North Korea Stole $577 Million From Crypto Bridges in April. The Exit Door Is Still Open.
Two state-sponsored bridge exploits. One laundering rail that refuses to act. A stablecoin issuer that watched $232 million move and did nothing.
In April 2026, North Korea stole $577 million from cryptocurrency bridges in 17 days.
Not through some unknown exploit nobody could have anticipated. Not through a vulnerability that existed for weeks undetected. Through the same structural weaknesses that have cost this industry more than $2.8 billion since 2021.
The attack vectors changed slightly. The outcome did not.
Two attacks. Two bridges. One state. Three weeks.
April was the worst month for crypto theft since the Bybit breach in February 2025. Total losses exceeded $625 million across 30 separate incidents. Two of those incidents accounted for 93% of the damage. This is the story of those two incidents, what connected them, and what the industry refuses to address.
The Six-Month Setup
Drift Protocol is the largest decentralized perpetual futures exchange on Solana. On April 1, 2026, it lost $285 million in 12 minutes.
The attack did not begin on April 1. It began in the fall of 2025.
North Korean operatives linked to a state-sponsored unit identified as UNC4736, also tracked under the names Citrine Sleet, Golden Chollima, and Gleaming Pisces under the broader Lazarus apparatus, spent months building relationships with Drift’s team. They attended industry conferences in person. This is documented. In-person contact between the operatives and Drift employees at crypto events has been confirmed as part of the post-mortem Drift released. They deposited over $1 million of their own capital to establish themselves as legitimate ecosystem participants. They submitted a formal Ecosystem Vault application. They asked detailed, technically credible product questions through February and March 2026.
Drift described it afterward as a coordinated and structured intelligence operation. CrowdStrike, which had assessed UNC4736 in January 2026, described the group as primarily geared toward cryptocurrency theft by targeting small fintech firms across the US, Canada, South Korea, India, and Western Europe. Their operational tempo, CrowdStrike noted, was consistent with ensuring baseline revenue generation for the DPRK regime.
Baseline revenue. For a regime building destroyers, nuclear-powered submarines, and reconnaissance satellites.
The technical execution arrived in March. Using a Solana feature called durable nonces, which allow transactions to be signed in advance and executed later without expiration, the attackers persuaded members of Drift’s Security Council to pre-sign transactions that appeared routine. Those transactions were not routine. They transferred administrative control of the protocol to an attacker-controlled address.
On April 1 at 16:05:18 UTC, the first pre-signed transaction executed. One second later, the second confirmed it. Full administrative control transferred in two transactions executed one second apart.
Withdrawal limits were removed. Vault permissions were overridden. Thirty-one pre-arranged withdrawals processed over the following 12 minutes. By 16:17 UTC, $285 million in JLP tokens, USDC, and other assets was gone.
Two security audits had cleared Drift. Trail of Bits in 2022. ClawSecure in February 2026, weeks before the attack. There was no bug to find. The attack did not target the code. It targeted the people running it. Chainalysis later described this as the first publicly documented instance of Lazarus-linked actors using in-person interactions as a primary attack vector.
The laundering started within hours. Stolen assets were converted to USDC and bridged from Solana to Ethereum via Circle’s own Cross-Chain Transfer Protocol. Over $232 million in USDC moved through Circle’s infrastructure across more than 100 transactions over approximately six hours, during US business hours.
Circle did not freeze a single dollar.
ZachXBT, whose track record on Circle’s intervention history I have written about previously, documented this publicly. Security researcher Specter noted the attackers deliberately routed through USDC rather than Tether, suggesting they had assessed that Circle would not act. That assessment proved correct. The regulatory architecture for centralized stablecoins is built on the assumption that issuers will act as a check on illicit flows. On April 1, that assumption cost $232 million.
The Phantom Burn
Seventeen days after Drift, the largest DeFi hack of 2026 got larger.
KelpDAO is a liquid restaking protocol. Its rsETH token represented restaked Ether deployed across more than 20 blockchains including Base, Arbitrum, Linea, Blast, Mantle, and Scroll. The bridge connecting those chains was built using LayerZero’s cross-chain messaging system and configured with a single-verifier design. One source of truth. No second opinion. No fallback.
The bridge held the rsETH reserve backing every wrapped version of the token deployed on every one of those 20 networks.
The attackers compromised two of KelpDAO’s internal RPC nodes, the computers functioning as the listening and reporting layer of the blockchain application. They then launched a denial-of-service attack against the external nodes. With external verification sources knocked offline, the bridge’s sole verifier had nowhere to check except the compromised internal data.
The compromised nodes fed the verifier a false narrative: that 116,500 rsETH had been burned on the source chain. The verifier saw confirmation from its only available source. It accepted the cross-chain message. The Ethereum bridge contract released 116,500 rsETH, approximately $292 million at the time, to an attacker-controlled address.
The rsETH had not been burned. It was minted. Every token released was unbacked.
This is what makes the KelpDAO exploit particularly important to understand. Every on-chain transaction was valid. The validator’s signature was valid. The message format was valid. The release function executed exactly as designed. Chainalysis described the attack as targeting the off-chain verification layer on which many cross-chain protocols depend. Transaction-by-transaction monitoring, the type most protocol security systems rely on, would not have flagged a single call.
The bridge worked correctly. It trusted the wrong data.
The emergency multisig froze core contracts 46 minutes after the drain. Two follow-up attempts at 18:26 and 18:28 UTC both failed. Each carried an additional 40,000 rsETH drain worth roughly $100 million. The pause mechanism stopped them. The 116,500 rsETH, however, was already gone, along with the backing for rsETH across 20 chains simultaneously.
KelpDAO offered a 10% bounty, approximately $29.2 million, for the return of funds. The funds did not return.
The contagion spread fast. Aave froze its rsETH markets to prevent new deposits and borrowing against potentially worthless collateral. SparkLend and Fluid followed. Aave’s token fell 20% during Asian trading hours. More than $14 billion in total value locked exited DeFi protocols within days as users pulled exposure from bridged assets across the sector.
The Arbitrum Security Council exercised emergency powers on April 20 and froze approximately $75 million in ETH held by the exploiter’s address on Arbitrum One. The intervention, which was coordinated with law enforcement, moved the funds to an intermediary wallet without affecting other Arbitrum users or chain state. It is the largest emergency action in Arbitrum’s history.
The remaining $175 million went through THORChain.
The Exit Architecture
THORChain is a decentralized cross-chain liquidity protocol. It enables native asset swaps across different blockchains without wrapped tokens, without identity checks, and without operator intervention. It is infrastructure that makes cross-chain movement genuinely useful. It is also the primary laundering rail for state-sponsored cryptocurrency theft.
THORChain processed the majority of proceeds from the Bybit breach in 2025. It processed the majority of KelpDAO proceeds in 2026. Its consistent stated position is that blocking illicit activity constitutes censorship. The protocol has declined to intervene in every publicly documented case. Its founder, JP Thorbjornsen, was personally targeted by suspected North Korean hackers in 2025. The protocol kept running.
The KelpDAO hackers converted approximately $175 million in stolen ETH to Bitcoin through THORChain after the Arbitrum freeze cornered part of their haul. TRM Labs notes this phase was handled largely by Chinese intermediaries rather than the North Korean operatives directly. The laundering network is compartmentalized by design.
The Drift funds followed a different playbook. Proceeds were bridged to Ethereum and converted to ETH shortly after the theft. Then they went dormant. TRM’s assessment is that these funds will remain inactive for months or years before a structured, multi-phase cashout operation begins. North Korea has run this pattern repeatedly. After Bybit, the funds dispersed across hundreds of wallets and largely disappeared before any coordinated cashout began. Patience is operational doctrine.
A7A5, the ruble-backed sanctions evasion stablecoin I covered previously, uses a similar compartmentalized exit structure. The geographic overlap between North Korean crypto laundering networks and Russian sanctions evasion infrastructure is not coincidental. Both operations share reliance on Chinese OTC desks and protocols built to resist interdiction.
The State’s Return on Investment
TRM Labs reports that North Korean hacking groups stole approximately $577 million through April 2026, representing 76% of all global cryptocurrency hack losses during the period.
Two attacks. 3% of the total incident count. 76% of total value stolen.
North Korea’s share of global crypto hack losses has grown every year without exception.
Below 10% in 2020 and 2021. 22% in 2022. 37% in 2023. 39% in 2024. 64% in 2025. 76% through April 2026.
Cumulative attributed theft since 2017 exceeds $6 billion. The Chainalysis 2026 Crypto Crime Report estimates DPRK actors stole $2.06 billion across 80 incidents in 2025 alone, a 51% year-over-year increase. TRM’s Ari Redbord, a former senior US Treasury official, described the 2026 campaign not as a broader operation but as a sharper one, with the group moving faster and more precisely than in prior years.
TRM analysts have noted that North Korean operators appear to be incorporating AI tools into their reconnaissance and social engineering workflows, consistent with the increasing precision of operations like Drift. A six-month campaign involving in-person conference appearances, technically credible ecosystem participation, and multi-week pre-signed transaction staging is not improvised. It is institutional.
According to the UN, stolen funds feed North Korea’s ballistic missile and nuclear weapons programs. According to CrowdStrike, UNC4736 operates with a mandate for baseline revenue generation. The crypto industry is not just experiencing financial losses. It is functioning as part of a state weapons financing system.
What the Industry Does Instead
After Drift, Drift issued a post-mortem. After KelpDAO, KelpDAO issued a post-mortem. Chainalysis published detailed breakdowns. Security firms published attribution reports. Conference panels convened. The industry called for stronger key management, wider use of multi-signature schemes, AI-assisted monitoring, and user-level insurance products.
None of it addresses the structural problem.
Bridges hold large pools of locked assets on one chain while issuing representative tokens on another. The correctness of that system cannot be evaluated by looking at one chain in isolation. Cross-chain verification requires consensus across multiple independent sources. When a bridge is built with a single verifier, a single compromised source controls the entire system. That is not an implementation error. That is an architectural choice.
KelpDAO’s bridge held $1.2 billion in total value locked at the time of the attack. The contract was audited. The audit passed. The vulnerability was in the configuration, in the decision to build a 1-of-1 verification setup for a system backing hundreds of millions in user assets across 20 chains.
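To make the single-verifier failure described above concrete, here is an added example (not KelpDAO's or LayerZero's code; the node names, operator labels and amounts are constructed) of a bridge release path whose verifier counts burn confirmations per independent operator. The same lying internal nodes that satisfy a 1-of-1 configuration cannot satisfy a threshold of two distinct operators, even with every external node knocked offline.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class BurnClaim:
    tx_hash: str   # source-chain burn transaction the cross-chain message cites
    amount: int    # rsETH the message claims was burned

class RpcSource:
    """One RPC endpoint; `operator` says who runs it so correlated nodes count once."""
    def __init__(self, name, operator, burns, online=True):
        self.name, self.operator = name, operator
        self.burns = burns      # tx_hash -> burned amount this node reports
        self.online = online

    def burn_amount(self, tx_hash):
        if not self.online:
            raise ConnectionError(f"{self.name} unreachable")
        return self.burns.get(tx_hash)

class BridgeVerifier:
    """Attests a burn only if `threshold` distinct operators confirm it."""
    def __init__(self, sources, threshold):
        self.sources, self.threshold = sources, threshold

    def confirm_burn(self, claim):
        agreeing = set()
        for src in self.sources:
            try:
                if src.burn_amount(claim.tx_hash) == claim.amount:
                    agreeing.add(src.operator)
            except ConnectionError:
                continue        # an unreachable node is never a "yes"
        return len(agreeing) >= self.threshold

def try_release(verifier, reserve, claim):
    """Release locked reserve only on a confirmed burn: (released, remaining)."""
    if verifier.confirm_burn(claim) and claim.amount <= reserve:
        return claim.amount, reserve - claim.amount
    return 0, reserve

def single_operator_scenario(threshold):
    """Constructed replay: own nodes report a burn that never happened, externals offline."""
    fake = {"0xfake-burn": 116_500}
    sources = [
        RpcSource("internal-1", "bridge-team", fake),
        RpcSource("internal-2", "bridge-team", fake),
        RpcSource("external-a", "provider-a", {}, online=False),
    ]
    released, _ = try_release(BridgeVerifier(sources, threshold), 1_000_000,
                              BurnClaim("0xfake-burn", 116_500))
    return released     # 116_500 when threshold == 1, 0 when threshold >= 2
```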
The Ronin Bridge lost $625 million in March 2022 through compromised validator keys. Wormhole lost $320 million in February 2022 through a signature verification bug. Nomad lost $190 million in August 2022 through a configuration error. Every cycle brings new bridges. Every new bridge carries the same assumptions.
The Drift exploit is arguably more significant because of what it proved. There was no smart contract bug. There was no oracle manipulation. There was no configuration error. There was only a governance architecture built on the assumption that people with administrative access could be trusted indefinitely, with no timelock on critical transactions, no minimum liquidity threshold for oracle assets, and no procedure for signers to verify the actual content of a transaction before approving it.
Two audits cleared that architecture. Two audits found nothing wrong.
“We’ve been over-indexing on code audits while under-investing in operational security, governance architecture, and human-factors analysis,” Marcus Reinhardt at Blockchain Defense Group said after the exploit. The most sophisticated attackers do not need to find bugs in the code. They find bugs in the organization.
What the Regulation Does Not Address
The GENIUS Act, which I have covered in depth, regulates stablecoin issuance. Payment stablecoin issuers must maintain reserves, publish monthly attestations, and submit to federal oversight. It passed into law this year.
It does not address what happens when a stablecoin issuer watches $232 million move through its own protocol during an active state-sponsored heist and chooses not to act. The GENIUS Act does not require issuers to monitor for theft. It does not require issuers to freeze funds linked to active North Korean laundering operations. It creates a licensing regime for issuance. The moment of greatest potential intervention, an active multi-hour laundering event during business hours, is not in scope.
Circle has the technical capacity to freeze USDC. It has exercised that capacity in other contexts. When the Drift laundering ran through CCTP for six hours during business hours, Circle’s infrastructure was the chokepoint. It did not choke.
Tether, which I have also covered, has a different track record. Tether has frozen wallets connected to OFAC sanctions targets and law enforcement requests. The contrast between the two largest stablecoin issuers on this specific question is documented and consequential.
No proposed legislation addresses the THORChain exit door. No bill holds bridge architects accountable for single-verifier designs. The exit architecture that turned $577 million in stolen assets into Bitcoin with no operator intervention remains fully operational.
This week, THORChain itself was exploited for $10.8 million on May 15, 2026, across nine chains, forcing a full trading halt. Three days later, on May 18, the Verus-Ethereum Bridge was drained for $11.58 million. The attacker funded the wallet with 1 ETH through Tornado Cash approximately 14 hours before the exploit. Verus had issued an emergency security patch just two days earlier for a separate vulnerability. The timing is consistent with a targeted operation.
Total losses from crypto hacks in 2026 have exceeded $771 million across 47 separate incidents. The year is five months old.
What I Am Telling You
The bridge hack pattern is not a series of unfortunate incidents. It is the predictable output of architectural decisions made consistently across the industry for years.
Build a bridge with a single point of trust. Audit the contracts. Clear the audit. Issue wrapped tokens across 20 chains. Hold $1 billion in the reserve. Wait.
The attackers are patient. The playbook does not change because the target keeps rebuilding the same vulnerability.
The stablecoin issuer with the technical capacity to act chose not to act during the six-hour laundering window. The protocol that processes the stolen funds calls intervention censorship. The regulatory framework that claims to address stablecoin risk does not address any of this.
North Korea’s share of global crypto hack losses has risen from below 10% to 76% in five years. The curve is not plateauing. The operations are becoming more sophisticated, more patient, and increasingly AI-assisted.
I’m not saying the exits can’t be closed. I’m telling you nobody is closing them.
Strident Citizen is independent and reader-funded. No ads. No institutional backing. Every article is free to read. If this kind of investigative journalism matters to you, a paid subscription is the most direct way to keep it going.