Lazarus Hackers Orchestrate $290 Million KelpDAO Heist

Who benefits when $290 million vanishes from a decentralized finance project over a single weekend — and who is left to pick up the pieces?

The heist in brief

Security reporting identifies a likely state-sponsored operation behind a mass theft that siphoned roughly $290 million from the KelpDAO decentralized finance (DeFi) project on Saturday. The incident has been tied to North Korean-backed actors commonly referred to as the Lazarus hackers.

Attribution and its weight

Attribution in cyber incidents changes how observers interpret motive, method and response. In this case, reporting that points toward state-sponsored North Korean hackers — and explicitly ties the theft to Lazarus — frames the event less as a criminal exploit and more as an operation with potential geopolitical dimensions. That framing raises different expectations for investigation, recovery and public messaging than a purely criminal marketplace raid would.

Why this matters to different audiences

  • Technologists: A theft of this scale, tied to actors described as state-sponsored, underscores the security consequences for DeFi protocols and the ecosystems that rely on them.
  • Policymakers: Attribution to a nation-linked group shifts considerations about regulatory, diplomatic and law-enforcement levers available to respond or deter similar events.
  • Users and investors: For people and organizations with exposure to KelpDAO or similar projects, a high-dollar loss concentrated in one event raises questions about risk management, transparency and systemic vulnerability in DeFi.
  • Adversaries: Public linking of a major heist to a named group may influence operational trade-offs for both state and nonstate actors who weigh the benefits of targeting digital financial infrastructure.

Questions that remain and the road ahead

The core reported facts are stark: approximately $290 million taken from KelpDAO on Saturday, with reporting tying the operation to state-sponsored North Korean hackers associated with the Lazarus name. Beyond those facts lie open questions about recovery, accountability and lasting consequences for decentralized finance. How will the ecosystem respond — and what safeguards will emerge — now that such a high-profile loss has been publicly attributed?
