Written by: Liu Honglin
The cryptocurrency industry has been quite desolate in the past six months, as if it were a beach after the tide has receded.
There are still people, and projects are still running, but the feeling of a new project appearing every few days to tell its story, of financing announcements everywhere, of someone shouting every day to get on board, has largely faded.
The teams that remain will, of course, talk about visions and long-term goals, but what they often discuss in private are more down-to-earth matters: how much money is still on the books, how to further cut costs, and how to stabilize the team to endure the winter of the bear market.
However, the harshest blow a bear market can deal a project team is sometimes not the drop in token prices, nor the difficulty of raising money, but a further hit landing on an already tight situation: having its assets stolen.
Being robbed in a bull market is painful; being robbed in a bear market can be fatal.
1. Drift: $285 Million Stolen
The latest incident involves Drift, with a theft of approximately $285 million, one of the largest DeFi attacks since the beginning of 2026.
Anyone familiar with the Solana ecosystem will know the name. It is a decentralized trading platform focused mainly on perpetual contracts, also covering spot trading, lending, and vaults. Its official materials describe it as one of the largest open-source perpetual-contract decentralized exchanges on Solana.
According to publicly disclosed information, the attack took place on April 1, 2026, but it may have been preceded by roughly six months of preparation. In the fall of 2025, a group presenting itself as a quantitative trading team made contact with Drift staff at a major industry conference. They went on to form a chat group, hold meetings, and discuss strategies and business integration. The process looked entirely normal, and, most importantly, they did not just talk: they actually deposited over $1 million of their own funds into the ecosystem's vault. Who would have guessed this was a long game?
If we look at Drift alone, the incident counts as just another security incident at a leading project. Placed alongside the major cases of the past few years, however, it looks different.
Multiple cases keep circling back to North Korea.
2. The North Korean Hackers' Track Record
In February 2025, the FBI publicly stated that the theft of approximately $1.5 billion in virtual assets from Bybit was carried out by North Korea, attributing it to the activity cluster it calls "TraderTraitor".
At the end of 2025, Chainalysis released annual figures showing that North Korea-linked hackers stole at least $2.02 billion in crypto assets in 2025, a year-on-year increase of 51%, bringing the cumulative total to at least $6.75 billion. The trend is clear: the number of successful North Korean attacks fell, while the amount stolen per incident rose.
North Korea did not suddenly become a name in this industry because of Bybit or Drift. It has been active for years, and its presence in the cryptocurrency industry is not weakening but growing.
Looking further back, its record of cryptocurrency theft is long.
In 2024, Reuters quoted UN sanctions experts as saying that the United Nations was investigating 97 suspected North Korean cyberattacks on cryptocurrency companies between 2017 and 2024, worth around $3.6 billion in total.
In November 2024, South Korean police also publicly stated that the theft of approximately $42 million in Ethereum in 2019 was linked to a hacking group associated with North Korea's military intelligence.
The Drift case adds one more detail: with the help of the security teams involved, the operation has been linked to the same North Korea-associated actors behind the October 2024 attack on Radiant Capital.
Viewed together, these are not unrelated cases, but the same actors repeatedly applying a well-rehearsed playbook across different projects, periods, and scenarios.
3. North Korea's Harvesting System
What this article really wants to discuss is not "how much money North Korea has stolen lately" but a larger point that practitioners should take seriously. Over the past few years, discussion of the cryptocurrency industry has centered on Hong Kong, the United States, and Dubai; on licenses, ETFs, stablecoins, public chains, payments, RWAs (Real World Assets), and custodians. These are the visible narratives.
The harsher reality is that the most consistent, systematic, and organized entity taking real money out of this industry is North Korea.
Many people’s first reaction when mentioning North Korea's presence in the cryptocurrency industry is still the same old impressions: hacker organization, coin theft, money laundering. These terms are certainly not wrong, but they may still underestimate it today.
What it is doing is no longer as simple as "stealing from a few projects." More accurately, it has built a complete harvesting system around the cryptocurrency industry.
First Layer: Large-Scale Theft
Attacking exchanges, cross-chain bridges, wallets, and protocols and taking the assets directly. Bybit is the most prominent example: at $1.5 billion, the scale no longer resembles an ordinary industry incident.
The 2025 Chainalysis report also noted that North Korea-linked attacks accounted for 76% of all funds stolen from service platforms that year, with a handful of large cases making up most of the losses. These are not petty thieves casting a wide net; they are increasingly good at concentrating resources, choosing targets, and landing big fish.
Second Layer: Disguised Infiltration
Approaching project teams, cultivating relationships, and posing in roles that look normal for the industry. Drift is the textbook case: the adversaries were not anonymous accounts appearing out of nowhere, but people met at events, who chatted in groups and discussed business in detail.
Reuters has also reported that North Korean hackers increasingly infiltrate the industry through fabricated job opportunities: fake employers, fake company websites, fake technical tests, and fake interview processes. What makes these frightening is not their novelty but that they are embedded in the industry's real workflows.
Third Layer: Remote Undercover
Cases disclosed by the U.S. Department of Justice in June 2025 showed North Korea-linked remote IT workers using stolen or forged identities to obtain remote jobs at more than 100 U.S. companies, supported by a chain of fake websites, front companies, laptop relay points, and money-laundering accounts.
FBI wanted notices showed that some of these individuals used the access of their remote positions to steal over $900,000 in virtual currency from two companies. At this layer the risk is no longer "external attack" but "the intruder is already inside." Once someone is in, things that seemed trivial, such as recruitment, devices, code repository access, financial processes, and endpoint management, each become a foothold for a breach and for draining assets.
Fourth Layer: Money Laundering and Monetization
The final layer is back-end laundering and cash-out capability. In March 2024, Reuters quoted UN sanctions experts as saying that North Korea had laundered $147.5 million stolen in an earlier incident through a mixing service; the same report noted that the UN believes these attacks serve to raise funds, evade sanctions, and support its weapons programs.
North Korea does not stop at "theft"; it has a full set of capabilities for splitting, transferring, cleaning, and monetizing what it takes.
4. Why the Cryptocurrency Industry?
Many legitimate projects die within a single bull-and-bear cycle: teams disperse, products stop, token prices go to zero. North Korea is not like that. It holds no press conferences, publishes no roadmaps, tells no brand story, yet it extracts money from this industry every year with increasingly refined methods.
North Korea will keep a long-term watch on the cryptocurrency industry not because it cares about the new concepts, but because the industry is genuinely useful to it.
First, funds are easier to steal. Much of the money in the traditional financial system is out of its reach or too costly to get at: banks, clearing, cross-border regulation, and sanctions lists each stand in the way. On-chain, once the front end yields an entry point, the room for subsequent splitting, cross-chain movement, and redistribution is far greater. Once stolen assets are on-chain, the options for processing them and the difficulty of tracing them differ greatly from traditional finance.
Second, organizations are easier to infiltrate. The cryptocurrency industry is inherently global, remote, and loosely organized. Everyone relies on chat apps, video conferencing, code hosting, document tools, and test-build distribution tools to run collaboration, development, financing, operations, integrations, and market making. This looks efficient, but from another angle it is an attack surface.
5. A Guide for Cryptocurrency Practitioners
For many cryptocurrency project teams, this is not distant geopolitical news or an abstract security reminder; it is one of the most concrete business risks in the industry today.
1. Employee Recruitment and Remote Management
The U.S. Department of Justice and FBI have described the pattern in detail: North Korea-linked IT workers use stolen or forged identities to obtain remote positions at U.S. companies, have company-issued laptops delivered to relay points ("laptop farms") inside the U.S., and then access the company network through those machines remotely. For a cryptocurrency startup, any position that touches code repositories, production environments, wallets, deployment pipelines, financial back ends, or identity data can no longer be filled on the strength of a resume and delivered work alone.
At a minimum, three things must be done:
First, identity must be cross-checked through independent channels; a professional networking profile, a video interview, and a single passport photo are not enough.
Second, sensitive positions must work from company-controlled devices; personal computers must not be allowed to handle core business over the long term.
Third, permissions should default to the minimum necessary, especially for probationary employees, outsourced personnel, and contractors. Do not grant broad access up front with the intention of trimming it later.
2. Partner Identity Verification
One of the clearest lessons from Drift is that meeting someone in person, chatting with them smoothly online, hearing them ask professional questions, or even seeing them put in real money: none of these, alone or together, makes a counterparty trustworthy.
A more pragmatic approach: verification must go beyond business cards, official websites, and social media to include company registration records, traces of past projects, the real identities of team members, and feedback from mutual acquaintances; where necessary, ask for verifiable institutional documentation. The longer the engagement and the deeper the cooperation, the more risk controls should be in place, not fewer.
3. Security Audits Must Upgrade
When teams talk about security audits today, they still mostly mean smart contract audits, wallet management, multisig configuration, and on-chain monitoring. These remain necessary, but they are no longer sufficient.
More attention now belongs on the "human workflow": who can pull the code repositories, who has touched multisig-related devices, who can reach production environments, who can trigger financial approvals, and whose endpoints carry core privileges. Few teams assess these questions systematically or regularly.
A more pragmatic approach is to audit permissions and endpoints at least quarterly: first inventory who can access the multisig, who can read the core repositories, who can enter production, and who holds financial approval rights; then isolate the related devices and run risk checks on them. Drift's own post-incident updates make the same point: check the team, audit who has access to what, and treat every device that has ever interacted with the multisig as a potential target.
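The quarterly review above, together with the three recruitment rules in section 5.1 (cross-checked identity, company-controlled devices, least privilege for probationary and contract staff), can be turned into a mechanical check rather than a conversation. The script below is an added illustration, not code from Drift, the author, or any real project: it cross-references a constructed HR roster against a constructed list of access grants and emits a finding for every violation of those rules, plus the list of devices that have touched the multisig and therefore need triage. Field names, the status vocabulary, and the system names are assumptions chosen for the example.

```python
"""Quarterly access review: cross-check an HR roster against access grants.

All data below is constructed for illustration. The rules encode the
article's guidance: sensitive access only from company-managed devices and
only after identity has been cross-checked, no high-trust roles for
probationary or contract staff, no lingering access after offboarding, and
every device that has interacted with the multisig treated as a target.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Systems the article says are worth inventorying every quarter (assumed names).
SENSITIVE = {"multisig_signer", "prod_deploy", "treasury_approval", "core_repo"}
# Access that should never sit with probationary or outsourced staff.
HIGH_TRUST_ONLY = {"multisig_signer", "treasury_approval"}


@dataclass
class Person:
    handle: str
    status: str             # "employee" | "probation" | "contractor" | "offboarded"
    device_id: str
    managed_device: bool    # True if the laptop is company-controlled (MDM, full-disk encryption)
    identity_verified: bool  # True only after an out-of-band identity cross-check


@dataclass
class Grant:
    handle: str
    system: str             # e.g. "multisig_signer", "core_repo"
    granted_on: str         # ISO date, kept for the audit trail


@dataclass
class Finding:
    handle: str
    system: str
    rule: str
    detail: str


def review_access(people: List[Person], grants: List[Grant]) -> List[Finding]:
    """Return one Finding per policy violation; an empty list means a clean review."""
    roster = {p.handle: p for p in people}
    findings: List[Finding] = []
    for g in grants:
        p = roster.get(g.handle)
        if p is None:
            findings.append(Finding(g.handle, g.system, "unknown_identity",
                                    "grant exists for someone not on the roster"))
            continue
        if p.status == "offboarded":
            findings.append(Finding(g.handle, g.system, "lingering_access",
                                    "offboarded but still holds access"))
            continue
        if g.system in SENSITIVE and not p.identity_verified:
            findings.append(Finding(g.handle, g.system, "identity_not_cross_checked",
                                    "sensitive access granted before identity was verified"))
        if g.system in SENSITIVE and not p.managed_device:
            findings.append(Finding(g.handle, g.system, "personal_device",
                                    f"{p.device_id} is not company-managed"))
        if g.system in HIGH_TRUST_ONLY and p.status in {"probation", "contractor"}:
            findings.append(Finding(g.handle, g.system, "least_privilege",
                                    f"{p.status} account holds {g.system}"))
    return findings


def inventory(grants: List[Grant]) -> Dict[str, List[str]]:
    """Who can do what, grouped by system and sorted for a stable report."""
    out: Dict[str, List[str]] = {}
    for g in grants:
        out.setdefault(g.system, []).append(g.handle)
    return {system: sorted(handles) for system, handles in sorted(out.items())}


def multisig_devices(people: List[Person], grants: List[Grant]) -> Set[str]:
    """Every device of anyone holding a multisig signer grant: the triage list."""
    roster = {p.handle: p for p in people}
    return {roster[g.handle].device_id for g in grants
            if g.system == "multisig_signer" and g.handle in roster}


# Constructed sample roster and grants (not real people or a real project).
PEOPLE = [
    Person("alice", "employee", "LT-001", True, True),
    Person("bob", "probation", "LT-002", True, True),
    Person("carol", "contractor", "PERSONAL-MBP", False, False),
    Person("dave", "offboarded", "LT-004", True, True),
]
GRANTS = [
    Grant("alice", "multisig_signer", "2025-01-10"),
    Grant("bob", "multisig_signer", "2025-11-02"),     # probationary signer
    Grant("carol", "prod_deploy", "2025-09-15"),       # contractor, personal laptop, unverified
    Grant("dave", "core_repo", "2024-03-01"),          # left the company, access never revoked
    Grant("erin", "treasury_approval", "2025-12-01"),  # not on the roster at all
]

if __name__ == "__main__":
    for system, handles in inventory(GRANTS).items():
        print(f"{system}: {', '.join(handles)}")
    for f in review_access(PEOPLE, GRANTS):
        print(f"[{f.rule}] {f.handle} / {f.system}: {f.detail}")
    print("devices to triage:", sorted(multisig_devices(PEOPLE, GRANTS)))
```

Run on the sample data, the review flags five problems: a probationary signer, a contractor reaching production from an unverified identity on a personal laptop, an offboarded engineer who still has the repository, and a treasury approver nobody on the roster can account for. The roster and grant lists are where real teams would plug in exports from their HR system, multisig configuration, Git hosting, and cloud IAM; the rules themselves rarely need to change.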
4. Security Budget as Operational Cost
Many small teams try to save money on audits, risk controls, process design, and endpoint management, regarding them as expensive, slow, or an obstacle to the business. Yet the defining feature of North Korea-linked attacks in recent years is a willingness to invest months of time and effort for a high payoff. For practitioners who hold substantial client assets, that should be a loud reminder.
As the cryptocurrency industry has developed to this point, everyone loves to ask one question: what has it really changed?
Some might say it has changed payments; others might say it has changed asset issuance; still others might argue it has transformed the flow of global capital.
However, once North Korea is added to the picture, it has at least changed one thing: it has given a country that was tightly constrained within the traditional financial system a way to operate long-term, move funds across borders, and keep extracting cash.
It just did so in the most direct and least dignified way.
Disclaimer: This article represents the personal views of the author only and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes your rights, please send proof of rights and proof of identity to support@aicoin.com, and the platform's staff will review it.