Breaking news: a state-linked hacker organization has raked in $500 million in a single month. The crypto world is facing an “asymmetric war.” Are your assets safe?

Over the past three weeks, a hacker organization linked to a specific state has stolen more than $500 million from decentralized finance platforms. Its attack methods have undergone a fundamental shift: rather than attacking core smart contracts directly, it now targets weak links in peripheral infrastructure.

Following two major attacks, on Drift Protocol and KelpDAO, the organization's illicit crypto haul this year already exceeds $700 million. Behind the losses is a notable upgrade in tactics: increasingly, complex vulnerabilities and deeply embedded personnel are used to bypass standard security defenses.

On April 20, cross-chain infrastructure provider LayerZero confirmed that KelpDAO had been attacked on April 18, with losses of approximately $290 million, the largest crypto theft so far this year. Preliminary investigative evidence points directly at TraderTraitor, a specialized unit affiliated with the notorious Lazarus Group.

Just weeks earlier, on April 1, Drift Protocol, a Solana-based decentralized perpetuals trading platform, was robbed of about $286 million. Blockchain intelligence firm Elliptic quickly matched the on-chain laundering methods, transaction sequences and network signatures to the group's known attack paths, and noted that this was the 18th incident of its kind tracked this year.

April's incidents show that attacks on DeFi have entered a more mature stage. Rather than assaulting the core head-on, attackers hunt for structural weaknesses at the edges. In the KelpDAO attack, for example, the hackers compromised the downstream RPC infrastructure used by LayerZero Labs' decentralized verification network to read chain state.

By tampering with these critical data channels, the attackers manipulated the protocol's operation without breaking any of the underlying cryptography: the verifiers acted on what the compromised nodes reported to them. LayerZero has disabled the affected nodes and fully restored the verification network, but the financial losses are not recoverable. This indirect approach reveals a worrying direction in the evolution of cyber warfare.

Blockchain security company Cyvers told the media that the country-linked attackers are becoming increasingly sophisticated, investing more resources in preparing and executing attacks. The company added that attackers can always precisely identify the weakest link; this time, the breakthrough was in third-party components rather than the protocol’s core infrastructure.

This strategy closely resembles traditional corporate espionage, and it also means such attacks are becoming harder to defend against. Recent events, such as Google researchers linking the widespread Axios npm package supply-chain compromise to the state-linked threat group UNC1069, indicate that attackers are systematically poisoning software upstream, before it ever enters the blockchain ecosystem.

Beyond technical intrusions, the state is carrying out large-scale, organized infiltration of the global cryptocurrency labor market. The threat pattern has expanded from remote hacking operations to placing its own operatives directly inside unsuspecting Web3 startups.

The Ketman Project, part of the Ethereum Foundation's ETH Rangers security initiative, reached a startling conclusion after six months of investigation: approximately 100 of the state's cyber operatives are embedded in multiple blockchain companies. Using forged identities, they pass standard HR screening with ease, gain access to sensitive internal code repositories, sit quietly inside product teams for months or even years, and then strike with precision.

Independent blockchain investigator ZachXBT has further corroborated this intelligence-agency-style infiltration. He recently exposed a covert network, run by the state's special cyber unit, that uses fraudulent identities to obtain remote jobs and earns about $1 million per month on average. Through this scheme, cryptocurrency is converted to fiat via recognized global financial channels; since the end of 2025 it has processed more than $3.5 million.

Industry insiders estimate that the state's deployed IT workers as a whole generate income of several million dollars per month on average. That gives it two revenue streams: steady salary income and the massive protocol thefts those insiders facilitate.

The scale of the state's digital asset operation far exceeds that of any traditional cybercrime group. According to blockchain analytics firm Chainalysis, in 2025 alone hackers associated with it stole a record $2 billion, roughly 60% of all crypto stolen worldwide that year. With this year's intense attack activity, the cumulative total stolen over its history has reached $6.75 billion.

Once funds are secured, Lazarus Group shows a highly specific, regionalized money-laundering pattern. Unlike ordinary crypto criminals, who frequently use decentralized exchanges and P2P lending protocols, the state's hackers deliberately avoid those channels.

On-chain data shows that they rely heavily on escrow trading services in Chinese-language regions, deep over-the-counter (OTC) broker networks, and complex cross-chain mixing services. This preference points to structural restrictions and geographically limited cash-out channels, rather than unrestricted access to the global financial system.

Security researchers and industry executives believe such attacks can be prevented, but crypto companies must fix the same operational weak points exposed across multiple major attacks. Humanity founder Terence Kwok told the media that the state-linked attacks still target common vulnerabilities rather than entirely new forms of intrusion.

He believes attackers are improving both their intrusion methods and their ability to move stolen funds, but the root causes still lie in poor access control and the risks of centralized operations. It is shocking, he said, that losses are still being blamed on old problems such as access control and single points of failure, which shows the industry has not yet resolved fundamental security discipline issues.

Accordingly, Kwok said the industry's first line of defense is to make unauthorized asset transfers far harder by implementing stricter controls over private keys, internal permissions and third-party access. In practice, companies need to reduce reliance on individual operators, limit privileged access, harden vendor dependencies, and add more verification layers in the infrastructure between core protocols and the outside world.
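The RPC-tampering path described earlier and the "verification layers between core protocols and the outside world" recommended here come down to one design rule: a verifier must not attest to chain state it has read from a single node it does not control. The Python below is an added example written for this page, not LayerZero's DVN code or anything recovered from the KelpDAO incident. The provider functions, the transaction hash and the two `Observation` values are constructed for the demo; a real verifier would query independent RPC endpoints in their place.

```python
"""Quorum cross-check of RPC data before a verifier attests to it.

Added example (not LayerZero's or KelpDAO's code). The providers,
transaction hash and observations below are constructed for the demo.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Observation:
    """What a verifier needs from chain state before signing an attestation."""
    block_hash: str
    tx_status: int      # 1 = succeeded, 0 = reverted or absent
    payload_hash: str   # hash of the message the destination chain will act on


# Constructed data: the honest chain state for a hypothetical transaction ...
HONEST = Observation("0xb10c" + "00" * 14, 1, "0xdeadbeef" + "00" * 28)
# ... and the view served by a tampered RPC node: same block, same success flag,
# but a different payload hash (e.g. a message authorising a larger withdrawal).
# A naive "does the tx exist and did it succeed?" check cannot tell them apart.
FORGED = Observation("0xb10c" + "00" * 14, 1, "0xbadf00d0" + "00" * 28)

RpcFn = Callable[[str], Observation]


def honest_rpc(tx_hash: str) -> Observation:
    return HONEST


def tampered_rpc(tx_hash: str) -> Observation:
    return FORGED


def unreachable_rpc(tx_hash: str) -> Observation:
    raise ConnectionError("timeout")


class NoQuorum(Exception):
    pass


@dataclass
class QuorumResult:
    observation: Observation
    agreeing: List[str]
    dissenting: List[str]   # providers whose answer differed: alert on these


def verify_single_source(tx_hash: str, provider: RpcFn) -> Observation:
    """The weak design: whatever one RPC node says is what gets attested."""
    return provider(tx_hash)


def verify_with_quorum(tx_hash: str, providers: Dict[str, RpcFn],
                       threshold: int) -> QuorumResult:
    """Attest only when a strict majority of independent providers agree.

    threshold > len(providers) // 2 guarantees that two conflicting views can
    never both reach quorum. An unreachable provider abstains rather than
    voting, so outages degrade to "no attestation", never to a wrong one.
    """
    if threshold <= len(providers) // 2:
        raise ValueError("threshold must be a strict majority of providers")
    answers: Dict[str, Observation] = {}
    for name, rpc in providers.items():
        try:
            answers[name] = rpc(tx_hash)
        except Exception:
            continue  # abstain; the missing vote counts against quorum
    if not answers:
        raise NoQuorum("no provider answered")
    winner, votes = Counter(answers.values()).most_common(1)[0]
    if votes < threshold:
        raise NoQuorum(f"{votes} of {len(providers)} providers agree; need {threshold}")
    agreeing = sorted(n for n, obs in answers.items() if obs == winner)
    dissenting = sorted(n for n, obs in answers.items() if obs != winner)
    return QuorumResult(winner, agreeing, dissenting)


if __name__ == "__main__":
    tx = "0x" + "11" * 32   # constructed transaction hash
    print("single source via tampered node returns forged payload:",
          verify_single_source(tx, tampered_rpc) == FORGED)
    providers = {"rpc-a": honest_rpc, "rpc-b": tampered_rpc, "rpc-c": honest_rpc}
    result = verify_with_quorum(tx, providers, threshold=2)
    print("quorum attests honest view:", result.observation == HONEST,
          "dissenting providers:", result.dissenting)
```

Two caveats follow directly from the code. First, the dissenting list is the detection signal: a provider that disagrees with the majority on a successful transaction should page an operator, not be silently outvoted. Second, quorum only helps when the providers are genuinely independent; if two of the three share an operator, a cloud account or an API key, a single compromise still wins the vote, which is exactly the third-party-dependency risk the article describes.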

The second line of defense is speed. Once stolen funds cross chains, pass through bridges or enter laundering networks, the probability of recovery drops sharply. Kwok said exchanges, stablecoin issuers, blockchain analytics firms and law enforcement agencies must coordinate within the first minutes or hours after an attack to improve the odds of intercepting funds.

His remarks point to an industry reality: the most vulnerable points in crypto systems often lie where code, people and operations meet. A stolen credential, a weak vendor dependency or a neglected permissions flaw is enough to cause losses in the hundreds of millions of dollars. The challenge for DeFi is no longer only writing robust smart contracts, but also securing the operations around protocols before attackers exploit the next weak link.
