News
13 May 2026, 14:33
$6.75 billion stolen since 2016: CertiK flags North Korea as crypto's biggest theft threat

The May 12 report by CertiK has put every crypto project and exchange on alert after the blockchain security firm pointed out the scale of the damage that North Korean hackers have masterminded since 2016. The results are in, and the picture is grim: an estimated $6.75 billion in cryptocurrency has been lost across 263 incidents. Certik’s report landed just days after TRM Labs implicated North Korean actors for about 76% of the money lost to crypto hacks through April 2026. Just as in 2025 when they hit Bybit for $1.5 billion, DPRK actors were named in the KelpDAO and Drift Protocol hacks, two of the largest exploits in 2026. DPRK hackers have become a problem for the crypto sector. Source: CertiK. Most notably, neither of the reports from the security intelligence firms implied that crypto’s most persistent and costly adversary is slowing down. North Korea’s hackers are moving with better precision, causing far more losses in fewer incidents. North Korean hackers cash bigger payouts on fewer attacks According to CertiK’s report , North Korean-linked actors were behind just 12% of total crypto theft incidents and roughly 60% of all stolen value in 2025, which came up to $2.06 billion out of $3.4 billion in total losses. 2026 has started out on the same trajectory, with North Korean groups on the hook for 55% ($620.9 million) of the losses that projects have taken this year. Counting the $285 million Drift Protocol breach on April 1 and the $292 million KelpDAO bridge exploit on April 18 alone, that’s 3% of incident count and 76% of loot stolen in 2026, according to TRM Labs. North Korea-linked hackers allegedly stole the most from crypto projects. Source: TRM Labs. North Korean actors are everywhere Both TRM Labs and Certik cautioned that a big majority of North Korea-linked exploits are not even due to software vulnerabilities. Rather, they exploit people in old-fashioned social-engineering schemes . “Most major DPRK operations begin with human manipulation, including fake job offers, VC impersonation, and malicious repositories,” CertiK stated in its report. TRM Labs reported that North Korean proxies held in-person meetings with Drift employees before the breach. Between March 23 and March 30, the attacker exploited Solana’s durable nonce feature to get Drift’s multisig signers to pre-authorize transactions. Come April 1, the protocol was drained in 31 withdrawals that took roughly 12 minutes. The $1.5 billion Bybit hack in February 2025, the largest single crypto theft ever recorded, demonstrated that “even institutional-grade multisig wallets can be compromised by targeting trusted third-party infrastructure rather than smart contracts,” according to CertiK. The FBI attributed that attack to North Korea’s TraderTraitor group. ZachXBT traced $16.58 million in direct crypto payroll payments to North Korean operatives posing as developers between January and July 2025, according to Cryptopolitan’s reporting . CertiK’s latest report echoed the concern, stating that “DPRK operatives have infiltrated DeFi teams under false identities, in some cases directly enabling the theft of funds from within.” The KelpDAO breach followed a different playbook. The attackers, TraderTraitor, a Lazarus Group-affiliated operation, exploited a single-verifier design flaw in a LayerZero bridge. After Arbitrum froze roughly $75 million of the stolen funds, the hackers pivoted to laundering through THORChain, converting stolen Ether (ETH) to Bitcoin (BTC), according to TRM Labs . Since then, LayerZero has denied and issued a public apology, as reported by Cryptopolitan. North Korean hackers follow similar exit routes CertiK reported that within one month of the Bybit hack, 86.29% of stolen ETH was converted to Bitcoin using mixers, cross-chain bridges, decentralized exchanges, and over-the-counter brokers. TRM Labs noted that THORChain processed the majority of proceeds from both the Bybit breach and the KelpDAO hack, “converting hundreds of millions in stolen ETH to Bitcoin with no operator willing to freeze or reject transfers.” U.S. intelligence assessments have indicated that funds stolen by North Korean cyber operations support the country’s nuclear and ballistic missile programs, according to CertiK. North Korea has denied involvement. A Foreign Ministry spokesperson called the allegations “absurd slander” spread by U.S. “government organs, reptile media organs and plot-breeding organizations,” according to Cryptopolitan’s May 4 report on Pyongyang’s rebuttal . If you're reading this, you’re already ahead. Stay there with our newsletter .
