Is North Korea Running an AI That Automatically Hacks DeFi? April's $625M Record Says the Theory Isn't Crazy
A developer just floated the theory that North Korea trained an AI model to autonomously hack DeFi protocols — and after 30 exploits and $625 million drained in a single month, nobody’s laughing.
April 2026 is now officially the most-hacked month in crypto history. Not by a little. Thirty separate protocols compromised. Nearly one attack per day. $625 million out the door. And North Korea — operating through at least two distinct state-sponsored groups — was responsible for 76% of all stolen value, using just two mega-attacks.
Then, on April 30, Wasabi Protocol got hit for $5.5 million across four chains simultaneously. Same admin key playbook. Same no-timelock vulnerability. Same surgical speed. And developer Vitto Rivabella posted a theory that broke crypto Twitter: North Korea built an in-house AI trained on years of stolen DeFi data, and it’s now running autonomous exploit scripts faster than human auditors can patch them.
It’s unconfirmed. But the evidence is uncomfortable.
What Happened to Wasabi Protocol
Wasabi Protocol is a perpetuals trading platform deployed on Ethereum, Base, Berachain, and Blast. On April 30, an attacker compromised its deployer admin key — the single key with full control over all protocol vaults — and used it to:
- Call `grantRole()` on the permissions contract with zero delay
- Upgrade Wasabi’s perp vaults and `LongPool` to malicious implementations via UUPS proxy
- Drain funds from all pools across all four chains simultaneously
Total losses: between $4.5M and $5.5M depending on the source, with security firm Blockaid flagging the exploit live as it happened. Berachain’s team issued an urgent “Withdraw Now” advisory to all Wasabi liquidity providers still on the network.
The critical flaw? Wasabi had no timelock and no multisig protecting the admin role. One key. Full control. No delay. Zero resistance to a compromised deployer wallet.
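A monitoring rule for the gap described above, as an added example that is not Wasabi's or any vendor's code: it flags role grants and proxy upgrades that were not queued through a timelock with enough notice. The event names follow OpenZeppelin's `RoleGranted` and `CallScheduled` and ERC-1967's `Upgraded`; the 24-hour policy, the contract labels and the sample events are constructed assumptions.

```python
from dataclasses import dataclass

PRIVILEGED = {"RoleGranted", "Upgraded"}  # AccessControl / ERC-1967 event names
MIN_DELAY = 24 * 3600                     # assumed policy: 24h notice before privileged changes

@dataclass(frozen=True)
class Event:
    chain: str
    ts: int           # block timestamp, seconds
    contract: str     # contract that emitted the event
    name: str         # decoded event name
    target: str = ""  # CallScheduled only: contract the queued call will hit

def unscheduled_changes(events, min_delay=MIN_DELAY):
    """Privileged events lacking a CallScheduled for that contract >= min_delay earlier."""
    queued, alerts = {}, []  # queued: (chain, target) -> CallScheduled timestamps
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.name == "CallScheduled":
            queued.setdefault((ev.chain, ev.target), []).append(ev.ts)
        elif ev.name in PRIVILEGED:
            notice = [t for t in queued.get((ev.chain, ev.contract), []) if ev.ts - t >= min_delay]
            if not notice:
                alerts.append(ev)
    return alerts

def grant_then_upgrade(alerts, window=600):
    """Chains where an unscheduled RoleGranted is followed by an Upgraded within `window` s."""
    hits = set()
    for g in (a for a in alerts if a.name == "RoleGranted"):
        for u in (a for a in alerts if a.name == "Upgraded"):
            if u.chain == g.chain and 0 <= u.ts - g.ts <= window:
                hits.add(g.chain)
    return sorted(hits)

# Constructed sample events; contract labels are placeholders, not real deployments.
SAMPLE = [
    Event("ethereum", 1_000, "timelock", "CallScheduled", target="vault"),
    Event("ethereum", 1_000 + MIN_DELAY, "vault", "Upgraded"),  # queued with full notice
    Event("base", 5_000, "permissions", "RoleGranted"),         # no notice at all
    Event("base", 5_060, "vault", "Upgraded"),                  # 60s after the grant
    Event("blast", 5_010, "permissions", "RoleGranted"),
    Event("blast", 5_090, "LongPool", "Upgraded"),
    Event("berachain", 9_000, "timelock", "CallScheduled", target="vault"),
    Event("berachain", 9_300, "vault", "Upgraded"),             # queued, but only 5 min notice
]

if __name__ == "__main__":
    found = unscheduled_changes(SAMPLE)
    print([(a.chain, a.contract, a.name) for a in found], grant_then_upgrade(found))
```

On a protocol with no timelock at all, every privileged event trips the first rule, which is the finding to fix before an incident rather than during one.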
The North Korea AI Theory
Security researcher and developer Vitto Rivabella published a thread in the wake of the Wasabi exploit that’s been circulating across crypto security circles. The claim: North Korea’s hacking units trained a bespoke AI model on years of accumulated DeFi data — including every exploit they’ve conducted, every smart contract vulnerability they’ve encountered, and the full on-chain history of protocols they’ve targeted.
The theory holds that this model now operates semi-autonomously: scanning deployed contracts for known vulnerability patterns (single admin keys, missing timelocks, upgradeable proxies with no delay), generating attack calldata, and executing drains faster than any human review process can catch.
Evidence supporting the theory:
- Pattern replication at scale: The Wasabi, Drift, and KelpDAO exploits used near-identical attack vectors despite targeting different protocols on different chains
- Execution speed: The Drift Protocol drain — $285M across Solana — was completed in approximately 12 minutes after months of social engineering prep
- Volume: 30 DeFi exploits in a single calendar month is not a human bandwidth problem — it’s a throughput problem
- Precision: Each attack targeted the same centralized control layer (admin key, single oracle, single verifier) with no wasted moves
Rivabella’s theory remains unconfirmed speculation. No security firm or government agency has publicly attributed the Wasabi exploit to North Korea specifically. But TRM Labs confirmed this week that North Korean actors stole $577 million in 2026 YTD — 76% of all crypto hack value — pushing their cumulative haul since 2017 above $6 billion.
The April Scoreboard
| Date | Protocol | Amount | Vector |
|---|---|---|---|
| Apr 1 | Drift Protocol | $285M | Admin key + social engineering (DPRK) |
| Apr 18 | KelpDAO | ~$293M | Single-verifier LayerZero bridge flaw (DPRK) |
| Apr 30 | Wasabi Protocol | $5.5M | Admin key, no timelock/multisig |
| Other | 27 additional protocols | ~$42M | Various |
| Total | 30 incidents | $625M+ | |
April averaged nearly one successful exploit per day. Previous records rarely exceeded 12–15 incidents in a full month.
The Systemic Problem
Every major April exploit shared a common design failure: centralized control points with no safeguards.
A single admin key. A single oracle. A single bridge verifier. One compromised credential — through phishing, insider threat, or social engineering — and the entire protocol is drained in minutes.
The security industry has known about this for years. Timelocks, multisig requirements, and DAO-controlled upgrade processes exist precisely to prevent this. Wasabi had none of them. Neither did Drift. Neither did KelpDAO — or at least not adequate ones.
The uncomfortable conclusion: North Korea’s hackers (AI-assisted or not) aren’t finding exotic zero-days. They’re exploiting basic security hygiene failures that protocols still aren’t fixing.
Why This Matters for Crypto Jobs
April’s carnage is reshaping the demand side of the crypto job market in real time. Here’s where hiring is accelerating:
Smart Contract Security — Audit firms are inundated. Protocols that survived April are scrambling to retrofit timelocks, multisig, and formal verification. Security engineers with Solidity/EVM audit experience are commanding $200K+ packages.
Protocol Security Architecture — Roles focused on designing access control systems, upgrade mechanisms, and bridge security are newly critical. Being able to spec a secure UUPS upgrade path or a Gnosis Safe governance structure is now a near-mandatory skill for senior protocol engineers.
Blockchain Forensics / Incident Response — On-chain attribution work (tracking stolen funds through THORChain, bridges, and mixers) has exploded as a field. TRM Labs, Chainalysis, Elliptic, and Blockaid are all hiring.
DeFi Risk / Security Research — Funds with DeFi exposure (hedge funds, VCs, treasury managers) are building internal security research teams. Roles that didn’t exist 18 months ago are becoming standard headcount.
If you’re a developer who understands access control, proxy patterns, or bridge security — April just made your skills significantly more valuable.
The Bottom Line
Thirty hacks. $625 million. One month. North Korea behind most of it.
Whether or not an AI is autonomously scanning and draining DeFi protocols, the structural vulnerability is the same: too many protocols, too little security infrastructure, and control points that are one phishing email away from total compromise.
The industry keeps building faster than it secures. Until that changes, April will just be a preview.