
How North Korean Hackers Continuously Target the Cryptocurrency Industry
North Korea will keep its eyes on the crypto industry for the long term—not because it has much interest in these new concepts, but because the industry is genuinely useful to it.
By Liu Honglin
The cryptocurrency industry over the past six months has felt eerily quiet—like a beach after the tide recedes.
People are still around. Projects still exist. But the buzz—the constant stream of new projects spinning narratives, the flood of fundraising announcements, the daily chatter in group chats about “getting on board”—has significantly faded.
Teams that remain publicly espouse vision and long-term thinking—but behind closed doors, conversations tend to revolve around far more pragmatic concerns: How much cash remains in the bank? How can costs be further reduced? How can the team stay intact and weather the bear market’s winter?
Yet the harshest blow the bear market delivers to projects isn’t always just falling token prices or tightening fundraising conditions—it’s when an already tight financial situation is compounded by catastrophic events like asset theft.
Getting hacked during a bull market stings. Getting hacked during a bear market can be fatal.
I. Drift Hacked for $285 Million
This time the victim was Drift, and the incident is the largest DeFi attack so far in 2026, with approximately $285 million stolen.
Those familiar with the Solana ecosystem likely recognize the name. Drift is a decentralized exchange focused on perpetual futures trading, also offering spot trading, lending, and vault services. According to its official materials, it is one of Solana’s largest open-source decentralized perpetual futures exchanges.
Public disclosures indicate the attack occurred on April 1, 2026—but preparations may have spanned six full months. In autumn 2025, a group claiming to be a quantitative trading team approached Drift staff at a major industry conference. They then created a group chat, held meetings, discussed trading strategies and integration plans—all standard procedure. Crucially, they didn’t just talk; they deposited over $1 million of their own funds into the ecosystem’s insurance vault. Little did anyone suspect this was a classic “long-line fishing” operation.
Viewed in isolation, the Drift incident would merely be another high-profile security breach. But placed alongside other major incidents from recent years, the pattern shifts dramatically.
Time and again, investigations circle back to North Korea.
II. North Korean Hackers’ Track Record
In February 2025, the FBI publicly attributed the theft of roughly $1.5 billion in virtual assets from Bybit to North Korea, labeling it part of the so-called “TraderTraitor” operation.
By year-end 2025, Chainalysis released annual data showing North Korean-linked hackers stole at least $2.02 billion in cryptocurrency assets—up 51% year-on-year. Their cumulative total since inception now stands at no less than $6.75 billion. A clear trend emerges: fewer attacks—but increasingly larger individual heists.
North Korea didn’t suddenly appear on the scene because of Bybit or Drift. It has been a persistent presence for years—and its footprint in crypto isn’t fading. It’s growing heavier.
Looking further back, North Korea’s crypto theft record is well-documented.
Reuters cited UN sanctions experts in 2024, reporting that the UN had investigated 97 suspected North Korean cyberattacks against cryptocurrency firms between 2017 and 2024—totaling approximately $3.6 billion.
In November 2024, South Korean police publicly stated that a $42 million Ethereum theft in 2019 was linked to a North Korean military intelligence-affiliated hacking group.
A notable detail in the Drift case: With support from relevant security teams, investigators have preliminarily linked this attack—and the October 2024 Radiant Capital hack—to North Korea.
Taken together, these aren’t isolated incidents. They’re repeated deployments of a highly refined, battle-tested playbook—by the same actors, across different projects, at different times, in varied contexts.
III. North Korea’s Harvesting Ecosystem
At this point, what this article truly aims to discuss isn’t “How much did North Korea steal recently?” Rather, it’s something far more critical for industry practitioners to grasp: Over the past few years, while everyone’s attention has centered on Hong Kong, the U.S., Dubai—on licenses, ETFs, stablecoins, L1s, payments, RWAs, custody—the quieter, harder reality is that North Korea has become the most consistent, systematic, and organized entity extracting real value from this industry.
Many people’s first impression of North Korea in crypto remains stuck on old tropes: hacker groups, coin theft, money laundering. Those labels aren’t wrong—but they vastly underestimate the scale and sophistication of what’s happening today.
What North Korea does goes far beyond “hacking a few projects.” More accurately, it has built an end-to-end harvesting ecosystem tightly integrated with the crypto industry itself.
Layer One: Large-Scale Theft
Attacking exchanges, cross-chain bridges, wallets, and protocols to directly extract assets. Bybit stands as the starkest example: $1.5 billion isn’t just another industry incident—it’s a systemic shock.
Chainalysis’s 2025 report notes that North Korean-linked attacks accounted for 76% of all service-platform thefts that year—and the top few cases accounted for the overwhelming majority of losses. This indicates not random opportunism, but deliberate resource concentration, target selection, and big-fish hunting.
Layer Two: Covert Infiltration
Gaining proximity to project teams, cultivating relationships, and posing as legitimate insiders. The Drift case is textbook. The attackers weren’t anonymous accounts appearing out of nowhere—they were people met at conferences, chatted with in group chats, and engaged deeply on technical and business details.
Reuters also reported that North Korean hackers increasingly infiltrate the crypto industry via fake job opportunities: sham employers, counterfeit company websites, fabricated technical assessments, and staged interviews. What makes these tactics dangerous isn’t novelty—it’s how seamlessly they mirror real industry workflows.
Layer Three: Remote Sleeper Agents
A June 2025 U.S. Department of Justice filing revealed that North Korean remote IT personnel—using stolen or forged identities—secured remote jobs at over 100 U.S. companies. Behind this pipeline lay fake websites, front companies, computer relay nodes, and money-laundering accounts.
FBI wanted notices further state that some individuals leveraged their remote access privileges to steal over $900,000 in cryptocurrency from two companies. At this level, the threat is no longer “external attack”—it’s “the intruder is already inside.” Once insiders gain entry, recruitment processes, hardware provisioning, code repository access, financial workflows, and endpoint management—all previously mundane operational details—become vectors for collusion-based security breaches and asset expropriation.
Layer Four: Money Laundering & Monetization
The final layer is backend laundering and fund processing. Reuters, citing UN sanctions experts in 2024, reported that North Korea laundered $147.5 million—stolen in prior incidents—via mixing tools in March 2024. That same report noted UN analysts believe such cyberattacks serve three interlinked goals: raising funds, evading sanctions, and financing weapons programs.
North Korea doesn’t stop at theft. It operates a full stack: splitting, hopping, laundering, and re-monetizing stolen assets.
IV. Why Crypto?
Many legitimate projects vanish after one market cycle—teams disband, products halt, tokens hit zero. Not North Korea. It holds no launch events, publishes no roadmaps, crafts no brand narratives—yet it extracts money from this industry every single year, with increasing sophistication.
North Korea’s sustained focus on crypto isn’t driven by fascination with new concepts. It’s driven by utility: crypto simply works better for them.
First, funds are easier to take and to move. In traditional finance, vast sums sit behind layers of barriers: banks, clearinghouses, cross-border regulations, sanctions lists, each a formidable hurdle, and any one of those intermediaries can hold or reverse a transfer. On-chain, once an initial foothold is found, a transfer settles in seconds, is irreversible, and needs nobody's approval; from there the stolen balance can be split across thousands of addresses, bridged to other chains, and swapped through decentralized exchanges at machine speed, faster than any freeze request can be coordinated. The difference is not only the intrusion but everything that follows the first signed transaction.
Second, organizations are easier to infiltrate. Crypto is inherently global, remote, and lightweight. Teams coordinate via messaging apps, video calls, code platforms, documentation tools, and test distribution systems—running development, fundraising, operations, integrations, and market-making entirely online. What looks like efficiency from one angle is, from another, a vastly expanded attack surface.
V. A Practical Security Guide for Crypto Practitioners
For many crypto project teams, this isn’t distant geopolitical news—it’s one of the most tangible operational risks facing the industry today. This isn’t an abstract security alert. It’s a concrete business challenge.
1. Employee Hiring & Remote Work Management
The U.S. Department of Justice and FBI have laid out the risk in stark terms: North Korean IT personnel use stolen or forged identities to land remote roles at U.S. companies, have the company-issued laptop shipped to a U.S. address where a facilitator keeps it powered and online, and then connect to it from abroad, so that the corporate network only ever sees a domestic endpoint. For crypto startups, any role touching code repositories, production environments, wallets, deployment pipelines, financial backends, or identity data demands far more than resume screening and deliverables review.
At minimum, three actions are required:
First, conduct cross-verified identity checks, not just LinkedIn profiles, video interviews, and passport photos: match the government ID shown on camera to the person in the live session, confirm that the address the laptop ships to is the address on the payroll and tax records, and treat any request to ship hardware to a third party or to a different address as a red flag.
Second, mandate company-controlled devices for sensitive roles, enrolled in device management before any access is granted. Never silently permit long-term use of purely personal laptops for core business functions.
Third, enforce least privilege by default, especially for probationary staff, contractors, and freelancers: grant the narrow access the current task needs, time-box anything elevated, and review it at the end of probation. Don't grant broad access upfront and plan to revoke it later.
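As an added illustration of the hardware-shipping pattern described above (example code written for this page, not from the DOJ, the FBI, Drift or any other project), the check below looks for one tell-tale of a shared relay location: company devices assigned to different employees, who declare different home locations, all checking in from the same public IP. The telemetry rows are constructed, the employee names and IPs are placeholders, and the output is a lead for HR and security to verify, not an attribution.

```python
from collections import defaultdict

# Constructed sample telemetry: (employee, device_id, declared_location, public_ip).
# In practice these rows come from the MDM or VPN gateway's check-in records.
CHECKINS = [
    ("alice", "LT-001", "Denver, CO",  "203.0.113.10"),
    ("alice", "LT-001", "Denver, CO",  "203.0.113.10"),
    ("bob",   "LT-002", "Austin, TX",  "203.0.113.10"),  # shares alice's egress IP
    ("carol", "LT-003", "Boston, MA",  "198.51.100.7"),
    ("dave",  "LT-004", "Miami, FL",   "198.51.100.7"),  # shares carol's egress IP
    ("erin",  "LT-005", "Seattle, WA", "192.0.2.44"),
    ("frank", "LT-006", "Seattle, WA", "192.0.2.44"),    # same city: plausibly one office
    ("carol", "LT-003", "Boston, MA",  "198.51.100.7"),
]


def devices_by_ip(checkins):
    """Map each public IP to the set of (employee, device, declared_location) seen behind it."""
    seen = defaultdict(set)
    for emp, dev, loc, ip in checkins:
        seen[ip].add((emp, dev, loc))
    return seen


def relay_candidates(checkins, min_employees=2):
    """Findings for IPs shared by devices of different employees who declare
    different locations. Two people in the same city behind one IP is a normal
    office or shared home; two people who claim to live in different states
    behind one IP is the pattern worth a phone call."""
    findings = []
    for ip, entries in devices_by_ip(checkins).items():
        employees = {e for e, _, _ in entries}
        locations = {l for _, _, l in entries}
        if len(employees) >= min_employees and len(locations) > 1:
            findings.append({
                "ip": ip,
                "employees": sorted(employees),
                "declared_locations": sorted(locations),
            })
    return sorted(findings, key=lambda f: f["ip"])


if __name__ == "__main__":
    for f in relay_candidates(CHECKINS):
        print(f"{f['ip']}: {', '.join(f['employees'])} declare {', '.join(f['declared_locations'])}")
```

Shared egress IPs also arise legitimately from offices, corporate VPNs and carrier-grade NAT, so the finding is a triage signal to be checked against the shipping address, the payroll address and a live video call, not a verdict on its own.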
2. Partner Identity Verification
Drift’s case delivers one of the industry’s most urgent reminders: Having met someone offline, chatted smoothly online, asked sharp technical questions, and even seen them invest real capital—none of these automatically confer trust.
A more practical approach: Verification must go beyond business cards, official websites, and social media. Scrutinize corporate registration records, historical project footprints, verifiable team members, and feedback from mutual contacts. When engagement deepens and collaboration intensifies, due diligence must only increase—not slacken.
3. Elevating Security Audits
Many teams still equate “security audit” with smart contract reviews, wallet management, multisig configurations, and on-chain monitoring. These remain essential—but insufficient.
Today's priority is auditing "human workflows": Who can pull external code or dependencies into the build? Who handles multisig-related hardware? Who accesses production environments? Who triggers financial approvals? Whose endpoints touch core permissions? Most teams haven't systematically mapped these flows.
A pragmatic step: conduct quarterly permission and endpoint audits. First, inventory who can access multisig setups, view core code repositories, enter production environments, or approve financial transactions, and compare that list against who actually needs each of those today. Then isolate and risk-assess every device associated with those people, including phones and personal machines that have ever held a signing key or an authenticated session. Drift itself advised in its post-incident update: audit your team, who has access to what, and treat every device that touches the multisig as a potential target.
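A minimal version of that quarterly review, as an added example written for this page (not Drift's tooling or any team's production script). The inventory rows are constructed, the permission labels are assumed names rather than any product's role names, and the three rules it applies are assumed policy thresholds a team would set for itself: no sensitive permission for non-permanent staff, no unmanaged device on anyone who holds one, and a flag on anyone holding more than one.

```python
# Sensitive permissions: the "who can touch what" list the review is about.
# Assumed labels for illustration, not any product's role names.
SENSITIVE = {"multisig_signer", "prod_deploy", "repo_admin", "finance_approve"}

# Statuses that should not hold sensitive permissions by default.
NON_PERMANENT = {"contractor", "probation", "freelancer"}

# Constructed inventory, as it might be exported from an IdP, MDM and multisig
# config and flattened into one row per person.
PEOPLE = [
    {"name": "alice", "status": "employee",
     "permissions": {"repo_read", "prod_deploy", "multisig_signer"},
     "devices": [{"id": "LT-001", "managed": True}]},
    {"name": "bob", "status": "contractor",
     "permissions": {"repo_read", "prod_deploy"},
     "devices": [{"id": "BYOD-77", "managed": False}]},
    {"name": "carol", "status": "probation",
     "permissions": {"repo_read", "finance_approve"},
     "devices": [{"id": "LT-003", "managed": True}]},
    {"name": "dave", "status": "employee",
     "permissions": {"multisig_signer"},
     "devices": [{"id": "LT-004", "managed": True}, {"id": "PHONE-9", "managed": False}]},
    {"name": "erin", "status": "employee",
     "permissions": {"repo_read"},
     "devices": [{"id": "BYOD-12", "managed": False}]},
]


def holders(people, permission):
    """Everyone who holds a permission: the inventory step of the review."""
    return sorted(p["name"] for p in people if permission in p["permissions"])


def review(people, sensitive=SENSITIVE, max_sensitive=1):
    """Apply the review rules and return (name, finding) pairs."""
    findings = []
    for p in people:
        held = sorted(p["permissions"] & sensitive)
        if not held:
            continue  # nothing sensitive, nothing to review for this person
        if p["status"] in NON_PERMANENT:
            findings.append((p["name"], f"{p['status']} holds {', '.join(held)}"))
        for d in p["devices"]:
            if not d["managed"]:
                findings.append((p["name"], f"unmanaged device {d['id']} on a holder of {', '.join(held)}"))
        if len(held) > max_sensitive:
            findings.append((p["name"], f"holds {len(held)} sensitive permissions: {', '.join(held)}"))
    return findings


if __name__ == "__main__":
    print("multisig signers:", holders(PEOPLE, "multisig_signer"))
    for name, finding in review(PEOPLE):
        print(f"{name}: {finding}")
```

The value of running this every quarter is the diff: a signer who was added "temporarily" three months ago, or a phone that quietly became a multisig approval device, shows up as a new finding instead of being discovered during an incident.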
4. Security Budgets as Operational Costs
Small teams often cut corners on security—skimping on audits, risk controls, process design, and endpoint management—deeming them expensive, slow, or disruptive to business momentum. Yet North Korean attacks consistently demonstrate willingness to invest substantial time and nontrivial resources for high-yield returns. For crypto professionals managing large customer asset pools, this should serve as a loud, unambiguous wake-up call.
As the cryptocurrency industry matures, a common question persists: What has it actually changed?
Some say it changed payments. Others claim it changed asset issuance. Still others argue it changed global capital flows.
But include North Korea in that analysis—and you’ll find it has undeniably changed at least one thing: It has given a nation historically constrained across traditional finance its first-ever, enduring, cross-border, revenue-generating toolset.
It just chose the most direct—and least dignified—path to get there.