April 2026: ShinyHunters Hits Medtronic and ADT as North Korean Hackers Drain DeFi Protocols

2026-05-29 SOCRadar

https://socradar.io/blog/april-2026-major-cyber-attacks/

North Korean-linked operators were tied to two major April 2026 DeFi thefts and a software supply-chain compromise. Drift Protocol lost about $280 million after attackers spent months posing as a legitimate trading firm, obtained pre-signed multisig approvals, and abused Solana durable nonce behavior to seize Security Council control. KelpDAO lost roughly $290 million in rsETH after Lazarus Group’s TraderTraitor cluster allegedly compromised LayerZero verification infrastructure through RPC-node poisoning and DDoS. UNC1069 also compromised Axios npm publishing credentials via a fake company and staged Microsoft Teams call, publishing malicious Axios versions that installed a cross-platform RAT through plain-crypto-js.
