North Korea Lazarus Group — H1 2026 Systematic Crypto Theft Campaign
1 decision on this page
Audit log
Every state-changing event for North Korea Lazarus Group — H1 2026 Systematic Crypto Theft Campaign: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.
- #1 publish by system:backfill, 2026-07-02 23:31:58Z. Score: ? → ? (no score change). Anchor: anchored
  - chain: mainnet-beta, slot 430,405,328
  - sig: 88JofaZwNvow…GRjR2pEQ
  - hash: D3SsVPawhNeP…omSkSUen (sha256 → base58)
  - canonical bytes: 39363 B
{"actor":"system:backfill","investigation_id":"dd0db8d8-86d7-4988-95a1-b35ea4d655cf","kind":"publish","page_slug":"north-korea-lazarus-group-h1-2026-systematic-crypto-theft-campaign","published_at":"2026-07-02T23:31:58.584Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"North Korea Lazarus Group — H1 2026 Systematic Crypto Theft Campaign","sections":[{"content":"The H1 2026 theft campaign is attributed to the Democratic People's Republic of Korea (DPRK) through multiple overlapping threat actor clusters tracked under different vendor taxonomies. TRM Labs attributes the campaign to 'North Korean operators tied to the Lazarus Group.' Mandiant/Google Threat Intelligence tracks the same actors under UNC4736, also known as AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pisces. Drift Protocol's own post-incident analysis cited 'medium confidence' attribution to UNC4736. The group operates within the DPRK's Reconnaissance General Bureau (RGB), with specific units including Lab 110/Bureau 121 (major heists and strategic intelligence), Bureau 325 (cryptocurrency targeting), and the 3rd Bureau which houses financially motivated sub-units including BlueNoroff, Sapphire Sleet, and TraderTraitor. Lazarus Group has been formally designated by the U.S. Treasury Department's Office of Foreign Assets Control (OFAC). 
A separate March 12, 2026 OFAC action sanctioned six individuals and two entities — including Amnokgang Technology Development Company — for facilitating DPRK IT worker fraud schemes that generated nearly $800 million in 2024 alone.","heading":"Attribution and Organizational Structure","severity":"critical","sources":[{"credibility":2,"name":"TRM Labs H1 2026 Crypto Hacks Report","type":"research","url":"https://www.trmlabs.com/resources/blog/h1-2026-crypto-hacks-reach-record-high-as-losses-fall-below-usd-1-billion"},{"credibility":1,"name":"OFAC Lazarus Group Designation — OFAC Sanctions Search","type":"regulatory","url":"https://sanctionssearch.ofac.treas.gov/Details.aspx?id=27307"},{"credibility":1,"name":"Treasury Sanctions Facilitators of DPRK IT Worker Fraud Targeting U.S. Businesses — U.S. Department of the Treasury, March 12, 2026","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/sb0416"},{"credibility":2,"name":"Lazarus Group: The Uncomfortable Truth About How North Korea Steals Billions — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/insights/lazarus-group-the-uncomfortable-truth-about-how-north-korea-steals-billions/"}]},{"content":"On April 1, 2026, approximately $285 million in user assets were drained from Drift Protocol, a decentralized perpetual futures exchange built on Solana, in roughly 12 minutes. TRM Labs and Elliptic both assessed the attack as likely perpetrated by North Korean state-sponsored actors. The attack is the second-largest exploit in Solana's history, behind the 2022 Wormhole bridge hack ($326 million). The operation was the culmination of a campaign that allegedly began in the fall of 2025. Attackers allegedly posed as a legitimate quantitative trading firm, deposited over $1 million of their own capital into Drift, and cultivated relationships with protocol contributors — reportedly appearing in person at multiple industry conferences over a period of months. 
The individuals who appeared in person were not North Korean nationals; DPRK threat actors at this operational level are known to deploy third-party intermediaries for face-to-face contact. The attack vector was not a smart contract vulnerability. Attackers allegedly used social engineering to induce Drift Security Council multisig signers into pre-signing transactions that appeared routine but carried hidden authorizations for critical administrative actions. Separately, on March 27, 2026, Drift migrated its Security Council to a new 2-of-5 threshold configuration with zero timelock, eliminating the delay that would have permitted detection and intervention. Attackers also manufactured a fictitious asset, CarbonVote Token (CVT), minting 750 million units with a few thousand dollars in seeded liquidity on Raydium and using wash trading to artificially establish a near-$1 price history. Drift's oracles accepted CVT as legitimate collateral. On-chain staging began March 11, 2026 with a 10 ETH withdrawal from Tornado Cash, deployed around 09:00 Pyongyang Standard Time. Durable nonce accounts — a legitimate Solana feature enabling pre-signed transactions to execute later without expiration — were created between March 23 and March 30. The drain executed on April 1 in approximately 12 minutes. Stolen USDC was moved across more than 100 transactions via Circle's Cross-Chain Transfer Protocol over six hours during U.S. business hours. 
