
North Korean State Actors Target DeFi Infrastructure in $500 Million Heist Wave

Apr 20, 2026 21:17 UTC

State-linked hackers have siphoned over $500 million from the Drift and Kelp protocols by exploiting systemic vulnerabilities in cross-chain infrastructure. The attacks highlight a strategic shift toward targeting the underlying assumptions of decentralized systems rather than simple software bugs.

  • Total losses exceed $500 million across Drift and Kelp
  • Exploit targeted data input assumptions rather than cryptography
  • Single-verifier configuration identified as a primary security failure
  • Collateral links caused losses to spread to Aave
  • Lazarus group shifting focus to cross-chain and restaking layers

North Korea-linked hacking groups have executed a sophisticated series of exploits targeting decentralized finance (DeFi) protocols, resulting in losses exceeding $500 million over a two-week period. The most recent attack targeted Kelp, a restaking protocol integrated with LayerZero’s cross-chain infrastructure, following a similar breach at the trading firm Drift.

Unlike traditional hacks that rely on cracking encryption or finding software bugs, the Kelp exploit manipulated data inputs to force the system to approve fraudulent transactions. Security experts note that the system verified the identity of the sender but failed to verify the truth of the message, effectively accepting 'signed lies' to authorize transfers.

A critical vulnerability was traced to a configuration choice where Kelp relied on a single verifier to approve cross-chain messages. While this setup increases speed and simplicity, it removes essential safety layers. LayerZero has since advised the use of multiple independent verifiers to mitigate such risks, though critics argue that unsafe defaults should not be offered as options.

The fallout has extended beyond the immediate targets. Because Kelp assets were utilized as collateral on lending platforms such as Aave, the exploit has triggered a wider stress event across the DeFi ecosystem. This 'chain of IOUs' effect demonstrates how vulnerabilities in infrastructure layers can create systemic contagion.

Analysts suggest the Lazarus group is now prioritizing cross-chain and restaking infrastructure. These layers are highly complex and hold immense value, making them prime targets for state-sponsored actors seeking to fund national objectives through the hijacking of digital assets.
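The single-verifier weakness and the multiple-independent-verifier mitigation described above, as an added example that is not from the article, Kelp or LayerZero: a simplified model showing why a 1-of-1 configuration accepts a validly signed but false message while a 2-of-3 quorum rejects it. HMAC tags stand in for verifier signatures, and all verifier names, keys, message fields and function names are constructed assumptions.

```python
import hashlib
import hmac

# Constructed keys for three hypothetical, independently operated verifiers.
KEYS = {"verifier-a": b"constructed-key-a",
        "verifier-b": b"constructed-key-b",
        "verifier-c": b"constructed-key-c"}

def attest(verifier, message):
    """Tag a verifier issues for the message it believes is true.
    HMAC is a stand-in for a real signature scheme (assumption)."""
    return hmac.new(KEYS[verifier], message, hashlib.sha256).hexdigest()

def accept(message, attestations, verifiers, threshold):
    """Accept only if `threshold` distinct configured verifiers attest
    to this exact message. A valid tag proves who signed, not that the
    content is true, so independence of the signers is what adds safety."""
    if not 1 <= threshold <= len(verifiers):
        raise ValueError("threshold must be between 1 and len(verifiers)")
    valid = {v for v, tag in attestations.items()
             if v in verifiers
             and hmac.compare_digest(tag, attest(v, message))}
    return len(valid) >= threshold

def audit(verifiers, threshold):
    """Return a finding when one verifier alone can approve a message."""
    if threshold == 1:
        return "WEAK: a single verifier can approve any message"
    return "OK: %d of %d verifiers must agree" % (threshold, len(verifiers))

def demo():
    # Constructed messages: the real source-chain state vs. a false claim.
    true_msg = b"chain=src;nonce=7;release=0"
    false_msg = b"chain=src;nonce=7;release=1000000"
    # verifier-a was fed bad input data and signs the false message;
    # verifier-b and verifier-c saw the real state and sign the true one.
    seen = {"verifier-a": false_msg, "verifier-b": true_msg, "verifier-c": true_msg}
    def tags_for(msg):
        return {v: attest(v, m) for v, m in seen.items() if m == msg}
    single, quorum = {"verifier-a"}, set(KEYS)
    return {
        "single_accepts_false": accept(false_msg, tags_for(false_msg), single, 1),
        "quorum_accepts_false": accept(false_msg, tags_for(false_msg), quorum, 2),
        "quorum_accepts_true": accept(true_msg, tags_for(true_msg), quorum, 2),
        "audit_single": audit(single, 1),
        "audit_quorum": audit(quorum, 2),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "=", result)
```

The `audit` check is the kind of configuration gate an integrator can run before deployment, so that a threshold of one is caught as a finding rather than discovered after an incident.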
