North Korea-linked crypto heists and Cambodia scam network

Blockchain intelligence firm TRM Labs reported that two crypto heists in April totaled about $577 million and that North Korea-linked groups account for roughly 76% of crypto hack losses this year. TRM Labs said North Korean actors have stolen more than $6 billion in cryptocurrency since 2017 and are carrying out fewer but more sophisticated attacks.

On April 1, Drift Protocol lost about $285 million after attackers obtained pre-approval for 31 withdrawals from two of Drift’s five Security Council signers between March 23 and March 30, 2026. The attackers used Solana’s “durable nonce” feature to have signed transactions execute at a later time. A prior configuration change removed a timelock from the Security Council, allowing approved actions to take effect immediately. The exploit took about 12 minutes. The stolen funds now appear dormant on the Ethereum network.

On April 18, KelpDAO suffered an exploit that resulted in about $292 million stolen. U.S. and industry analysts attributed the attack to the Lazarus Group unit known as “TraderTraitor.” Investigators say attackers compromised internal RPC nodes and launched a distributed denial-of-service attack to manipulate a single-verifier bridge, creating a shortfall for Aave that was initially estimated as roughly $195 million in bad debt. Borrowing rates for Tether on Aave rose to 14%, the highest since December 2024. More than $13 billion in deposits left major lending platforms within 48 hours and Aave reported $8.54 billion in deposits lost over the period.

TRM Labs reported that laundering after large thefts is often handled by intermediaries in China, with funds routed through mixing services, gambling sites and intermediary accounts before reaching final destinations.

Separately, the U.S. Treasury’s Office of Foreign Assets Control designated Cambodian Senator Kok An and 28 associated individuals and entities under Executive Order 13694. The Treasury alleged Kok An controls Crown Resorts and Anco Brothers, which own casinos and properties in Sihanoukville and Poipet that have been used as scam compounds. The designation names Brilliancy Sihanoukville Investment (Bolai) as operating the scam network and laundering proceeds through gambling websites and other channels, including transfers to U.S.-based cells.

The U.S. Secret Service traced about $1.3 million from American victims directly to bank accounts tied to Bolai’s founder, Luo Hong, according to Treasury statements. The sanctions freeze any U.S. assets of the designated parties and generally bar U.S. persons from dealing with them.

Cambodia previously extradited businessman Chen Zhi to China after a U.S. indictment related to forced-labor scam compounds. U.S. authorities said they seized about $15 billion in Bitcoin linked to him and the National Bank of Cambodia later placed Prince Bank under liquidation.

U.S. law enforcement agencies and private blockchain investigators are responding to the thefts and scam network actions with sanctions, account freezes and fund-tracing efforts across blockchains and intermediary accounts to recover assets and disrupt the networks involved.