13 May 2026, 14:25
Telegram deletes Ethereum engineer’s account after hack

🚨 Telegram permanently deleted the account of Ethereum engineer Dominik Clemente after a hacking incident. Independent developers highlight that only large partners get prompt support in $ETH communities on Telegram. ⚡️ Key point: Loss of accounts can erase years of work and threatens trust in crypto messaging platforms. Continue Reading: Telegram deletes Ethereum engineer’s account after hack The post Telegram deletes Ethereum engineer’s account after hack appeared first on COINTURK NEWS .
13 May 2026, 13:00
What happened in crypto today: $101K DeFi hack, MARA’s $1.3B loss, and more

Ethereum developers and advocates put forth a "clear signing" initiative, while digital asset treasury companies explore active management strategies.
13 May 2026, 11:43
Kelp DAO Begins Recovering rsETH After the April Exploit

p]:pt-0 [&>p]:mb-2 [&>p]:my-0"> Kelp DAO and Aave say the rsETH crisis is ending, with the exploit-related burn on Arbitrum completed and a 117,132 rsETH refill now underway. p]:pt-0 [&>p]:mb-2 [&>p]:my-0"> The April 18 incident was a bridge-and-oracle style attack, where forged data led the system to believe rsETH had been burned when it had not. p]:pt-0 [&>p]:mb-2 [&>p]:my-0"> Kelp is hardening its security model by adding more verification parties, raising confirmation thresholds, and ending risky L2-to-L2 routes. Today, we are witnessing one of the most sophisticated recovery efforts in the history of the industry. Following a harrowing month of de-pegs and bad debt scares, Kelp DAO and Aave have officially signaled the end of the “rsETH Crisis.” As of May 13, 2026, the recovery is in full swing. The “exploit-burn” on Arbitrum is complete, the refill of 117,132 rsETH has begun, and the security architecture of the most popular liquid restaking token (LRT) has been fundamentally rebuilt from the ground up. This isn’t just a technical patch; it’s a masterclass in ecosystem resilience. The Anatomy of the “Phantom” Burn To understand the recovery, we have to look back at the chaos of April 18, 2026. This wasn’t a standard smart contract bug or a simple key leak. According to a comprehensive post-mortem by Chainalysis , Kelp DAO was the victim of a high-precision RPC poisoning attack orchestrated by the North Korean Lazarus Group. The target was the LayerZero Omnichain Fungible Token (OFT) adapter. The attackers compromised the downstream RPC nodes that the LayerZero verifiers relied on to observe the “source” chain (in this case, Uniswap’s Unichain L2). By feeding forged data to a single-verifier configuration, the attackers tricked the bridge into believing that 116,500 rsETH had been burned on Unichain, when in reality, the supply was still there. The bridge, acting on the “verified” message, released the equivalent amount of rsETH on the Ethereum mainnet directly into the hacker’s lap. This was an “observation-layer” exploit. It exposed a critical vulnerability in DeFi’s infrastructure: even a perfect smart contract is only as secure as the data feed it trusts. The fallout was immediate. The stolen rsETH was used as collateral on Aave v3 and Compound to borrow WETH, creating nearly $300 million in bad debt and causing the rsETH peg to drop as low as $2,800 while ETH traded at $3,500. Rebuilding the 117,132 rsETH Escrow The update shared by Kelp DAO today marks the transition from “damage control” to “restoration.” The recovery involves a highly coordinated movement of assets between the Aave Recovery Guardian and the Kelp DAO Recovery Safe. Over the next 14 days, a total of 117,132 rsETH will be progressively refilled into the LayerZero OFT adapter on Ethereum mainnet. This refill ensures that every single rsETH token circulating across the 20+ supported Layer 2s is once again backed 1:1 by real collateral in the mainnet escrow. ”rsETH on Mainnet and L2s remains fully backed at all times during this transition,” the team confirmed . Crucially, the first tranche of this refill to the LayerZero OFT adapter is the “green light” for users. Kelp DAO intends to unpause withdrawals within 24 hours