The DRIFT token declined over 40% following the exploit.","heading":"Drift Protocol Exploit — $285 Million (April 1, 2026)","severity":"critical","sources":[{"credibility":2,"name":"North Korean Hackers Attack Drift Protocol in $285 Million Heist — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"credibility":2,"name":"$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"credibility":2,"name":"Drift Protocol Hack: How Privileged Access Led to a $285M Loss — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"},{"credibility":2,"name":"Drift Protocol exploited for $286 million in suspected DPRK-linked attack — Elliptic","type":"research","url":"https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack"},{"credibility":1,"name":"The long con: How North Korean spies spent months in-person to drain $285 million from Drift — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/04/30/north-korean-hackers-are-moving-faster-they-account-for-76-of-crypto-exploits-this-year-trmlabs"},{"credibility":2,"name":"Drift Protocol Exploit: Why 'Social Trust' Is the Newest Cybersecurity Gap — Crowell & Moring LLP","type":"other","url":"https://www.crowell.com/en/insights/client-alerts/drift-protocol-exploit-why-social-trust-is-the-newest-cybersecurity-gap"}]},{"content":"On April 18, 2026, approximately $292 million in rsETH (116,500 rsETH) was drained from KelpDAO's cross-chain bridge via LayerZero infrastructure, in what LayerZero Labs attributed to North Korea's Lazarus Group and specifically the TraderTraitor sub-cluster. The attack targeted off-chain infrastructure rather than smart contract logic. 
Attackers allegedly gained access to the list of RPC endpoints used by the LayerZero Labs Decentralized Verification Network (DVN), then compromised two independent RPC nodes running on separate clusters. They replaced binaries on the compromised nodes with custom malicious op-geth node software that forged verification messages to the DVN while reporting truthfully to all other IP addresses — including LayerZero's own Scan service — to evade detection. Attackers concurrently conducted DDoS attacks on the uncompromised RPC nodes, forcing failover to the poisoned nodes. The exploit was enabled in part by KelpDAO's bridge configuration: at the time of the incident, KelpDAO used a 1-of-1 DVN setup with LayerZero Labs as the sole verifier — a configuration that LayerZero states contradicts its own multi-DVN redundancy recommendations. LayerZero subsequently blamed KelpDAO's setup; KelpDAO countered that LayerZero had approved the configuration. Funds were released against a non-existent burn on the source chain. The exploit cascaded across nine interconnected protocols, triggered an estimated $10 billion withdrawal wave from Aave, caused approximately $8.54 billion in Aave deposit losses, and contributed to an approximately $200 million bad-debt crisis on that platform. On April 21, 2026, Arbitrum's Network Security Council froze 30,766 ETH (approximately $71 million) of attacker funds, recovering roughly 25% of the stolen assets. 
The KelpDAO hack represented the largest single crypto theft in H1 2026.","heading":"KelpDAO Bridge Exploit — $292 Million (April 18, 2026)","severity":"critical","sources":[{"credibility":2,"name":"LayerZero Labs KelpDAO Incident Report — LayerZero","type":"official","url":"https://layerzero.network/blog/layerzero-labs-kelpdao-incident-report"},{"credibility":2,"name":"KelpDAO Incident Statement — LayerZero","type":"official","url":"https://layerzero.network/blog/kelpdao-incident-statement"},{"credibility":1,"name":"LayerZero blames Kelp's setup for $290 million exploit, attributes it to North Korea's Lazarus — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/20/layerzero-blames-kelp-s-setup-for-usd290-million-exploit-attributes-it-to-north-korea-s-lazarus"},{"credibility":1,"name":"Kelp says LayerZero approved setup it blamed for $292 million bridge hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/web3/2026/05/05/kelp-claims-that-layerzero-approved-the-setup-it-blamed-for-usd292-million-bridge-hack"},{"credibility":2,"name":"Inside the KelpDAO Bridge Exploit — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/kelpdao-bridge-exploit-april-2026/"},{"credibility":2,"name":"KelpDAO suffers $290 million heist tied to Lazarus hackers — Bleeping Computer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/kelpdao-suffers-290-million-heist-tied-to-lazarus-hackers/"},{"credibility":2,"name":"LayerZero Post Mortem Shows Lazarus Group Stole $290M From KelpDAO via RPC Node Compromise — The Defiant","type":"news_article","url":"https://thedefiant.io/news/hacks/lazarus-kelpdao-290m-layerzero-rpc-hack-da50p3"},{"credibility":2,"name":"KelpDAO confirms $290M hack linked to North Korea's Lazarus Group — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/kelpdao-confirms-290m-hack-linked-to-north-koreas-lazarus-group/"}]},{"content":"TRM Labs' H1 2026 report 
