North Korea’s crypto heist playbook is expanding and DeFi keeps getting hit
Less than three weeks after North Korea-linked hackers used social engineering to target the crypto trading firm Drift, hackers associated with the nation have executed another major exploit, this time against Kelp. The attack on Kelp, a restaking protocol integrated with LayerZero’s cross-chain infrastructure, indicates a shift in the tactics employed by North Korea-linked hackers. Instead of focusing solely on exploiting bugs or stolen credentials, they are now targeting the fundamental assumptions underlying decentralized systems.
The recent breaches at Drift and Kelp suggest a coordinated effort by North Korea to infiltrate the crypto sector and hijack funds. Alexander Urbelis, Chief Information Security Officer and General Counsel at ENS Labs, noted that these incidents are not isolated occurrences but rather part of a larger strategy employed by the hackers.
Over $500 million was drained from the Drift and Kelp exploits within a span of just over two weeks. This staggering amount highlights the severity of the situation and the need for enhanced security measures within the crypto industry.
The breach at Kelp did not involve breaking encryption or compromising keys. Instead, the attackers manipulated the data inputs into the system, causing it to approve transactions based on falsified information. This highlights a critical flaw in the system’s design, where the emphasis was on verifying the sender of the message rather than the accuracy of the message itself.
David Schwed, COO of blockchain security firm SVRN, emphasized that the attack exploited the system’s configuration, rather than exploiting cryptographic vulnerabilities. The reliance on a single verifier in Kelp’s setup proved to be a significant weakness, as it removed a crucial layer of security. LayerZero has since recommended using multiple independent verifiers to approve transactions to prevent similar breaches in the future.
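The single-verifier weakness the two experts describe can be shown with a small model of the verification decision. This is an added example, not code from Kelp or LayerZero: the configuration shape (a set of required verifiers plus an optional set with a threshold), the verifier names and the payloads are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class VerifierConfig:
    """Assumed shape of a cross-chain verification config (not LayerZero's real one)."""
    required: frozenset          # every one of these must attest to the payload
    optional: frozenset = frozenset()
    optional_threshold: int = 0  # how many optional verifiers must also attest


# Constructed sample payloads: what the source chain really sent vs. what an
# attacker wants the destination chain to believe was sent.
HONEST_PAYLOAD = b"credit 100 units to 0xRECIPIENT (constructed)"
FORGED_PAYLOAD = b"credit 100000 units to 0xATTACKER (constructed)"


def payload_hash(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


def is_verified(cfg: VerifierConfig, attestations: dict, claimed_hash: str) -> bool:
    """attestations maps verifier name -> payload hash that verifier attested to.
    The destination only checks that the configured verifiers agree on the
    claimed hash; it has no independent way to check the payload's accuracy."""
    if any(attestations.get(v) != claimed_hash for v in cfg.required):
        return False
    agreeing = sum(1 for v in cfg.optional if attestations.get(v) == claimed_hash)
    return agreeing >= cfg.optional_threshold


def simulate(cfg: VerifierConfig, compromised: set) -> dict:
    """Honest verifiers attest to the real payload; compromised ones attest to the
    forged payload. Returns which of the two payloads the destination would accept."""
    real, forged = payload_hash(HONEST_PAYLOAD), payload_hash(FORGED_PAYLOAD)
    attestations = {v: (forged if v in compromised else real)
                    for v in cfg.required | cfg.optional}
    return {"honest_delivered": is_verified(cfg, attestations, real),
            "forged_delivered": is_verified(cfg, attestations, forged)}


# Weak setting: one verifier is the whole security layer.
SINGLE_VERIFIER = VerifierConfig(required=frozenset({"verifier_a"}))
# Corrected setting: two independent required verifiers plus 1-of-2 optional ones.
MULTI_VERIFIER = VerifierConfig(required=frozenset({"verifier_a", "verifier_b"}),
                                optional=frozenset({"verifier_c", "verifier_d"}),
                                optional_threshold=1)

if __name__ == "__main__":
    print("single, verifier_a compromised:", simulate(SINGLE_VERIFIER, {"verifier_a"}))
    print("multi, verifier_a compromised: ", simulate(MULTI_VERIFIER, {"verifier_a"}))
```

With the single-verifier configuration, compromising that one verifier is enough for the forged payload to pass; with the multi-verifier configuration the same compromise halts delivery but cannot make the forged payload verify.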
The repercussions of the Kelp exploit have extended beyond the protocol itself, impacting other platforms that accepted the compromised assets as collateral. This interconnected nature of DeFi systems underscores the importance of robust security measures across the entire ecosystem.
The attack on Kelp also sheds light on the disparity between the marketing of decentralization and its implementation in practice. Schwed pointed out that a single verifier does not align with the principles of decentralization, highlighting the need for a more distributed approach to security.
Urbelis emphasized that decentralization is a result of deliberate choices made in the system’s design, and weaknesses can exist in less visible layers such as data providers and infrastructure. Lazarus, the group behind the recent attacks, has shifted its focus to cross-chain and restaking infrastructure, targeting critical components of the crypto ecosystem.
As attackers continue to evolve their tactics, the industry must address known vulnerabilities and prioritize security as a non-negotiable requirement. The Kelp exploit serves as a stark reminder of the vulnerabilities present in the ecosystem and the urgent need for proactive security measures.
In conclusion, the crypto sector must remain vigilant and proactive in addressing security threats to safeguard the integrity of the industry. By learning from past breaches and implementing robust security protocols, the industry can mitigate risks and protect against future attacks.