LND Security Breach Post Mortem
2025-05-15 • LND
https://medium.com/@lndfi/lnd-security-breach-post-mortem-2c54ac006050
LND attributed its May 9, 2025 breach to a developer it had unknowingly hired who later proved to be an undercover DPRK IT worker. The attacker gained access to administrative keys and drained about $1.27 million through unauthorized transactions, prompting LND to shut down the frontend and work with ZachXBT, SEAL, MetaMask, and UniSat on containment and user warnings. The post-mortem says the stolen funds were bridged across multiple networks and that investigators submitted reports to law enforcement and exchanges to support freezing and recovery. Technical analysis found modified AToken and VariableDebtToken contracts in which the onlyPool access check had been widened to also accept Pool Admin addresses, which let the attacker drain the pools directly through transferUnderlyingTo calls instead of going through the Pool contract.
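The access-control change the analysis describes, as an added illustration written for this page and not LND's or Aave's actual contract code (contract names, the POOL_ADMIN field and the IERC20 stub are assumptions): the strict modifier admits only the Pool, while the weakened one also admits the Pool Admin key, which is what turns transferUnderlyingTo into a drain path for whoever holds that key.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only: hypothetical names, not the deployed LND contracts.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Baseline Aave-style token: only the Pool contract may move underlying out of the token.
contract ATokenStrict {
    address public immutable POOL;
    IERC20 public immutable UNDERLYING;
    constructor(address pool, IERC20 underlying) {
        POOL = pool;
        UNDERLYING = underlying;
    }
    modifier onlyPool() {
        require(msg.sender == POOL, "CALLER_MUST_BE_POOL");
        _;
    }
    // Reached only through Pool logic (withdraw/borrow), never by an externally owned account.
    function transferUnderlyingTo(address target, uint256 amount) external onlyPool {
        require(UNDERLYING.transfer(target, amount), "TRANSFER_FAILED");
    }
}

// Weakened variant of the kind the post-mortem describes: the same modifier
// now also admits a Pool Admin address, so whoever holds that admin key can
// call transferUnderlyingTo and empty the reserve without going through the Pool.
contract ATokenWeakened {
    address public immutable POOL;
    address public immutable POOL_ADMIN; // assumed field; in practice read from an addresses provider
    IERC20 public immutable UNDERLYING;
    constructor(address pool, address poolAdmin, IERC20 underlying) {
        POOL = pool;
        POOL_ADMIN = poolAdmin;
        UNDERLYING = underlying;
    }
    modifier onlyPool() {
        // Review flag: an extra OR clause on an access modifier that the audited upstream code lacks.
        require(msg.sender == POOL || msg.sender == POOL_ADMIN, "CALLER_MUST_BE_POOL");
        _;
    }
    function transferUnderlyingTo(address target, uint256 amount) external onlyPool {
        require(UNDERLYING.transfer(target, amount), "TRANSFER_FAILED");
    }
}
```

A practical check when forking audited code is to diff the verified source of every deployed token contract against the upstream release and treat any change to an access modifier as a blocking finding.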
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 464a0ea5147d204140ceda42a433656… | 2025-05-15 | 2025-05-15 |
| URL | https://sonicscan.org/address/0… | 2025-05-15 | 2025-05-15 |
| URL | https://sonicscan.org/address/0… | 2025-05-15 | 2025-05-15 |