identifies a documented shift in DPRK attack methodology away from direct smart contract exploits and toward infrastructure-level and human-layer compromise. Smart contract exploits accounted for approximately 125 of 207 H1 2026 incidents (roughly 60%) but represented a smaller share of total losses. By contrast, infrastructure and operational compromises — including compromised private keys, custody systems, and signing infrastructure — accounted for approximately 15% of incidents but roughly 76% of total stolen value. Across the Drift and KelpDAO incidents, the common thread is not a cryptographic or code-level vulnerability but the compromise of trusted human or operational systems: multisig signers deceived into pre-signing malicious transactions in the Drift case, and RPC node binaries replaced with forged verification software in the KelpDAO case. TRM Labs' Global Head of Policy, Ari Redbord, stated: 'North Korea is moving faster and more precisely than ever' and 'The industry has improved at auditing code, but our operational security has not kept pace with our on-chain complexity.' The DPRK apparatus has also increasingly relied on embedding IT workers inside targeted crypto organizations to gain privileged system access over extended periods before executing large-scale drains. 
The FBI and DOJ have described this as the largest identity-theft operation of its kind.","heading":"Shift in Attack Methodology: Infrastructure and Human Layer Compromise","severity":"critical","sources":[{"credibility":2,"name":"TRM Labs H1 2026 Crypto Hacks Report","type":"research","url":"https://www.trmlabs.com/resources/blog/h1-2026-crypto-hacks-reach-record-high-as-losses-fall-below-usd-1-billion"},{"credibility":1,"name":"North Korean hackers are moving faster — they account for 76% of crypto exploits this year: TRM Labs — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/04/30/north-korean-hackers-are-moving-faster-they-account-for-76-of-crypto-exploits-this-year-trmlabs"},{"credibility":2,"name":"DPRK Employment Fraud Targeting Crypto Companies — Nisos","type":"research","url":"https://nisos.com/blog/dprk-employment-fraud-crypto-companies/"},{"credibility":2,"name":"DPRK Employment Fraud Targeting Crypto Companies — Security Boulevard","type":"news_article","url":"https://securityboulevard.com/2026/05/dprk-employment-fraud-targeting-crypto-companies/"}]},{"content":"A parallel DPRK revenue and access vector documented across multiple intelligence reports involves North Korean nationals fraudulently obtaining remote employment at Western technology and cryptocurrency firms. CrowdStrike identified a 220% year-over-year increase in North Koreans gaining fraudulent employment at Western companies in 2025. Estimates from multiple researchers suggest up to 20% of crypto firms may unknowingly employ North Korean workers, and that 30-40% of crypto job applicants at some firms may represent DPRK infiltration attempts. The U.S. State Department estimated DPRK IT worker schemes generated approximately $800 million in 2024. 
OFAC's March 2026 action sanctioned six individuals and two entities — including Nguyen Quang Viet, Do Phi Khanh, Hoang Van Nguyen, Yun Song Guk, Hoang Minh Quang, York Louis Celestino Herrera, Amnokgang Technology Development Company, and Quangvietdnbg International Services Company Limited — for facilitating these schemes across Vietnam, Laos, and Spain. Treasury stated that 'North Korean regime targets American companies through deceptive schemes carried out by its overseas IT operatives, who weaponize sensitive data and extort businesses for substantial payments.' TRM Labs' H1 2026 report cited a 220% rise in DPRK IT worker infiltration cases in 2025 and noted expanded reliance on IT worker infiltration at exchanges, custodians, and web3 firms to accelerate initial access and lateral movement ahead of large-scale theft. Beyond standard employment fraud, DPRK operatives have also adopted recruiter impersonation — posing as hiring managers for prominent web3 and AI firms and orchestrating fake technical screens designed to harvest credentials, source code, and VPN or SSO access to the victim's employer.","heading":"DPRK IT Worker Infiltration Campaign","severity":"critical","sources":[{"credibility":1,"name":"Treasury Sanctions Facilitators of DPRK IT Worker Fraud Targeting U.S. Businesses — U.S. Department of the Treasury, March 12, 2026","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/sb0416"},{"credibility":2,"name":"OFAC Targets DPRK IT Workers Using Crypto — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/ofac-targets-north-korean-it-workers-crypto-march-2026/"},{"credibility":2,"name":"OFAC Sanctions DPRK IT Worker Network Funding WMD Programs Through Fake Remote Jobs — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/03/ofac-sanctions-dprk-it-worker-network.html"},{"credibility":1,"name":"U.S. 
