Security firms Elliptic and TRM Labs have attributed the $286M attack to DPRK-linked threat actors, citing Tornado Cash origins, Pyongyang-time deployment signatures, social engineering focus, and post-hack laundering speed similar to the Lazarus Group's 2022 Ronin bridge hack. The contagion spread to more than 20 protocols, with Prime Numbers Fi reporting millions in losses, Carrot Protocol pausing mint/redeem functions after 50% TVL impact, and Pyra Protocol disabling withdrawals entirely. The removal of timelock safeguards on March 27 converted a complex multi-week attack into a 12-minute cash-out, demonstrating that protocol governance without delay mechanisms is governance with an open door. As of April 3, no comprehensive reimbursement plan has been announced, with users in affected protocols like Pyra and Carrot remaining unable to access funds.