At least 12 decentralized finance protocols and crypto companies have been attacked in the two weeks since the $280 million exploit of Drift Protocol, fueling concerns that a coordinated wave of breaches, many with links to North Korean state-sponsored groups, is sweeping the sector.
The targets since early April include CoW Swap, Hyperbridge, Bybit, Dango, Silo Finance, BSC TMM, Aethir, MONA, Zerion, and, most recently, Rhea Finance and Russia-linked exchange Grinex, according to reporting from Cointelegraph.
Rhea Finance and Grinex Join the List of Victims
Rhea Finance confirmed on Thursday that an attacker “leveraged a vulnerability in Rhea’s Margin Trading feature to execute a coordinated pool manipulation attack,” targeting its Rhea Lend smart contract. Blockchain security firm CertiK said roughly $7.6 million was extracted.
“The attacker created fake token contracts and added liquidity in fresh pools, likely misleading the oracle and validation layer,” CertiK explained. Separately, the Russia-linked Grinex exchange suspended operations after a $13.7 million incursion, blaming “unfriendly states” for the breach.
Earlier in the month, the Binance Smart Chain TMM/USDT liquidity pool lost roughly $1.67 million in a reserve manipulation attack, while bridge aggregator Dango lost $410,000 to a smart contract bug on April 13.
Silo Finance lost $392,000 on April 3 to an exploit of a misconfigured oracle, and decentralized GPU computing platform Aethir reported a $423,000 access-control exploit on April 9.
DPRK Pivots to AI-Enhanced Social Engineering
The attacks follow the April 1 Drift Protocol exploit, which investigators say began as a roughly six-month social engineering operation in which individuals posed as a quantitative trading firm.
Blockchain analytics company Elliptic attributed the incident to the Democratic People’s Republic of Korea, describing it as part of a sustained campaign of cryptoasset theft linked to the country’s weapons programs.
The Drift Protocol and Zerion wallet exploits were highlighted by researchers as examples of DPRK-affiliated groups combining AI tools and social engineering to infiltrate crypto companies and harvest credentials.
According to DefiLlama, attackers extracted more than $168.6 million from 34 DeFi protocols in the first quarter of 2026 alone. Elliptic has identified 18 DPRK-linked acts this year, with more than $300 million stolen so far, extending a pattern in which DPRK-linked actors have siphoned over $6.5 billion in cryptoassets in recent years.
Drift Rescue Takes Shape as USDT Replaces USDC
Drift itself is rebuilding. The protocol announced this week a proposed funding package of up to $147.5 million from Tether and partners and plans to relaunch with USDT replacing USDC as its core settlement layer.
The funding is structured to repay about $295 million in user losses over time, but industry analysts generally agree that the infiltration playbook behind the original attack is now being deployed more widely.