sanctions network that allegedly laundered $800 million in crypto for North Korea — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/03/13/u-s-sanctions-6-people-2-companies-that-laundered-usd800-million-in-crypto-for-north-korea"},{"credibility":2,"name":"North Korea has infiltrated up to 20% of crypto firms — Crypto News","type":"news_article","url":"https://crypto.news/north-korea-has-infiltrated-up-to-20-of-crypto-firms/"},{"credibility":1,"name":"North Korean workers are taking remote U.S. jobs. This company set a trap to expose one — NBC News","type":"news_article","url":"https://www.nbcnews.com/investigations/north-korea-it-worker-scheme-nisos-fbi-rcna245025"},{"credibility":2,"name":"From Deepfakes to Sanctions Violations: The Rise of North Korean Remote IT Worker Schemes — Crowell & Moring LLP","type":"other","url":"https://www.crowell.com/en/insights/client-alerts/from-deepfakes-to-sanctions-violations-the-rise-of-north-korean-remote-it-worker-schemes"}]},{"content":"DPRK-attributed cryptocurrency theft since 2017 has now exceeded $6 billion, according to TRM Labs, with the figure representing only incidents where attribution confidence is assessed as medium or higher based on on-chain analysis, operational tradecraft, and corroborating intelligence. Chainalysis, in its full-year 2025 report published in December 2025, placed the all-time DPRK theft total at approximately $6.75 billion across roughly 270 incidents. The year-by-year escalation documented by multiple firms is: 2022 — approximately $810 million (16 incidents); 2023 — approximately $647 million (27 incidents); 2024 — approximately $975 million (62 incidents); 2025 — approximately $2.06 billion (80 incidents, a 51% year-over-year increase); H1 2026 — $643 million attributed. North Korea's share of total global crypto hack losses has risen from below 10% in 2020-2021 to 22% in 2022, 37% in 2023, 39% in 2024, 64% in 2025, and 66% in H1 2026. 
The February 2025 Bybit hack ($1.5 billion, attributed by the FBI to Lazarus Group) was the single largest crypto theft on record before H1 2026 and involved compromise of a Safe{Wallet} developer's workstation via social engineering, enabling malicious JavaScript injection into the multisig interface. Prior major incidents include the 2022 Axie Infinity/Ronin bridge hack ($622 million) and the 2022 Harmony Horizon bridge hack ($100 million), both formally attributed by the FBI and OFAC.","heading":"Cumulative Scale and Historical Context","severity":"high","sources":[{"credibility":2,"name":"The Block: North Korea accounts for 76% of 2026 crypto hack losses, with theft since 2017 topping $6 billion: TRM Labs","type":"news_article","url":"https://www.theblock.co/post/399569/north-korea-accounts-for-76-of-2026-crypto-hack-losses-with-theft-since-2017-topping-6-billion-trm-labs"},{"credibility":2,"name":"2025 Crypto Theft Reaches $3.4 Billion — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2026/"},{"credibility":1,"name":"North Korea stole $2 billion in crypto in 2025, Chainalysis says — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2025/12/18/north-korean-hackers-stole-a-record-usd2b-of-crypto-in-2025-chainalysis-says"},{"credibility":1,"name":"North Korea stole a record $2B in crypto this year — The Register","type":"news_article","url":"https://www.theregister.com/2025/12/18/north_korea_stole_2b_crypto_2025"},{"credibility":2,"name":"FBI Confirms North Korean Lazarus Group Behind $1.5 Billion Bybit Crypto Heist — Picus Security","type":"news_article","url":"https://www.picussecurity.com/resource/blog/fbi-north-korean-lazarus-group-bybit-crypto-heist"},{"credibility":1,"name":"The ByBit Heist and the Future of U.S. 
