DeFi Loses $14 Billion as North Korea Hits Kelp DAO and Drift

Roughly $14 billion has walked out of decentralized finance in three weeks, and the exit doors weren’t poorly written smart contracts. They were the cross-chain messaging layers that stitch one blockchain to another.

Two state-linked thefts triggered the bleed. North Korea’s Lazarus Group drained $290 million from KelpDAO’s bridge on April 18, then borrowed $230 million from Aave against the stolen tokens. Three weeks earlier, the same group siphoned $285 million from Drift Protocol on Solana. DefiLlama’s DeFi protocol flow dashboard tracks the cumulative outflow at close to $14 billion.

The $14 Billion Bleed

DeFi’s total value locked fell from roughly $99 billion to $85 billion in the 48 hours after the Kelp incident, before continuing to drift lower over the following two weeks. The Financial Times put the cumulative outflow at close to $14 billion as of May 6.

Aave absorbed the worst of it. The lender’s deposits collapsed from $26.4 billion on April 18 to about $20 billion that weekend, a 33% drop in 72 hours that Chainalysis’s KelpDAO bridge exploit post-mortem called one of the steepest single-protocol contractions in recent DeFi history.

The numbers make the panic plain.

  • $14 billion: total DeFi TVL drained between April 18 and May 6, per DefiLlama.
  • 33%: Aave’s three-day deposit decline.
  • 14%: Aave V3 stablecoin borrow rate at peak, up from 3.4% before the hack.
  • $5.1 billion: stablecoins frozen under withdrawal constraints during the worst hours.
  • $86 billion: the market’s current size, down from a 2021 peak of roughly $180 billion.

How The Kelp Bridge Broke Aave

The Kelp DAO incident was a different kind of hack. Past DeFi exploits chased private keys or smart contract bugs. This one targeted the connective tissue between chains.

“Past hacks were due to stolen keys or bugs in smart contracts. This one was convincing the vault the thief was actually the owner,” said Ryan Rugg, global head of digital assets at Citi Treasury and Trade Solutions’ digital assets unit, on the From the Block podcast.

One Verifier, Two Compromised Nodes

LayerZero’s post-incident review traced the breach to a 1-of-1 Decentralized Verifier Network setup. Kelp had run its bridge through a single verifier with two RPC nodes feeding it transaction data. Lazarus owned both.

The attackers planted malware that fed false data only to LayerZero’s verifier while returning honest responses to monitoring tools. They then DDoS-ed the legitimate RPC endpoints, forcing the verifier to lean on the poisoned ones. The bridge signed off on a fabricated mint, releasing 116,500 unbacked rsETH worth roughly $292 million. The malware self-destructed before forensics could grab it.
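As an added illustration of the 1-of-1 verifier failure described above (example code, not LayerZero's, Kelp DAO's or any real DVN's implementation), this toy verifier contrasts attesting to the first reachable node with requiring a quorum across independent RPC providers; the node names, quorum size and event payloads are constructed assumptions.

```python
# Added example, not code from LayerZero, Kelp DAO or Aave: a toy message
# verifier that cross-checks one source-chain event against several
# independent RPC providers. Node names and payloads are constructed.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    node: str        # RPC provider that was queried
    available: bool  # False if the node timed out (e.g. under DDoS)
    payload: str     # the event the node reports, "" if unavailable


def single_verifier_attest(observations):
    """1-of-1 behaviour: attest to whatever the first reachable node says.
    If the honest nodes are knocked offline, the only answers left come
    from the poisoned ones, and the verifier signs them."""
    for obs in observations:
        if obs.available:
            return obs.payload
    return None


def quorum_attest(observations, quorum):
    """Defensive variant: attest only if at least `quorum` reachable
    providers report the same event. Unreachable nodes are missing votes,
    never agreement, so an outage degrades to 'no attestation' instead of
    'attest the attacker's version'. The quorum must exceed the number of
    providers any single party could plausibly control."""
    votes = Counter(o.payload for o in observations if o.available)
    if not votes:
        return None
    payload, count = votes.most_common(1)[0]
    return payload if count >= quorum else None


HONEST = "mint rsETH amount=10 nonce=7"         # constructed event
POISONED = "mint rsETH amount=116500 nonce=7"   # constructed forgery

# Constructed scenarios over five providers; A and B are attacker-run.
NORMAL = [Observation(n, True, HONEST) for n in "ABCDE"]
MIXED = [Observation(n, True, POISONED) for n in "AB"] + [
    Observation(n, True, HONEST) for n in "CDE"]
# Honest providers C..E unreachable, as in the DDoS described above.
ATTACK = [Observation(n, True, POISONED) for n in "AB"] + [
    Observation(n, False, "") for n in "CDE"]

if __name__ == "__main__":
    print("1-of-1 under attack:", single_verifier_attest(ATTACK))  # forgery
    print("3-of-5 under attack:", quorum_attest(ATTACK, 3))         # None
```

A 2-of-5 quorum would still pass the forgery, which is the point: redundancy only helps when the threshold exceeds what one operator can control.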

From there, the stolen rsETH flowed straight into Aave V3 as collateral, and the attackers borrowed about 82,600 ETH against it. That left Aave carrying roughly $196 million in bad debt concentrated in a single rsETH-wETH pair, freezing wETH markets across Ethereum, Arbitrum, Base, Mantle, and Linea.

Drift’s April Fool’s Day Drain

The KelpDAO hack didn’t happen in a vacuum. On April 1, attackers drained $285 million from Drift Protocol, the largest perpetual futures venue on Solana. Elliptic’s analysis of the Drift Protocol exploit attributed it to a DPRK-linked group identified by Mandiant.

Drift’s exploit took a social path rather than a cryptographic one. Hackers tricked multisig signers into pre-signing hidden authorizations, then exploited a zero-timelock Security Council migration to gain admin rights. They created a fake collateral token called CVT, wash-traded it to a $1 price on Raydium, fed that price through an oracle they controlled, and borrowed real assets against worthless paper.

Where The Money Went, Not Just Where It Left

Most of the withdrawn capital stayed inside crypto. It just changed addresses.

SparkLend, a stablecoin-only lender, saw deposits jump from $1.89 billion to $3.3 billion in the week after the Kelp incident, an inflow of roughly $1.4 billion. Money market protocols with conservative collateral lists pulled in similar amounts. The pattern looks less like an industry exodus than an internal flight to quality.

| Incident | Date | Amount | Method |
|---|---|---|---|
| Drift Protocol | April 1, 2026 | $285M | Multisig social engineering, fake collateral token |
| KelpDAO bridge | April 18, 2026 | $290M | Compromised LayerZero RPC nodes |
| Aave (knock-on) | April 18 to 20 | $230M borrowed | Stolen rsETH used as collateral |

TRM Labs’ 2026 North Korea crypto theft report calculates that these two attacks alone account for 76% of all stolen crypto value in 2026 so far. Two incidents. One country. Three quarters of the year’s losses.

That concentration matters because it changes the threat model. Industry losses don’t come from a long tail of opportunistic thieves. They come from one professional adversary with state backing, multiyear planning windows, and recurring access to compromised infrastructure.

Why Wall Street’s DeFi Pilots Just Got Harder

The institutional pitch for DeFi has rested on transparency and code-as-law guarantees. The Kelp incident punched a hole through both.

“The fallout is severe. The hacks undermine arguments that crypto offers a safer and more transparent alternative to legacy financial rails.”

That’s Lucas Tcheyan, research associate at Galaxy, speaking to the Financial Times. His read lands at a delicate moment. Traditional banks have spent the past year piloting tokenized deposits and on-chain settlement rails, and the case for moving real balance sheet onto public chains depends on the rails being safer than the legacy ones.

Rugg, on the same podcast, was blunter on timing. “Does this delay the institutional adoption of DeFi? Maybe. It is going to take some of the confidence out of the market.” Any institutional commitment, she added, will hinge on whether firms can layer proper redundancy and security at every layer where the trust resides, a standard the 1-of-1 verifier setup at Kelp obviously didn’t meet.

The Manhattan Court Fight Over $71 Million

The story didn’t end with the theft. On May 4, Aave filed an emergency motion in the Southern District of New York seeking to vacate a restraining order that had immobilized roughly $71 million in Ethereum tied to the recovery effort. The order had been served on Arbitrum DAO under enforcement actions in older cases involving North Korean assets.

Aave’s filing argues the freeze rests on unverified online attribution and that no court has formally identified the attacker or established a North Korean legal interest in the recovered tokens. The motion sits in front of a federal judge as of this week, with the outcome likely to set the operating template for how DeFi protocols recover stolen funds caught in sanctions enforcement.

Frequently Asked Questions

Is My Aave Deposit Still Safe?

Aave’s core stablecoin and ETH markets remain operational, but the protocol froze the rsETH market on April 19 and temporarily suspended wETH deposits across Ethereum, Arbitrum, Base, Mantle, and Linea. Check the Aave risk dashboard at app.aave.com for the current status of your specific market. The roughly $196 million in bad debt is concentrated in the rsETH-wETH pair, not in the broader USDC or USDT pools.

What Is rsETH and Why Did It Trigger So Much Damage?

rsETH is a liquid restaking token issued by KelpDAO that represents staked ETH plus restaking rewards on EigenLayer. Nine major lending protocols accepted it as collateral, including Aave, Compound, and Euler. When Lazarus minted 116,500 unbacked rsETH through the bridge exploit, the token’s peg broke, forcing every protocol holding rsETH collateral to reprice it at once. That cascading repricing drove most of the $14 billion outflow.

Can Any of the Stolen Funds Be Recovered?

Some can. About $71 million in Ethereum has been frozen under the New York court order, and Drift Protocol has announced a recovery plan funded by protocol revenue, partner contributions, and Tether support that could reach $151 million toward its $295.4 million in user losses. Recovery tokens pegged to verified user balances are the operational path. Full make-whole recovery depends on coordinated freezes by exchanges and stablecoin issuers.

Should I Move My Crypto Out of DeFi Entirely?

That depends on what you hold. The capital that left Aave largely moved to stablecoin-only lenders like SparkLend, not to centralized exchanges or fiat. If your concern is bridge risk specifically, audit which lending protocol holds your collateral and whether that collateral is a wrapped or restaked asset that depends on a cross-chain mint. Native ETH on Aave behaves differently from rsETH on Aave. Treat them differently.

Why Are North Korean Hackers So Successful at This?

The Lazarus Group runs full-time professional operations with multiyear timelines, often planting agents inside crypto firms or compromising infrastructure providers months before striking. The Drift hack used social engineering against multisig signers. The Kelp hack used long-running RPC node compromise. TRM Labs attributes 76% of all 2026 crypto theft value to two Lazarus operations, a concentration that reflects sustained state investment, not lucky one-off opportunism.

The next test for DeFi isn’t a fix to the LayerZero verifier set or an emergency Aave parameter change. It’s whether the protocols that survive this round can convince a Citi or a JPMorgan that their bridges are worth the risk. The dollars that left Aave found a home in SparkLend. The institutional dollars that never arrived are still sitting on the sidelines, watching the Manhattan courtroom.

Disclaimer: This article reports on publicly disclosed cyberattacks and DeFi protocol movements and does not constitute investment advice. Cryptocurrency and DeFi assets carry significant risk including the potential for total loss from exploits, smart contract failures, and bridge compromises. Readers should consult a licensed financial advisor before making any decisions about their digital asset holdings. All figures, TVL data, and protocol statuses cited reflect the publication date and may change rapidly.

Logan Pierce is a writer and web publisher with over seven years of experience covering consumer technology. He has published work on independent tech blogs and freelance bylines covering Android devices, privacy focused software, and budget gadgets. Logan founded Oton Technology to publish clear, no nonsense tech news and reviews based on real hands on testing. He has personally tested and reviewed dozens of mid range and budget Android phones, written extensively about app privacy, and built and managed multiple WordPress publications over the past decade. Logan holds a bachelor's degree in English and studied digital marketing at a certificate level.
