’t novel technical breakthroughs — they’re exploiting known weaknesses, misconfigurations, and assumptions built into systems. As attackers evolve to exploit the less-visible layers of crypto infrastructure, treating security as optional or merely recommended is no longer viable. Projects need to bake in safer default configurations, require multi-party validation where appropriate, and assume that the most dangerous attacks will target the weakest link in the stack.

The Drift and Kelp incidents make one thing clear: this is not a string of random incidents — it’s a cadence. And unless both protocol designers and infrastructure providers treat secure defaults as mandatory, the next exploit could be even costlier.
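The single-verifier configuration described above, and the multi-verifier fix LayerZero recommended, modeled as an added Python example (not code from the article, Kelp or LayerZero). Verifier names, keys and message ids are constructed and an HMAC stands in for a real signature scheme; what it shows is that a forged message carries a perfectly valid signature from the one verifier that lies, and is still rejected once several independent verifiers must all attest.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data: message ids the source chain really emitted.
SOURCE_CHAIN_EMITTED = {"msg-deposit-0001", "msg-deposit-0002"}
# A forged message id that was never emitted on the source chain.
FORGED = "msg-withdraw-9999"
@dataclass
class Verifier:
    name: str
    key: bytes              # hypothetical signing key; HMAC stands in for a real signature
    compromised: bool = False

    def attest(self, msg_id):
        """Honest verifiers sign only what they saw on the source chain;
        a compromised one signs whatever it is handed (a signed lie)."""
        if not self.compromised and msg_id not in SOURCE_CHAIN_EMITTED:
            return None
        return hmac.new(self.key, msg_id.encode(), hashlib.sha256).hexdigest()

def signature_valid(v, msg_id, sig):
    """Authorship check only: proves v signed msg_id, not that msg_id is true."""
    expected = hmac.new(v.key, msg_id.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)

def destination_accepts(msg_id, attestations, required, threshold):
    """Destination-chain rule: execute only if at least `threshold` of the
    configured verifiers produced a valid signature over msg_id."""
    valid = sum(1 for v in required if v.name in attestations
                and signature_valid(v, msg_id, attestations[v.name]))
    return valid >= threshold

def collect(verifiers, msg_id):
    """Gather whatever attestations the verifiers are willing to produce."""
    return {v.name: s for v in verifiers if (s := v.attest(msg_id)) is not None}

ALPHA = Verifier("alpha", b"key-alpha", compromised=True)  # the one that lies
BETA = Verifier("beta", b"key-beta")
GAMMA = Verifier("gamma", b"key-gamma")

def single_verifier_accepts(msg_id):
    """Weak default: one verifier, threshold 1."""
    return destination_accepts(msg_id, collect([ALPHA], msg_id), [ALPHA], 1)

def quorum_accepts(msg_id):
    """Hardened config: three independent verifiers must all attest."""
    vs = [ALPHA, BETA, GAMMA]
    return destination_accepts(msg_id, collect(vs, msg_id), vs, len(vs))
```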