Crypto Regulation — CSIS","type":"research","url":"https://www.csis.org/analysis/bybit-heist-and-future-us-crypto-regulation"}]},{"content":"Following major thefts, DPRK-linked actors have demonstrated patient, multi-year cash-out patterns that complicate asset recovery. After the Drift Protocol exploit, stolen USDC was converted and bridged across 100+ transactions using Circle's Cross-Chain Transfer Protocol within hours. In the KelpDAO case, proceeds were converted to USDC, bridged to Ethereum, and swapped to ETH — a pattern consistent with prior DPRK laundering tradecraft. Chainalysis documented a 45-day laundering cycle following major thefts in 2025. DPRK actors show documented preference for Chinese-language over-the-counter money laundering services, bridge protocols, and mixing services. OFAC sanctioned Blender.io (May 2022) and Tornado Cash (November 2022) for providing mixing services to Lazarus Group. Sinbad.io was subsequently sanctioned in late 2023 for processing millions in Lazarus proceeds including from the Horizon Bridge and Axie Infinity heists. Multiple researchers have noted that Circle, as USDC issuer, holds unilateral authority to freeze stolen funds but reportedly did not act on DPRK-linked transactions during the Drift exploit despite the transactions occurring during U.S. business hours.","heading":"Fund Laundering Patterns","severity":"high","sources":[{"credibility":1,"name":"Treasury Sanctions Mixer Used by the DPRK to Launder Stolen Virtual Currency (Blender.io) — U.S. Department of the Treasury","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/jy1933"},{"credibility":1,"name":"Treasury Targets DPRK Malicious Cyber and Illicit IT Worker Activities — U.S. 
Department of the Treasury","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/jy1498"},{"credibility":2,"name":"OFAC sanctions individuals, entities, and crypto wallets associated with North Korean cyber activities — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/ofac-sanctions-individuals-entities-and-crypto-wallets-associated-with-north-korean-cyber-activities"},{"credibility":2,"name":"Lazarus Group: The Uncomfortable Truth About How North Korea Steals Billions — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/insights/lazarus-group-the-uncomfortable-truth-about-how-north-korea-steals-billions/"}]},{"content":"The two April 2026 attacks had cascading effects on broader DeFi markets. The KelpDAO exploit alone triggered an estimated $10-$13 billion withdrawal wave from Aave, resulting in approximately $8.54 billion in deposit losses and a roughly $200 million bad-debt crisis on that platform. DeFi total value locked (TVL) fell to approximately $70 billion by H1 2026, a two-year low, down from $120 billion earlier in the year, with $55 billion in capital outflows attributed to the period. The DRIFT token declined over 40% following the Drift Protocol exploit. 
The cumulative impact of DPRK theft operations on market confidence was cited by multiple analysts as a contributing factor to accelerated DeFi outflows.","heading":"Market and Ecosystem Impact","severity":"high","sources":[{"credibility":2,"name":"Crypto Hacks Hit Record High in H1 2026: What's Fueling the Surge — AMB Crypto","type":"news_article","url":"https://ambcrypto.com/crypto-hacks-hit-record-high-in-h1-2026-whats-fueling-the-surge/"},{"credibility":2,"name":"TRM Labs H1 2026 Crypto Hacks Report","type":"research","url":"https://www.trmlabs.com/resources/blog/h1-2026-crypto-hacks-reach-record-high-as-losses-fall-below-usd-1-billion"},{"credibility":1,"name":"North Korean hackers tied to $290M crypto heist, firm says — UPI","type":"news_article","url":"https://www.upi.com/Top_News/World-News/2026/04/22/KelpDAO-LayerZero-North-Korea-crypto-hack-theft-Lazarus-Group/6151776848419/"}]},{"content":"The U.S. government response to DPRK cryptocurrency theft has included formal FBI attribution statements, OFAC sanctions on infrastructure (mixers, individuals, entities), and DOJ criminal indictments in prior years. The March 12, 2026 OFAC action targeted a network operating across Vietnam, Laos, and Spain with six individuals and two entities sanctioned for facilitating IT worker fraud generating approximately $800 million in 2024. The U.S. Attorney for the District of Columbia described the broader DPRK IT worker scheme as a 'code red,' and the DOJ has characterized it as the largest identity-theft operation of its kind. CSIS analysis following the February 2025 Bybit hack called for updated U.S. crypto regulation to address the systemic vulnerability exposed by state-sponsored attacks at this scale. The Treasury Department's press releases confirm that DPRK cryptocurrency theft proceeds are directed toward the country's weapons of mass destruction and ballistic missile programs. 
