AI-driven cryptocurrency hacks deplete $600 million from DeFi as North Korea capitalizes on the increase.
**Summary**: Two hacks associated with North Korea in April resulted in the theft of nearly $600 million from DeFi protocols Drift Protocol ($285 million) and Kelp DAO ($292 million). Cybersecurity experts suspect the attackers employed AI to choose targets and create exploits. The Kelp DAO breach led to $9 billion being withdrawn from Aave within two days, highlighting the fragility of DeFi systems.
The hacks occurred a little over two weeks apart. On April 1, attackers siphoned off around $285 million from Drift Protocol, a derivatives exchange on Solana, after pretending to be a quantitative trading firm and misleading employees into approving harmful transactions. On April 18, a different group took advantage of a flaw in Kelp DAO’s cross-chain bridge, extracting roughly $292 million in wrapped ether. Together, these incidents made up nearly $600 million in losses, representing 76% of total crypto theft losses in 2026 so far, according to TRM Labs.
According to Bloomberg, both incidents are attributed to groups linked to North Korea. However, researchers are more concerned about the techniques used than about the amounts stolen. Nick Carlsen, a TRM investigator and former FBI analyst with expertise in North Korean cybercrime, noted that the complexity of these April hacks indicates the potential use of AI for targeting and exploit design, stating that this marks a shift in North Korea's hacking methodologies.
**Contagion Effect**
The Drift hack severely affected the platform. The attackers created a fake token, fabricated an inflated trading history to gain credibility, and used it as collateral to extract actual assets in about 12 minutes. The total value locked in Drift plummeted from $550 million to below $300 million within an hour, forcing the exchange to suspend operations and plan a relaunch with a $148 million rescue package from stablecoin issuer Tether. Another smaller DeFi project, Carrot, which had used Drift-associated vaults, announced on April 30 that it would completely close.
The Kelp DAO breach was damaging in a different way. Instead of cashing out immediately, the assailants used about $200 million of the stolen funds as collateral on Aave, the largest decentralized lending protocol. This created a crisis of trust, leading depositors to withdraw approximately $9 billion from Aave over two days, resulting in a total loss of over $13 billion across all DeFi lending protocols within 48 hours. Aave also ended up requiring a bailout.
The incidents highlighted a fundamental weakness in decentralized finance compared to traditional banking: blockchain transactions are irreversible, and there’s no central authority to halt dubious transfers. Furthermore, the interconnected nature of DeFi protocols means that a single vulnerability can trigger widespread issues in an ecosystem worth around $130 billion in locked assets.
**The AI Factor**
Identifying the use of AI by hackers isn't straightforward. Investigators infer it from the attack's complexity, methods used, and the speed of target selection. More than half a dozen cybersecurity experts told Bloomberg that the sharp increase in DeFi attacks — with April seeing a record 28 to 30 incidents, nearly double the previous high — suggests that attackers are utilizing widely accessible AI models.
Aneirin Flynn, CEO of security audit firm Failsafe, remarked that AI has lowered the cost of detecting vulnerabilities significantly. The time hackers need to pinpoint weaknesses in blockchain protocols has dropped from months to just days or even hours.
Supporting this idea, a study released by Anthropic in December indicated that over half of blockchain exploits in 2025 “could have been conducted autonomously” using AI. The study showed that the "potential exploit revenue" doubled every 1.3 months, and the average cost of scanning a smart contract for vulnerabilities had decreased to $1.22. Additionally, a trial by engineers at a16z, a prominent crypto venture capital firm, found that an AI trained on past DeFi hacks consistently identified vulnerabilities in protocols, though it still required human input to develop a profitable exploit.
**The Mythos Dilemma**
A looming concern in the industry is Anthropic's Mythos, an AI model withheld from broad release due to its cybersecurity capabilities. In tests, Mythos identified thousands of previously unknown vulnerabilities across several major operating systems and web browsers, including a flaw in OpenBSD that had gone overlooked for 27 years. Anthropic opted to restrict access to a select few major technology firms and banks through what they term Project Glasswing instead of making it publicly available.
There is no proof that the hackers in April used Mythos. Nonetheless, the model's existence raises broader concerns: if current publicly available AI tools can already enhance the execution of crypto hacks to such an extent, what might happen when more advanced models, like Mythos or its successors, become available or are replicated? In November, Anthropic revealed that attackers had manipulated its Claude model to target around 30 organizations, including tech companies, financial institutions, and government agencies, achieving success in