of this initial deposit. Once the contracts are unpaused, all standard operations, including redemptions, claims, and bridging, will resume as usual. For the thousands of users who have had their capital sidelined for weeks, this is the light at the end of the tunnel. Eliminating the Hacker’s Shadow One of the most complex pieces of the recovery puzzle was dealing with the rsETH still held by the exploiter on Arbitrum . Because the attacker had posted the stolen tokens as collateral, they effectively had a “claim” on the system that threatened the recovery’s integrity. Working closely with the Arbitrum Security Council and Aave governance, the recovery coalition managed to isolate and burn the exploiter’s rsETH holdings on Arbitrum. This “surgical removal” of the illicitly minted tokens was the prerequisite for the refill. By burning the hacker’s shadow supply, the team ensured that the new ETH being injected into the system actually backs legitimate user tokens, rather than providing an exit for the Lazarus Group. The “BailSec” Audit and the Death of L2-to-L2 Routes Kelp DAO isn’t just refilling the coffers; they are building a fortress. The protocol recently completed a rigorous “security hardening pass” audited by BailSec. The goal was to eliminate the “single point of failure” that allowed the April exploit to happen. Key Infrastructure Upgrades: Quorum Expansion: Verification now requires 4 independent attestors (DVNs), moving away from the 1-of-1 configuration that previously relied solely on LayerZero Labs. Enhanced Finality: Block confirmations for cross-chain messages have been raised from 42 to 64. This significantly increases the cost and difficulty of a “chain-reorg” or a “data-withholding” attack. Route Deprecation: All L2-to-L2 bridging routes have been deprecated. All bridging activity must now move through the Ethereum L1 hub, ensuring that the “source of truth” is always the most secure chain in the ecosystem. This shift toward multi-source verification is a direct response to the RPC poisoning method used by Lazarus. By requiring consensus from four different organizations, Kelp DAO has ensured that an attacker would need to compromise the infrastructure of multiple independent firms simultaneously—a feat that is orders of magnitude more difficult than attacking a single node The Pivot to Chainlink CCIP Perhaps the most significant long-term development is Kelp DAO’s decision to migrate away from LayerZero and toward Chainlink CCIP . This move reflects a growing rift between Kelp and LayerZero regarding responsibility for the April 18 incident. While LayerZero maintains that the exploit was the result of Kelp’s “misconfigured” 1-of-1 DVN setup, Kelp DAO argues that the default settings and lack of timely infrastructure warnings were the root cause. By choosing Chainlink’s Cross-Chain Interoperability Protocol (CCIP), Kelp DAO is opting for a model that requires consensus from 16 independent node operators. The move to the Chainlink Cross-Chain Token (CCT) standard is expected to be completed in the coming months. This transition marks a broader industry trend in 2026: as cross-chain volumes surge, “convenience” is being sacrificed for “verifiable security.” Kelp DAO Hack Shows DeFi Stands United The recovery of Kelp DAO’s rsETH is a testament to the maturation of the decentralized financial system. A year ago, a $292 million exploit might have triggered a catastrophic contagion that wiped out secondary lending markets. In 2026, we saw Aave, Mantle, and DeFi United step in within hours to form a “Recovery Guardian” coalition. From Stani Kulechov’s personal 5,000 ETH pledge to the Arbitrum governance vote that paved the way for the exploiter’s burn, the recovery proves that “community” is more than just a buzzword in DeFi—it is a defensive layer. As withdrawals unpause and rsETH operations return to normal, the takeaway for the rest of the market is clear: Infrastructure is the new battleground. In the Alpenglow and CCIP era, the protocols that survive won’t be the ones that ignore risk, but the ones that build systems resilient enough to recover from it.