No criminal prosecutions of DPRK nationals directly involved in H1 2026 hacks had been publicly announced as of the reporting date, consistent with the jurisdictional constraints of prosecuting state-sponsored actors in sanctioned jurisdictions.","heading":"Regulatory and Government Response","severity":"high","sources":[{"credibility":1,"name":"Treasury Sanctions Facilitators of DPRK IT Worker Fraud Targeting U.S. Businesses — U.S. Department of the Treasury, March 12, 2026","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/sb0416"},{"credibility":1,"name":"Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus Group — U.S. Department of the Treasury","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/sm924"},{"credibility":1,"name":"The ByBit Heist and the Future of U.S. Crypto Regulation — CSIS","type":"research","url":"https://www.csis.org/analysis/bybit-heist-and-future-us-crypto-regulation"},{"credibility":2,"name":"Beyond IT Worker Fraud: OFAC's Latest DPRK Designations Show Broader Sanctions and National Security Risk — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/beyond-it-worker-fraud-ofacs-latest-dprk-designations-show-broader-sanctions-and-national-security-risk"}]}],"sources_used":[{"credibility":2,"name":"TRM Labs H1 2026 Crypto Hacks Report","type":"research","url":"https://www.trmlabs.com/resources/blog/h1-2026-crypto-hacks-reach-record-high-as-losses-fall-below-usd-1-billion"},{"credibility":2,"name":"North Korean Hackers Attack Drift Protocol in $285 Million Heist — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"credibility":2,"name":"LayerZero Labs KelpDAO Incident Report — LayerZero","type":"official","url":"https://layerzero.network/blog/layerzero-labs-kelpdao-incident-report"},{"credibility":2,"name":"KelpDAO Incident Statement — 
LayerZero","type":"official","url":"https://layerzero.network/blog/kelpdao-incident-statement"},{"credibility":1,"name":"LayerZero blames Kelp's setup for $290 million exploit, attributes it to North Korea's Lazarus — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/20/layerzero-blames-kelp-s-setup-for-usd290-million-exploit-attributes-it-to-north-korea-s-lazarus"},{"credibility":1,"name":"Kelp says LayerZero approved setup it blamed for $292 million bridge hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/web3/2026/05/05/kelp-claims-that-layerzero-approved-the-setup-it-blamed-for-usd292-million-bridge-hack"},{"credibility":1,"name":"North Korean hackers are moving faster — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/04/30/north-korean-hackers-are-moving-faster-they-account-for-76-of-crypto-exploits-this-year-trmlabs"},{"credibility":2,"name":"$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"credibility":2,"name":"Drift Protocol Hack: How Privileged Access Led to a $285M Loss — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"},{"credibility":2,"name":"Inside the KelpDAO Bridge Exploit — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/kelpdao-bridge-exploit-april-2026/"},{"credibility":2,"name":"Drift Protocol exploited for $286 million in suspected DPRK-linked attack — Elliptic","type":"research","url":"https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack"},{"credibility":2,"name":"KelpDAO suffers $290 million heist tied to Lazarus hackers — Bleeping 
Computer","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/kelpdao-suffers-290-million-heist-tied-to-lazarus-hackers/"},{"credibility":2,"name":"KelpDAO confirms $290M hack linked to North Korea's Lazarus Group — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/kelpdao-confirms-290m-hack-linked-to-north-koreas-lazarus-group/"},{"credibility":2,"name":"LayerZero Post Mortem Shows Lazarus Group Stole $290M From KelpDAO via RPC Node Compromise — The Defiant","type":"news_article","url":"https://thedefiant.io/news/hacks/lazarus-kelpdao-290m-layerzero-rpc-hack-da50p3"},{"credibility":1,"name":"Treasury Sanctions Facilitators of DPRK IT Worker Fraud Targeting U.S. Businesses — U.S. Department of the Treasury, March 12, 2026","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/sb0416"},{"credibility":1,"name":"OFAC Lazarus Group Designation — OFAC Sanctions Search","type":"regulatory","url":"https://sanctionssearch.ofac.treas.gov/Details.aspx?id=27307"},{"credibility":1,"name":"Treasury Sanctions Mixer Used by the DPRK to Launder Stolen Virtual Currency — U.S. Department of the Treasury","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/jy1933"},{"credibility":1,"name":"Treasury Targets DPRK Malicious Cyber and Illicit IT Worker Activities — U.S. 
