AI-driven cryptocurrency hacks siphon off $600 million from DeFi as North Korea takes advantage of the increase.

      **Summary**: In April, two hacks linked to North Korea siphoned nearly $600 million from Drift Protocol ($285 million) and Kelp DAO ($292 million). Cybersecurity experts suspect the assailants utilized AI to target and engineer exploits. The Kelp DAO breach resulted in a $9 billion withdrawal from Aave within two days, highlighting the vulnerabilities in decentralized finance (DeFi).

      The two incidents occurred slightly more than two weeks apart. On April 1, roughly $285 million was drained from Drift Protocol, a Solana-based derivatives exchange, after attackers impersonated a quantitative trading firm to deceive employees into approving harmful transactions. Then, on April 18, another group exploited a flaw in Kelp DAO’s cross-chain bridge, extracting about $292 million in wrapped ether. Together, these hacks constituted almost $600 million and represented 76% of all crypto hack losses in 2026 so far, according to the blockchain forensics firm TRM Labs.

      Both attacks are thought to be the work of groups associated with North Korea, as reported by Bloomberg. However, what concerned cybersecurity experts most was the tactic employed. Nick Carlsen, a TRM investigator and former FBI analyst with expertise in North Korean crypto crime, indicated that the sophistication of these April hacks strongly suggests the attackers used artificial intelligence for target selection and exploit development. “This is all something North Korea never used to do,” he noted.

      **The Contagion Effect**: The Drift hack was catastrophic for the platform. The attackers created a fake token, constructed a fictitious trading history to make it appear genuine, and used it as collateral to quickly extract real assets, achieving this within approximately 12 minutes. Drift’s total value locked plummeted from $550 million to below $300 million in just an hour. The exchange has since halted operations and is planning a relaunch after obtaining a $148 million rescue package led by the stablecoin issuer Tether. A smaller DeFi project, Carrot, which had utilized Drift’s vaults for user funds, announced on April 30 that it would cease operations entirely.

      The impact of the Kelp DAO hack was significant in a different manner. Instead of immediately liquidating the stolen assets, the attackers placed roughly $200 million of the proceeds as collateral on Aave, the leading decentralized lending protocol. This caused a loss of confidence: depositors, concerned that the collateral supporting Aave could be worthless, withdrew about $9 billion from the platform in just two days. The overall value locked across all DeFi lending protocols fell by over $13 billion within 48 hours. Aave ultimately required a rescue as well.

      This sequence of events highlighted a structural weakness that sets decentralized finance apart from traditional banking systems. Transactions on blockchains cannot be reversed, and there is no central authority to halt suspicious transfers. Furthermore, the interconnected nature of DeFi protocols means that one platform’s collateral can become another’s liability, allowing a single exploit to reverberate through an ecosystem worth approximately $130 billion in locked assets.

      **The AI Accelerant**: Assessing whether hackers employed AI is not an exact science. Investigators base their analyses on the complexity of an attack, the techniques used, and how quickly targets were identified. Over half a dozen cybersecurity researchers interviewed by Bloomberg indicated that the dramatic increase in DeFi exploits—April recorded 28 to 30 incidents, nearly doubling the previous peak—suggests that attackers are utilizing readily available AI models.

      “With AI, vulnerability detection costs are approaching zero,” stated Aneirin Flynn, CEO of security audit firm Failsafe. He noted that the time taken for hackers to find weaknesses in a blockchain protocol has been reduced from months to days or even hours.

      Research from Anthropic supports this claim. A study published in December revealed that more than half of blockchain exploits executed in 2025 “could have been carried out autonomously” using AI agents. The researchers noted that what they termed “potential exploit revenue” has doubled every 1.3 months, and the average cost of scanning a smart contract for vulnerabilities has decreased to $1.22. Additionally, a test conducted by engineers at a16z, the largest crypto venture capital firm, found that an AI trained on previous DeFi hacks consistently identified vulnerabilities in a given protocol, although it still required human assistance to design a profitable exploit fully.

      **The Mythos Question**: The industry is overshadowed by Anthropic’s Mythos, an AI model that the company has not released widely due to its cybersecurity capabilities. During testing, Mythos autonomously identified thousands of previously unknown zero-day vulnerabilities across major operating systems and web browsers, including an issue in OpenBSD that had escaped detection for 27 years. Anthropic opted to limit access to a select few major technology companies and banks through what it refers to as Project Glasswing, instead of a public release.

      There is no evidence that the April hackers accessed Mythos. Nonetheless, the model’s existence raises broader