
ZeroFox Daily Intelligence Brief - April 21, 2026

By Alpha Team



ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • North Korean Threat Actors Steal USD 290 Million from KelpDAO DeFi Platform
  • Lovable Defends API Visibility Amid Data Security Concerns
  • DDoS Attacks Hit Decentralized Platforms Mastodon and Bluesky

North Korean Threat Actors Steal USD 290 Million from KelpDAO DeFi Platform

Source: https://www.bleepingcomputer.com/news/security/kelpdao-suffers-290-million-heist-tied-to-lazarus-hackers/

What we know: The North Korea-linked threat group Lazarus (specifically its TraderTraitor cluster) is suspected of stealing roughly USD 290 million in cryptocurrency from the KelpDAO decentralized finance (DeFi) project, making it the largest crypto heist of 2026 by value to date.

Context: LayerZero, the cross-chain messaging protocol used by KelpDAO, claimed that the attackers exploited the single-DVN (Decentralized Verifier Network) setup in KelpDAO's rsETH configuration. In LayerZero's model, DVNs are the parties that verify cross-chain messages, so with only one DVN configured there is no independent second verifier to reject a forged message. KelpDAO reportedly disputes this account and attributes the attack to a compromise of LayerZero's infrastructure. The heist also reportedly affects lending platforms including Compound, Euler, and Aave.

Analyst note: DeFi projects relying on single-DVN configurations, as well as LayerZero itself, are very likely to be targeted in further heists as threat actors attempt to replicate the attack. Law enforcement action is unlikely to recover the full amount stolen, and the proceeds are very likely to help finance the North Korean regime's weapons programs.

Lovable Defends API Visibility Amid Data Security Concerns

Source: https://www.theregister.com/2026/04/20/lovable_denies_data_leak/

What we know: The AI vibe-coding platform Lovable has denied an alleged data leak that reportedly allowed free accounts on the platform to access other users' credentials, chat histories, source code, and customer data created before November 2025.

Context: The leak reportedly stemmed from a Broken Object Level Authorization (BOLA) vulnerability (API1 in the OWASP API Security Top 10). BOLA occurs when an API authenticates the caller but never verifies that the caller is authorized for the specific object a request references, typically a predictable identifier, so any logged-in user can read or modify another user's data simply by changing that identifier. Lovable first dismissed the exposure as "intentional behavior," but later stated that chats from public projects are no longer visible.

Analyst note: Repeated security concerns are likely to push users and enterprise customers to demand stronger assurances, tighter access controls, clearer public/private defaults, and closer scrutiny of Lovable's workflow. Users whose data was exposed are likely to face account takeover attempts, intellectual property theft, and phishing; any credentials stored in exposed chats or source code should be treated as compromised and rotated.
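The BOLA class described in the Context above, shown as a vulnerable handler beside its hardened form. This is an added illustration, not Lovable's code, and it makes no claim about how Lovable's API is implemented; the record shapes, account names, chat ids and handler names are invented for the example, and the sample data is constructed.

```python
"""Broken Object Level Authorization (BOLA) versus an object-level ownership check.

Illustrative only: not Lovable's code. Data model, user names and ids are
invented for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Chat:
    chat_id: int
    owner: str             # account that created the chat
    project_public: bool   # whether the parent project is public
    messages: list = field(default_factory=list)


class NotFound(Exception):
    """Raised for both 'no such object' and 'not yours', so a caller cannot
    tell which ids exist and enumerate other users' objects."""


# Constructed sample data: two accounts, three chats, one in a public project.
CHATS = {
    1: Chat(1, "alice", project_public=False, messages=["sample secret"]),
    2: Chat(2, "bob", project_public=True, messages=["hello world"]),
    3: Chat(3, "bob", project_public=False, messages=["internal notes"]),
}


def get_chat_bola(requesting_user: str, chat_id: int) -> list:
    """Vulnerable: the caller is authenticated (any logged-in account reaches
    this handler), but ownership of the requested object is never checked."""
    if chat_id not in CHATS:
        raise NotFound()
    return CHATS[chat_id].messages


def get_chat_checked(requesting_user: str, chat_id: int) -> list:
    """Hardened: object-level authorization. The owner is compared against the
    authenticated identity (never a client-supplied field), and a public
    parent project is the only explicit exception."""
    chat = CHATS.get(chat_id)
    if chat is None:
        raise NotFound()
    if chat.owner != requesting_user and not chat.project_public:
        # Same error as not-found so the response does not reveal the id exists.
        raise NotFound()
    return chat.messages


def probe(handler, requesting_user: str, ids) -> dict:
    """Walk an id range the way an attacker would and collect what leaks."""
    leaked = {}
    for chat_id in ids:
        try:
            leaked[chat_id] = handler(requesting_user, chat_id)
        except NotFound:
            pass
    return leaked


if __name__ == "__main__":
    # A free account with no chats of its own enumerates the id space.
    print("vulnerable:", probe(get_chat_bola, "mallory", range(1, 5)))
    print("hardened:  ", probe(get_chat_checked, "mallory", range(1, 5)))
```

With the vulnerable handler, the outsider account receives every chat, including the private ones; with the checked handler it sees only the chat whose project is public, which mirrors the "public projects" distinction in Lovable's own statement.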

DDoS Attacks Hit Decentralized Platforms Mastodon and Bluesky

Source: https://techcrunch.com/2026/04/20/mastodon-says-its-flagship-server-was-hit-by-a-ddos-attack/

What we know: Mastodon's flagship server (mastodon[.]social) was hit by a distributed denial-of-service (DDoS) attack, with a flood of malicious traffic causing temporary outages and instability. Because of Mastodon's federated architecture, the impact was reportedly limited to that instance, and other servers remained unaffected.

Context: The attack on Mastodon follows a recent DDoS attack on Bluesky that caused intermittent outages affecting core features such as feeds, notifications, and search. The pro-Iran threat group 313 Team claimed responsibility for the Bluesky attack, but Bluesky has not verified that attribution; the attack was mitigated and no data compromise has been confirmed.

Analyst note: Mastodon and Bluesky were likely targeted because they host communities across the ideological spectrum where users seek and share news and opinions outside major media outlets. That makes them attractive targets for ideologically motivated actors seeking to disrupt alternative information flows.

DEEP AND DARK WEB INTELLIGENCE

Threat actor claims ANTS breach: A threat actor on the dark web forum DarkForums has advertised a large dataset allegedly stolen from the French National Agency for Secure Documents (ANTS), also known as France Titres. The dataset allegedly contains about 19 million records including names, contact details, birth data, addresses, and account metadata. ANTS has confirmed a security incident that may have exposed data from user accounts on its portal. Threat actors are likely to package and resell the data to other criminals and to use it in social engineering campaigns against affected citizens; because birth data and addresses cannot be changed, the exposure enables exploitation long after the incident itself.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-5760: A critical remote code execution (RCE) flaw in SGLang, an open-source framework for serving large language models at speed. A malicious GGUF model file can be used to execute arbitrary code: the exploit reportedly uses a crafted Jinja2 template embedded in the model, which is rendered when the server handles /v1/rerank requests. Successful exploitation is likely to grant attackers access to the serving host, its environment variables, and any credentials stored in them, so model files from untrusted sources should be treated as executable content rather than inert data.

Affected products: SGLang versions prior to 0.5.9.
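As an added example for the item above (not SGLang's code, and not a reproduction of the reported exploit, whose details the brief does not give), the following reads the `tokenizer.chat_template` metadata key out of a GGUF file so the embedded Jinja2 template can be reviewed before the model is served. The GGUF header and key/value layout follow the published GGUF specification; the indicator list, the triage verdict, and the two sample files are constructed for this illustration, and the indicators are generic Jinja2 patterns that no chat template needs, not a signature for this CVE.

```python
"""Extract and triage the Jinja2 chat template embedded in a GGUF model file.

Added example, not SGLang code. Header/KV parsing follows the GGUF spec;
SUSPICIOUS_TOKENS and the sample files are constructed for the illustration.
"""
import struct
from typing import Optional

# GGUF metadata value type ids (from the GGUF specification).
GGUF_STRING, GGUF_ARRAY = 8, 9
_SCALAR_FMT = {0: "<B", 1: "<b", 2: "<H", 3: "<h", 4: "<I", 5: "<i",
               6: "<f", 7: "<?", 10: "<Q", 11: "<q", 12: "<d"}

# Constructed heuristic: Jinja2 expressions that are never needed to format a
# chat prompt but are the usual route from a template into Python internals.
SUSPICIOUS_TOKENS = ("__class__", "__globals__", "__subclasses__",
                     "__import__", "__builtins__", "__mro__")


class GGUFReader:
    """Minimal little-endian reader for the GGUF header and metadata section."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def _unpack(self, fmt: str):
        (val,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return val

    def _string(self) -> str:
        n = self._unpack("<Q")                # gguf_string: uint64 length + bytes
        raw = self.data[self.pos:self.pos + n]
        self.pos += n
        return raw.decode("utf-8", errors="replace")

    def _value(self, vtype: int):
        if vtype == GGUF_STRING:
            return self._string()
        if vtype == GGUF_ARRAY:
            etype, n = self._unpack("<I"), self._unpack("<Q")
            return [self._value(etype) for _ in range(n)]
        return self._unpack(_SCALAR_FMT[vtype])

    def metadata(self) -> dict:
        """Parse magic, version, counts and all key/value pairs (tensor info
        follows the KV section and is not needed for template review)."""
        if self.data[:4] != b"GGUF":
            raise ValueError("not a GGUF file")
        self.pos = 4
        version = self._unpack("<I")
        if version not in (2, 3):
            raise ValueError(f"unsupported GGUF version {version}")
        self._unpack("<Q")                    # tensor count, unused here
        kv_count = self._unpack("<Q")
        meta = {}
        for _ in range(kv_count):
            key = self._string()
            meta[key] = self._value(self._unpack("<I"))
        return meta


def extract_chat_template(data: bytes) -> Optional[str]:
    tpl = GGUFReader(data).metadata().get("tokenizer.chat_template")
    return tpl if isinstance(tpl, str) else None


def template_findings(template: str) -> list:
    return [tok for tok in SUSPICIOUS_TOKENS if tok in template]


def triage(data: bytes) -> dict:
    """Decide whether a model file's template is fit to hand to a renderer."""
    tpl = extract_chat_template(data)
    findings = template_findings(tpl) if tpl else []
    return {"has_template": tpl is not None, "findings": findings,
            "load": not findings}


def build_gguf(metadata: dict) -> bytes:
    """Constructed fixture: a GGUF v3 file with string metadata only and no
    tensors (real model files also carry tensor info and weights)."""
    def s(text: str) -> bytes:
        b = text.encode("utf-8")
        return struct.pack("<Q", len(b)) + b
    out = b"GGUF" + struct.pack("<IQQ", 3, 0, len(metadata))
    for k, v in metadata.items():
        out += s(k) + struct.pack("<I", GGUF_STRING) + s(v)
    return out


# Constructed samples: an ordinary prompt-formatting template, and one that
# reaches into object internals (generic indicator, not the CVE payload).
BENIGN = build_gguf({"general.architecture": "llama",
                     "tokenizer.chat_template":
                     "{% for m in messages %}{{ m.role }}: {{ m.content }}\n{% endfor %}"})
HOSTILE = build_gguf({"general.architecture": "llama",
                      "tokenizer.chat_template": "{{ messages.__class__.__mro__ }}"})

if __name__ == "__main__":
    print("benign :", triage(BENIGN))
    print("hostile:", triage(HOSTILE))
```

Run this against a downloaded file (`triage(open(path, "rb").read())`) before pointing a serving framework at it; a template that trips the heuristic should be reviewed by hand, and a template that a framework renders at all should be rendered in a sandboxed Jinja2 environment rather than a plain one.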

Tags: DIB, TLP:GREEN