Department of the Treasury","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/jy1498"},{"credibility":2,"name":"OFAC Targets DPRK IT Workers Using Crypto — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/ofac-targets-north-korean-it-workers-crypto-march-2026/"},{"credibility":2,"name":"2025 Crypto Theft Reaches $3.4 Billion — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2026/"},{"credibility":1,"name":"North Korea stole $2 billion in crypto in 2025, Chainalysis says — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2025/12/18/north-korean-hackers-stole-a-record-usd2b-of-crypto-in-2025-chainalysis-says"},{"credibility":1,"name":"The ByBit Heist and the Future of U.S. Crypto Regulation — CSIS","type":"research","url":"https://www.csis.org/analysis/bybit-heist-and-future-us-crypto-regulation"},{"credibility":2,"name":"Lazarus Group: The Uncomfortable Truth About How North Korea Steals Billions — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/insights/lazarus-group-the-uncomfortable-truth-about-how-north-korea-steals-billions/"},{"credibility":2,"name":"Crypto Hacks Hit Record High in H1 2026: What's Fueling the Surge — AMB Crypto","type":"news_article","url":"https://ambcrypto.com/crypto-hacks-hit-record-high-in-h1-2026-whats-fueling-the-surge/"},{"credibility":2,"name":"North Korea has infiltrated up to 20% of crypto firms — Crypto News","type":"news_article","url":"https://crypto.news/north-korea-has-infiltrated-up-to-20-of-crypto-firms/"},{"credibility":1,"name":"North Korean workers are taking remote U.S. jobs. This company set a trap to expose one — NBC News","type":"news_article","url":"https://www.nbcnews.com/investigations/north-korea-it-worker-scheme-nisos-fbi-rcna245025"},{"credibility":2,"name":"OFAC Sanctions DPRK IT Worker Network Funding WMD Programs Through Fake Remote Jobs — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/03/ofac-sanctions-dprk-it-worker-network.html"},{"credibility":1,"name":"U.S. sanctions network that allegedly laundered $800 million in crypto for North Korea — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2026/03/13/u-s-sanctions-6-people-2-companies-that-laundered-usd800-million-in-crypto-for-north-korea"},{"credibility":2,"name":"DPRK Employment Fraud Targeting Crypto Companies — Nisos","type":"research","url":"https://nisos.com/blog/dprk-employment-fraud-crypto-companies/"},{"credibility":2,"name":"Beyond IT Worker Fraud: OFAC's Latest DPRK Designations — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/beyond-it-worker-fraud-ofacs-latest-dprk-designations-show-broader-sanctions-and-national-security-risk"},{"credibility":1,"name":"North Korea stole a record $2B in crypto this year — The Register","type":"news_article","url":"https://www.theregister.com/2025/12/18/north_korea_stole_2b_crypto_2025"},{"credibility":2,"name":"TRM Labs North Korea accounts for 76% — crypto.news","type":"news_article","url":"https://crypto.news/trm-labs-north-korea-linked-hackers-drive-76-of-2026-crypto-thefts/"}],"summary":"North Korea-linked threat actors, operating under cluster names including Lazarus Group and TraderTraitor (UNC4736), are alleged to have stolen approximately $643 million in cryptocurrency during the first half of 2026 — representing roughly 66% of the $972 million stolen across 207 documented incidents globally in that period, according to blockchain intelligence firm TRM Labs. Two anchor attacks, the $285 million Drift Protocol exploit on April 1 and the $292 million KelpDAO bridge exploit on April 18, together accounted for approximately 59% of all H1 2026 crypto hack losses. Cumulative DPRK-attributed crypto theft since 2017 has now exceeded $6 billion across an estimated 270+ incidents, according to multiple blockchain intelligence firms.","timeline":[{"date":"2017-01-01","event":"DPRK-linked crypto theft operations began, per TRM Labs attribution baseline. Cumulative total will exceed $6 billion by H1 2026.","source":"TRM Labs H1 2026 Report","source_url":"https://www.trmlabs.com/resources/blog/h1-2026-crypto-hacks-reach-record-high-as-losses-fall-below-usd-1-billion"},{"date":"2022-03-23","event":"Lazarus Group executes $622 million Axie Infinity/Ronin bridge hack, the largest crypto theft to that date. FBI formally attributed it to Lazarus Group in April 2022.","source":"OFAC / FBI attribution","source_url":"https://home.treasury.gov/news/press-releases/jy0768"},{"date":"2022-05-06","event":"OFAC sanctions Blender.io, the first-ever designation of a virtual currency mixer, for providing services to Lazarus Group.","source":"U.S. Department of the Treasury","source_url":"https://home.treasury.gov/news/press-releases/jy1933"},{"date":"2023-12-01","event":"OFAC sanctions Sinbad.io virtual currency mixer for processing millions in Lazarus Group proceeds from the Horizon Bridge and Axie Infinity heists.","source":"OFAC / Chainalysis","source_url":"https://www.whitecollarlawblog.com/2023/12/ofac-sanctions-crypto-mixer-following-allegations-of-laundering-funds-to-north-korea/"},{"date":"2025-02-21","event":"Lazarus Group executes the $1.5 billion Bybit hack, at the time the single largest