13 May 2026, 11:30
Ether Withdrawals to Resume Following KelpDAO and Aave’s Coordinated Token Burn

Ether withdrawals are expected to resume within 24 hours for KelpDAO users after a coordinated burn of the attacker’s rsETH tokens on Arbitrum successfully neutralized the exploit’s impact. MORE THAN AN EXPLOIT The rsETH bridge lockbox on Arbitrum is being refilled, and ether withdrawals for users affected by the KelpDAO exploit are expected to start
13 May 2026, 11:05
Aave Liquidity Rebounds to Healthy Levels After $10 Billion Outflow

BitcoinWorld Aave Liquidity Rebounds to Healthy Levels After $10 Billion Outflow Liquidity on the decentralized lending protocol Aave has returned to normal operating levels following a significant deposit outflow triggered by last month’s security incident involving the ETH staking protocol KelpDAO and its rsETH token. On-chain analytics firm Sealaunch Intelligence reported that the protocol’s core market has stabilized, with WETH liquidity now standing at approximately $448.61 million, while USDT and USDC reserves are each hovering around the $400 million mark. Stabilization After the rsETH Incident The recovery marks a notable turnaround for Aave, which experienced a roughly $10 billion exodus of deposits in the wake of the KelpDAO rsETH hack. The incident, which rattled confidence across the decentralized finance (DeFi) ecosystem, led to a sharp withdrawal of funds as users moved to mitigate potential exposure. Sealaunch’s data indicates that utilization rates for Aave’s three largest markets — WETH, USDT, and USDC — are now moving within a narrow range of 89% to 92%, a sign that borrowing and lending activity is returning to equilibrium. Broader Recovery Across Markets Beyond the major stablecoins and ether, Sealaunch noted that liquidity for other significant cryptocurrencies on the platform has also recovered to healthy levels. This broad-based normalization suggests that the initial panic-driven outflows have subsided and that user confidence in Aave’s risk management and response protocols is gradually being restored. First Phase of Technical Recovery Complete Aave, which has taken a leading role in the industry-wide ‘DeFi United’ initiative aimed at coordinating security responses across protocols, announced yesterday that it had successfully completed the first phase of technical recovery related to the rsETH hack. While the firm did not provide exhaustive details on the measures taken, the completion of this phase is a critical step in fully restoring normal operations and trust among liquidity providers and borrowers alike. Why This Matters for DeFi Users For participants in the Aave ecosystem, the return to normal liquidity levels means that borrowing rates and lending yields are likely to stabilize. During periods of extreme outflow, liquidity pools can become imbalanced, leading to volatile interest rates and reduced capital efficiency. With reserves replenished and utilization rates back in the 90% range, the protocol can once again function as a reliable source of on-chain credit. Conclusion Aave’s swift recovery from a $10 billion liquidity shock demonstrates the resilience of well-designed DeFi protocols and the importance of coordinated security responses. While the rsETH hack served as a stress test for the broader ecosystem, the data from Sealaunch Intelligence suggests that Aave’s core markets are now operating under normal conditions, with liquidity providers and borrowers returning to the platform. FAQs Q1: What caused the $10 billion outflow from Aave? The outflow was triggered by a security incident involving KelpDAO’s rsETH token, which led to a hack on the ETH staking protocol. In response, many Aave users withdrew deposits as a precautionary measure to reduce potential exposure. Q2: How long did it take for Aave’s liquidity to recover? The recovery occurred over approximately one month. Sealaunch Intelligence reported that liquidity for WETH, USDT, and USDC has now returned to normal levels, with utilization rates stabilizing between 89% and 92%. Q3: What is the ‘DeFi United’ initiative? DeFi United is a collaborative industry initiative aimed at improving security coordination and incident response across decentralized finance protocols. Aave has been a leading participant in this effort, which focuses on protecting users and maintaining ecosystem stability during security events. This post Aave Liquidity Rebounds to Healthy Levels After $10 Billion Outflow first appeared on BitcoinWorld .









































