North Korea's Lazarus Group drained $577 million from two DeFi protocols in just 18 days. This OSINT investigation follows the money — from social-engineered admin keys on Drift Protocol to a $292M LayerZero bridge exploit on Kelp DAO, through THORChain mixers and chain-hopping laundering trails.
Built entirely from primary sources: Chainalysis 2026 Crypto Crime Report, TRM Labs DPRK analysis, FBI/CISA joint advisories, Halborn post-mortem, on-chain TVL data from DefiLlama, and verified reporting from Bloomberg, CoinDesk, Yahoo Finance, and Unchained Crypto.
No speculation. No filler. Every figure cited.
CHAPTERS
00:00 Cold Open — Two Protocols, One Enemy
00:40 The Stakes — Why DeFi Bridges Matter
01:15 Drift Protocol Heist — $285M, April 1
02:48 Kelp DAO Heist — $292M, April 18
04:08 Contagion — $13.29B TVL Wipeout
04:53 The Laundering Trail — Chain-Hop to Cash-Out
05:20 Financial Cold War — Sanctions vs. Smart Contracts
06:24 Industry Response — Multi-DVN, Audits, Silence
06:39 The Fix — What LayerZero Changed
07:52 Closer — $6B+ Since 2017, This Was One Chapter
KEY FIGURES
- Drift Protocol: $285M drained April 1, 2026 (Bloomberg, Chainalysis)
- Kelp DAO: $292M drained April 18, 2026 (CoinDesk, Halborn)
- Combined Loss: $577M (TRM Labs, verified figure)
- Sector TVL Drop: $13.29B (DefiLlama)
- Laundering Path: $80M ETH through THORChain (Yahoo Finance)
- Aave Outflows: $6B during contagion window (CoinDesk)
- Total Withdrawn from DeFi: $8.45B (CoinDesk)
- DPRK Cumulative Theft Since 2017: $6B+ (Elliptic, Wilson Center, FBI)
- DPRK Share of 2026 Crypto Hack Value: 76% (TRM Labs)
The question isn't whether multi-DVN works. It's why every bridge isn't using it yet.
--------------------------------------------------------------------------------
SOURCE CITATIONS
--------------------------------------------------------------------------------
- Chainalysis 2026 Crypto Crime Report (Drift attribution, social engineering quote)
- TRM Labs DPRK Analysis Q2 2026 ($577M combined figure, 76% share statistic)
- FBI IC3 / CISA Joint Cybersecurity Advisory (Lazarus attribution)
- Bloomberg ($285M Drift figure, April 1 2026 timing)
- CoinDesk ($292M Kelp, $71M Arbitrum freeze, 20-chain spread, $6B Aave outflow, $8.45B withdrawn)
- Halborn Security (Kelp DAO post-mortem, 116,500 rsETH burned)
- Yahoo Finance ($80M ETH routed through THORChain)
- LayerZero Official Incident Statement (Multi-DVN policy change)
- Unchained Crypto (Drift post-mortem, April 6 disclosure timing)
- Blockaid DVN Security Audit (GitHub, public)
- DefiLlama ($13.29B sector TVL drop, on-chain data)
- Elliptic / Wilson Center / FBI ($6B+ cumulative DPRK theft since 2017)
- Chainalysis verbatim expert quote on Drift social engineering vector
All claims traceable to public reporting or on-chain data. No anonymous sources, no speculation.