crypto theft on record, via compromise of a Safe{Wallet} developer's workstation and malicious JavaScript injection.","source":"FBI / Chainalysis / CSIS","source_url":"https://www.csis.org/analysis/bybit-heist-and-future-us-crypto-regulation"},{"date":"2025-12-18","event":"Chainalysis publishes full-year 2025 report: North Korea stole $2.02 billion in 2025, a 51% year-over-year increase, pushing all-time DPRK crypto theft to approximately $6.75 billion.","source":"Chainalysis / CoinDesk","source_url":"https://www.coindesk.com/business/2025/12/18/north-korean-hackers-stole-a-record-usd2b-of-crypto-in-2025-chainalysis-says"},{"date":"2025-09-01","event":"Alleged start of Drift Protocol social engineering campaign. DPRK operatives allegedly began cultivating relationships with Drift contributors, posing as a quantitative trading firm.","source":"TRM Labs / The Hacker News","source_url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"date":"2026-03-11","event":"On-chain staging for Drift Protocol attack begins: 10 ETH withdrawn from Tornado Cash, deployed around 09:00 Pyongyang Standard Time to fund CarbonVote Token deployment.","source":"TRM Labs","source_url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"date":"2026-03-12","event":"OFAC sanctions six DPRK IT worker facilitators and two entities (including Amnokgang Technology Development Company) for schemes generating nearly $800 million in 2024.","source":"U.S. Department of the Treasury","source_url":"https://home.treasury.gov/news/press-releases/sb0416"},{"date":"2026-03-23","event":"Attackers create multiple durable nonce accounts on Solana — a feature enabling pre-signed transactions to execute later without expiration — in preparation for the Drift exploit.","source":"TRM Labs","source_url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"date":"2026-03-27","event":"Drift Protocol migrates its Security Council to a new 2-of-5 threshold configuration with zero timelock, eliminating the delay that would have permitted detection and intervention.","source":"TRM Labs","source_url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"date":"2026-04-01","event":"Drift Protocol is drained of approximately $285 million in roughly 12 minutes. Stolen USDC is moved across 100+ transactions via Circle's CCTP over six hours. DRIFT token falls over 40%.","source":"TRM Labs / Elliptic / The Hacker News","source_url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"date":"2026-04-18","event":"KelpDAO's LayerZero bridge is drained of approximately $292 million in rsETH. Attackers compromise two RPC nodes and DDoS remaining nodes, forcing failover to poisoned infrastructure. Cascading effects trigger an estimated $10 billion Aave withdrawal wave.","source":"LayerZero / Chainalysis / CoinDesk","source_url":"https://layerzero.network/blog/layerzero-labs-kelpdao-incident-report"},{"date":"2026-04-20","event":"LayerZero publishes incident report attributing the KelpDAO exploit to DPRK's Lazarus Group / TraderTraitor, citing KelpDAO's single-DVN configuration as a critical enabling factor.","source":"LayerZero / CoinDesk","source_url":"https://www.coindesk.com/tech/2026/04/20/layerzero-blames-kelp-s-setup-for-usd290-million-exploit-attributes-it-to-north-korea-s-lazarus"},{"date":"2026-04-21","event":"Arbitrum Network Security Council freezes 30,766 ETH (approximately $71 million) of KelpDAO attacker funds, recovering roughly 25% of stolen assets.","source":"Crypto Briefing / Spoted Crypto","source_url":"https://cryptobriefing.com/kelpdao-confirms-290m-hack-linked-to-north-koreas-lazarus-group/"},{"date":"2026-04-30","event":"CoinDesk publishes TRM Labs-sourced reporting that DPRK actors account for 76% of 2026 crypto exploit losses through April, with cumulative theft since 2017 topping $6 billion.","source":"CoinDesk / TRM Labs","source_url":"https://www.coindesk.com/business/2026/04/30/north-korean-hackers-are-moving-faster-they-account-for-76-of-crypto-exploits-this-year-trmlabs"},{"date":"2026-05-05","event":"KelpDAO publicly disputes LayerZero's attribution of blame to KelpDAO's configuration, stating that LayerZero had approved the single-DVN setup.","source":"CoinDesk","source_url":"https://www.coindesk.com/web3/2026/05/05/kelp-claims-that-layerzero-approved-the-setup-it-blamed-for-usd292-million-bridge-hack"},{"date":"2026-06-30","event":"TRM Labs publishes H1 2026 crypto hacks report: 207 incidents totaling $972 million, with $643 million (66%) attributed to DPRK actors. Q2 2026 recorded 123 incidents, a record-setting quarter.","source":"TRM Labs","source_url":"https://www.trmlabs.com/resources/blog/h1-2026-crypto-hacks-reach-record-high-as-losses-fall-below-usd-1-billion"}]},"v":1}
Verify offline (run on your own machine): python -m src.verify_decision 06d90eda-c6fd-44f7-8c0b-b83896591b99
How verification works. The “Row integrity” check above is computed in your browser: your machine recomputes the SHA-256 of the canonical bytes and compares it against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms that the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine: python -m src.verify_decision <event_id>.