North Korean hackers continue to target the crypto industry; here are four strategies for practitioners to respond.

Summary

  • The article discusses security challenges in the cryptocurrency industry during bear markets, using the $285 million theft from Drift in 2026, a major DeFi attack on the Solana ecosystem, as its key example.
  • It highlights the persistent activity of North Korean hackers, who have stolen billions cumulatively, as seen in cases like Bybit's $1.5 billion theft, showing organized attacks.
  • It details the North Korean harvesting system: large-scale thefts, infiltration (e.g., contact with projects like Drift), remote sleeper agents (using stolen identities for jobs), and money laundering.
  • It analyzes why the crypto industry is targeted: funds are easier to misappropriate due to on-chain liquidity, and organizations are easier to infiltrate due to remote work culture.
  • It provides guidance for industry practitioners: strengthen identity verification, controlled devices, and minimal permissions in employee hiring and remote management; verify partners' authenticity; upgrade security audits to focus on access and endpoints; treat the security budget as an operating cost.

Author: Lawyer Liu Honglin

For the last six months, the cryptocurrency industry has felt as deserted as a beach after the tide has gone out.

The people are still here, and the projects are still here, but the feeling of new projects popping up every other day, funding announcements everywhere, and people in the group chats clamoring to get in has faded considerably.

The remaining team members will certainly talk about vision and long-term goals, but in private they often talk more about very practical things: how much money they have in the account, how to further reduce costs, and how to stabilize the team and get through the winter of the bear market.

But the worst thing about a bear market for project teams is sometimes not the drop in coin prices or the difficulty in raising funds, but that an already struggling household is hit with fresh misfortune, such as having its assets stolen.

Being robbed in a bull market is painful; being robbed in a bear market is truly devastating.

I. Drift suffers $285 million theft

The project hit this time is Drift; with approximately $285 million stolen, it is one of the largest DeFi attacks since the beginning of 2026.

Those familiar with the Solana ecosystem will likely recognize the name. It's a decentralized exchange primarily focused on perpetual contract trading, but also covers spot trading, lending, and vault services. Official documentation describes it as one of the largest open-source perpetual contract decentralized exchanges on Solana.

According to publicly disclosed information, the attack occurred on April 1, 2026, but it may have been brewing for six months prior. In the fall of 2025, a group claiming to be a quantitative trading team contacted Drift staff at a large industry conference. The subsequent group chats, meetings, and discussions about strategies and business integration all proceeded normally. More importantly, they did not just talk; they actually deposited over $1 million of their own funds into the ecosystem vault. Little did anyone know that this was a long game to reel in a bigger fish.

If you only look at Drift, this incident is at most another security breach at a top-tier project. But if you put it in the context of other major cases that have occurred in the industry over the past few years, the situation is quite different.

Multiple cases, however circuitous the trail, eventually lead back to North Korea.

II. North Korean hacking achievements

In February 2025, the FBI publicly stated that the theft of approximately $1.5 billion in virtual assets from Bybit was carried out by North Korea, attributing it to the so-called "TraderTraitor" operation.

At the end of 2025, Chainalysis released annual data showing that North Korean hackers stole at least $2.02 billion in crypto assets in 2025, a year-on-year increase of 51%, bringing the cumulative historical total to at least $6.75 billion. A striking pattern was that the number of North Korean attacks fell while the individual attacks grew larger and larger.

North Korea isn't a name that suddenly emerged recently because of Bybit or Drift; it's been around for years, and its presence in the crypto industry isn't getting weaker, but rather stronger.

Looking further back, North Korea's record of crypto theft is a long one.

In 2024, Reuters cited materials from UN sanctions experts stating that the UN investigated 97 cyberattacks allegedly launched by North Korea against cryptocurrency companies between 2017 and 2024, involving approximately $3.6 billion.

In November 2024, South Korean police also publicly stated that a 2019 Ethereum theft case involving approximately $42 million was linked to a hacker group connected to the North Korean military intelligence system.

Another detail regarding Drift is that, based on the findings of the security teams involved, the current consensus is that both this operation and the Radiant Capital attack in October 2024 are linked to North Korea.

When viewed together, these are not several unrelated cases, but rather the same type of people repeatedly using a well-refined and mature approach in different projects, at different times, and in different scenarios.

III. North Korean Hackers' Harvesting System

At this point, what this article really wants to discuss is not "how much money North Korea has stolen recently," but something else that industry practitioners should pay more attention to: In the past few years, when people talk about the crypto industry, their attention has been focused on Hong Kong, the United States, and Dubai, and on the overt narratives such as licenses, ETFs, stablecoins, public chains, payments, RWA, and custody.

But another, more compelling fact is that North Korea is the one that has been taking real money from this industry most consistently, systematically, and in an organized manner.

When many people hear about North Korea's presence in the crypto industry, their first reaction is still the same old impression: a hacking organization that steals cryptocurrency and launders money. These labels are certainly correct, but on reflection they may underestimate its reach.

Because what it does has long since gone beyond simply "hacking a few projects." To be more precise, it has increasingly developed a complete system for exploiting the crypto industry.

First layer: Large-scale currency theft

Attacks on exchanges, cross-chain bridges, wallets, and protocols allow for the direct theft of assets. Bybit is a prime example; a single $1.5 billion theft is no longer an ordinary industry incident.

Chainalysis's 2025 report also noted that North Korean-related attacks accounted for 76% of all service platform theft incidents that year, with the top cases accounting for the vast majority of losses. This indicates that North Korea is not a thief casting a wide net, but is increasingly adept at concentrating resources, selecting targets, and catching big fish.

Second layer: Disguise and infiltration

They approach project teams, cultivate relationships, and pose as ordinary industry insiders. Drift's case is a prime example. The counterparty wasn't an unfamiliar account that suddenly appeared; it was people the team had met at events, chatted with in group chats, and discussed many business details with.

Reuters also reported that North Korean hackers are increasingly infiltrating the crypto industry by creating fake job postings. The frightening thing about these fake job postings, fake company websites, fake technical tests, and fake interview processes isn't their novelty, but rather that they all mirror the real workflows within the industry.

Third layer: Remote infiltrators

A case released by the U.S. Department of Justice in June 2025 revealed that North Korean IT workers used stolen or forged identities to obtain remote work at more than 100 U.S. companies; behind the entire chain were supporting structures such as fake websites, front companies, computer relay points, and money laundering accounts.

The FBI's wanted notices also revealed that some individuals used remote access privileges to steal over $900,000 worth of cryptocurrency from two companies. At this level, the risk is no longer an "external attack"; rather, "the people are already inside the house." Once they are in, seemingly trivial matters such as recruitment, equipment, code repository access, financial processes, and endpoint management can all become avenues for a coordinated attack and asset theft.

Fourth layer: Money laundering and monetization

The final layer is the back-end money laundering and fund processing capability. Reuters, citing materials from UN sanctions experts in 2024, reported that in March 2024 North Korea laundered $147.5 million in assets stolen in earlier cases through mixing services; the same report also mentioned that the UN believed such cyberattacks were related to obtaining funds, circumventing sanctions, and supporting its weapons programs.

North Korea doesn't just "steal and then stop"; it has a whole set of capabilities for splitting, redirecting, cleaning, and then monetizing what it takes.

IV. Why the Crypto Industry?

Many legitimate projects fail after just one bull and bear market cycle; the team disbands, the product stops, and the coin price drops to zero. North Korea is different. It holds no press conferences, has no roadmap and no brand narrative, yet it steadily extracts money from the industry every year, and its methods are becoming increasingly sophisticated.

North Korea will keep a close eye on the crypto industry not because it is particularly interested in these new concepts, but because the industry is genuinely useful to it.

First, funds are easier to steal. In the traditional financial system, much money is inaccessible or too costly to reach: banks, clearinghouses, cross-border regulations, and sanctions lists each present a barrier. In the on-chain world, however, once an entry point is found at the front end, the scope for subsequent splitting, cross-chain movement, and redistribution is far larger. Once stolen assets enter the on-chain system, the room and difficulty of further processing are entirely different from those in traditional finance.

Secondly, organizations are easier to penetrate. The crypto industry is inherently globalized, remote, and lightweight. Everyone relies on social media, video conferencing, code platforms, documentation tools, and testing and distribution tools to handle collaboration, development, financing, operations, integration, and market making. Normally, this is efficiency; from another perspective, it's the attack surface.

V. Coping Guidelines for Crypto Practitioners

For many crypto project teams, this isn't some distant international political news, but rather one of the most pressing operational risks facing the industry today. This isn't an abstract security reminder, but a very real business issue.

1. Employee recruitment and remote management

The US Department of Justice and the FBI have outlined the risks in detail: North Korean IT personnel may use stolen or forged identities to apply for remote positions at US companies, receive equipment shipped by the companies through computer relay points within the US, and then remotely access the company network. For startups in the crypto industry, any position involving access to code repositories, production environments, wallets, deployment processes, financial back-end systems, or identity authentication data can no longer be filled on the strength of a résumé and deliverables alone.

At least three things need to be done:

First, identity verification should be cross-checked through multiple channels, and cannot rely solely on a professional social networking profile, a video interview, and a passport photo.

Second, sensitive positions must use company-controlled devices; handling core business from purely personal computers should not be tolerated for long.

Third, permissions should be minimized by default, especially for probationary employees, outsourced personnel, and contract workers. Don't grant broad access at the start and plan to trim it later.

2. Partner Identity Verification

One of the biggest lessons Drift has given the industry is that you can no longer automatically assume someone is trustworthy just because you've met them in person, had a smooth online conversation, heard them ask professional questions, or even seen them actually invest money.

A more pragmatic approach is to go beyond business cards, official websites, and social media. Verification should include checking company registration information, historical project records, actual team members, and feedback from mutual acquaintances. If necessary, request verifiable institutional documentation. The longer the relationship and the deeper the collaboration, the more crucial risk control measures should be.

3. Security audits need to be upgraded.

When many teams talk about security auditing now, they still think of smart contract auditing, wallet management, multi-signature configuration, and on-chain monitoring. Of course, these are all necessary, but they are no longer enough.

Today, the focus should be on "human workflows." Who can download external code repositories, who has access to multisig-related devices, who can enter the production environment, who can trigger financial approvals, and whose endpoints hold core privileges? Many teams have never systematically inventoried these questions.

A more pragmatic approach is to conduct access control and endpoint audits at least once a quarter: first, take stock of who has access to multisig accounts, who can view the core code repository, who can access the production environment, and who has financial approval privileges; then, isolate the relevant devices and check them for risk. Drift itself, in its updates, also urges teams to audit their staff, identify who has permission to access what, and treat every device that has access to multisig accounts as a potential target.
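The quarterly access-and-endpoint review described above, reduced to a runnable check; this is an added example, not code from the article or from Drift, and the inventory, names and grant labels are constructed for illustration:

```python
# Added example: a quarterly least-privilege and endpoint review over a
# constructed inventory of who holds which critical grant (hypothetical names).
from dataclasses import dataclass

# The grants the article singles out: multisig, core repo, production, finance.
CRITICAL = {"multisig_signer", "repo_admin", "prod_access", "finance_approver"}
# Statuses that should start with minimal access by default.
PROVISIONAL = {"probation", "contractor", "outsourced"}

@dataclass(frozen=True)
class Person:
    name: str
    status: str              # "employee" or one of PROVISIONAL
    grants: frozenset        # permissions currently held
    device: str              # "managed" (company-controlled) or "personal"
    identity_verified: bool  # cross-checked beyond profile + video + passport photo

def review(people):
    """Return (who, finding) pairs for every violation found in the inventory."""
    findings = []
    for p in people:
        crit = p.grants & CRITICAL
        if not crit:
            continue  # no critical grant: nothing to flag this quarter
        if p.status in PROVISIONAL:
            findings.append((p.name, f"{p.status} holds {sorted(crit)}"))
        if p.device != "managed":
            findings.append((p.name, "critical grant used from unmanaged device"))
        if not p.identity_verified:
            findings.append((p.name, "identity not cross-verified"))
    # Every multisig device is a target; make sure the signer set is inventoried.
    signers = [p.name for p in people if "multisig_signer" in p.grants]
    if len(signers) < 2:
        findings.append(("multisig", f"only {len(signers)} signer(s) inventoried"))
    return findings

# Constructed sample inventory.
INVENTORY = [
    Person("alice", "employee", frozenset({"multisig_signer", "repo_admin"}), "managed", True),
    Person("bob", "employee", frozenset({"multisig_signer", "prod_access"}), "personal", True),
    Person("carol", "contractor", frozenset({"repo_admin"}), "managed", False),
    Person("dave", "probation", frozenset({"docs_edit"}), "personal", False),
]

if __name__ == "__main__":
    for who, finding in review(INVENTORY):
        print(f"{who}: {finding}")
```

In practice the inventory would be exported from the identity provider, repository host and multisig tooling rather than typed in; the point is that the review runs on a schedule and produces a list someone has to sign off on.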

4. The security budget is part of the operating costs.

Many small teams are most tempted to cut corners on auditing, risk control, process design, and endpoint management, finding them expensive, slow, and a drag on the business. However, the defining characteristic of North Korean-related attacks in recent years is a willingness to invest significant time and resources in a single high-return strike. That should be a stark reminder to those in the crypto industry who manage substantial client assets.

As the cryptocurrency industry has developed to its current state, people often ask the same question: what exactly has it changed?

Some would say it changed payments; others would say it changed asset issuance; still others would say it changed the way global capital flows.

However, if you include North Korea in your analysis, you'll find that it has at least changed one thing: it has allowed a country that was previously constrained in the traditional financial system to find a tool that can operate long-term, flow across borders, and provide continuous access to funds for the first time.

However, it did so in the most direct and also the most undignified way.

Author: PA荐读

Opinions belong to the column author and do not represent PANews.