North Korean Hackers Swipe $600M in Record Month, Experts Blame Sophisticated AI Tools

$600 Million Stolen in Two DeFi Breaches

North Korean state-backed hackers have siphoned over $600 million from decentralized finance (DeFi) protocols in April alone, cybersecurity analysts confirm. The theft marks the most lucrative month for the regime's cyber operations, with attackers deploying advanced artificial intelligence to evade detection and accelerate exploits.

Source: thenextweb.com

Two attacks accounted for the bulk of the losses: a $285 million heist from Drift Protocol on April 1 and a second breach on April 18 targeting Kelp DAO. The combined haul exceeds the previous monthly record by over $200 million, according to blockchain security firm Chainalysis.

Drift Protocol: Months-Long Social Engineering

Attackers drained approximately $285 million from Drift Protocol, a Solana-based derivatives exchange, after infiltrating the team as a fake quantitative trading firm. They spent months building trust with employees before tricking them into authorizing malicious transactions.

AI chatbots and deepfake audio were used to simulate real-time interactions, making the impersonation nearly undetectable. "This was not a simple phishing campaign; it was a highly coordinated operation that leveraged AI to mimic human behavior perfectly," said Sarah Chen, a cybersecurity analyst at TRM Labs. The hackers even passed video verification checks.

Kelp DAO Exploit: Single-Verifier Weakness

On April 18, a separate group exploited a single-verifier flaw in Kelp DAO’s smart contract code. The vulnerability allowed them to bypass multi-party approval and extract funds directly from the protocol’s liquid staking pool. The stolen amount is estimated at $315 million, though final audits are pending.

"This exploit demonstrates how North Korean hackers are using AI to identify and crack code weaknesses far faster than traditional manual methods," explained Mark Zhao, a DeFi security researcher at SlowMist. They burned through Kelp's security layers in hours, not days.

Background: North Korea's Evolving Cyber Arsenal

North Korean hacking groups like Lazarus and APT38 have long targeted crypto exchanges. But the shift to AI-driven attacks represents a major escalation. Machine learning models now assist in reconnaissance, vulnerability scanning, and even generating convincing phishing messages in multiple languages.

Both breaches share ties to the BlueNoroff subgroup, known for focusing on DeFi and blockchain projects. The U.S. Treasury Department has linked these groups to over $3 billion in thefts since 2017.

What This Means: DeFi's Urgent Security Overhaul

DeFi platforms now face a new normal where AI-powered adversaries can mimic legitimate partners and exploit code at machine speed. Traditional security measures—like manual code audits and basic KYC checks—are no longer sufficient.

Industry leaders are calling for mandatory AI-driven threat detection, real-time behavioral analysis, and decentralized verification protocols. "We need to fight AI with AI," urged Dr. Lisa Park, a blockchain ethics professor at MIT. Every DeFi project must now consider a dedicated cyber AI unit as essential infrastructure.

In response, several projects have announced emergency security summits and bug bounty expansions. However, experts warn that without coordinated regulatory frameworks, North Korea will continue to exploit gaps. The $600 million month may be just the beginning.
