
Cyber Incident Victim: KelpDAO

Date: Apr 2026

Location:

Summary

KelpDAO suffered a cyber intrusion that resulted in the theft of approximately $292 million in cryptocurrency. The breach was carried out by a North Korean advanced persistent threat (APT) group that used AI‑enhanced reconnaissance and social engineering to exploit weaknesses in the platform's decentralized finance (DeFi) infrastructure. The incident is part of a larger pattern of state‑sponsored crypto heists that have funneled substantial funds to the Democratic People's Republic of Korea (DPRK).

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 0 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On April 18, 2026, the North Korean APT TraderTraitor (also tracked as Jade Sleet and UNC4899) attacked the infrastructure supporting the KelpDAO decentralized finance platform, stealing approximately $292 million in cryptocurrency. The attack followed an earlier operation on April 1, 2026 (April Fool's Day), in which the APT Citrine Sleet (also tracked as AppleJeus, Labyrinth Chollima and UNC4736) stole nearly $300 million from the Drift Protocol, and a February 2025 intrusion by TraderTraitor that yielded $1.5 billion from the Bybit exchange. The KelpDAO incident brought the total stolen by North Korean actors within an 18‑day window in early 2026 to roughly $575 million.


The stolen funds were transferred to wallets linked to the Democratic People's Republic of Korea, adding to the 76% of all cryptocurrency stolen in 2026 that, according to TRM Labs analysis, ended up in Pyongyang. The loss represented a significant portion of KelpDAO's assets and underscored the exposure of DeFi protocols that rely on single points of trust and do not validate the provenance of assets moving between systems. Bradley Smith, senior vice president and deputy CISO at BeyondTrust, noted that the attack succeeded because the targeted infrastructure had no effective governance mechanisms capable of responding at the speed of the exploit.

Following the theft, TRM Labs and other analysts highlighted that the attack chain showed the attackers' deep technical understanding of KelpDAO's weak points, including insufficient validation of cross‑system asset transfers and inadequate multisig approval timelines. Smith argued that until DeFi ecosystems enforce trust verification standards comparable to those of traditional finance, state‑sponsored actors will continue to exploit such platforms as low‑cost funding sources. Ari Redbord of TRM Labs observed that the increasing use of artificial intelligence by North Korean operators has lowered the barrier to crafting convincing social engineering and technical exploits, and pointed to a 500% rise in AI‑assisted scams over the past year.

The KelpDAO breach, together with the Drift Protocol and Bybit incidents, illustrates a pattern in which North Korean threat actors conduct infrequent but high‑reward operations that funnel substantial cryptocurrency wealth to the DPRK's strategic objectives, including its nuclear program. The events have prompted industry discussion of the need for real‑time, automated trust validation at the transaction layer to mitigate the risk posed by AI‑enhanced, nation‑state‑scale attacks.

Sources: 1 source (available to members)