Security Alliance reports that DPRK-linked actors stole 116,500 rsETH on April 18, 2026 by fraudulently triggering an attestation from the LayerZero DVN configured as the sole validator for the Kelp DAO OApp. Kelp blocked the attacker within about an hour…
Kelp says rsETH was drained on April 18 through a forged cross-chain message after two LayerZero-hosted RPC nodes were compromised and a third RPC node was hit by a simultaneous DDoS attack. The statement frames the incident as an attack on LayerZero infr…
CISA warns that compromised Axios npm releases [email protected] and [email protected] injected the malicious dependency [email protected] into developer environments. The dependency downloads multi-stage payloads from actor-controlled infrastructure, including…
NoxHunt uses infostealer telemetry and ZachXBT’s prior findings to examine compromised systems tied to suspected DPRK overseas IT worker operations. The activity centers on fraudulent remote development work supported by VPN obfuscation, fake identities a…
KelpDAO’s April 18, 2026 exploit involved about $290 million in losses and is described as likely attributable to DPRK’s Lazarus Group, specifically TraderTraitor. The incident was isolated to KelpDAO’s rsETH configuration because it used a 1-of-1 LayerZe…
Web3Firewall analyzes the reported 2026 KelpDAO exploit as a cross-chain DeFi infrastructure incident affecting rsETH bridge operations rather than a simple standalone smart-contract bug or phishing case. The article says the attack caused roughly $290–29…
FalconFeeds summarizes UNC1069 as a financially motivated North Korean actor linked to the Reconnaissance General Bureau and active in cryptocurrency and developer-supply-chain targeting. The February 2026 intrusion described in the excerpt began with a h…
Axios maintainer access was compromised to publish malicious [email protected] and [email protected] releases that added the typosquatted dependency [email protected] without changing the main Axios source. The malicious dependency used a postinstall hook to ru…
Breakglass Intelligence maps a large Kimsuky credential-harvesting operation targeting South Korean users through Naver, National Tax Service, NHIS, NongHyup, National Pension Service, and Kakao impersonation themes. The investigation consolidates six inf…
The excerpt traces a confirmed DPRK IT worker, operating under the GitHub identity icetrust0212, who performed the primary development work on Verida Network’s proof-connector-dapp, which verifies zkPass proofs and issues Verida credentials for exchange KYC status. The author links…
An investigation maps a cluster of 14 or more DPRK-linked IT worker accounts that allegedly infiltrated Tokamak Network and contributed heavily to bridge, NFT marketplace, subgraph, and landing-page repositories. The excerpt identifies primary actor "jusd…
A thread links the fake identity "Taro Aikuchi" to a DPRK IT worker cluster labeled "215" through repeated numeric markers across GitHub handles, email addresses, commit metadata, and aliases. The excerpt connects 0xbomb215, xsen215, highgoal215, and rela…
South Korean authorities warn that Midnight and Endpoint ransomware infections have been observed against domestic SMEs, especially manufacturers, with additional cases in retail, energy, and public-sector environments. The attackers first compromise IT s…
Trend Micro’s 2025 APT report frames North Korea as an “Asymmetric Saboteur” using AI to automate cybercrime and support state priorities such as missile funding. The DPRK-relevant section is strategic rather than IOC-driven, emphasizing AI-assisted recon…
KrCERT and the Korean National Police Agency warn that Midnight, also called Endpoint, ransomware incidents against South Korean small and medium-sized businesses are increasing through malicious email campaigns. The advisory says attackers use lures disg…