Written by: Liu Honglin
In the past six months, the cryptocurrency industry has felt as desolate as a beach after the tide recedes.
There are still people, and projects still exist, but the sense of new projects launching every few days, financing news everywhere, and group chats constantly urging everyone to get in has faded considerably.
The teams that remain still talk about vision and long-term goals, but in private the conversation often comes down to very basic questions: how much money is left in the account, where else to cut costs, and how to keep the team together to survive the bear market winter.
But the harshest part of a bear market for a project team is often not the falling coin price or the difficulty of raising money; it is the additional blow that lands on a team already short of cash, such as having its assets stolen.
Getting stolen in a bull market is painful; getting stolen in a bear market can be life-threatening.
I. Drift: $285 Million Stolen
This time the victim was Drift, in one of the largest DeFi attacks of 2026 so far, with an estimated loss of about $285 million.
Those familiar with the Solana ecosystem will know the name. Drift is a decentralized exchange focused on perpetual futures that also offers spot trading, lending, and vault products; its official materials describe it as one of the largest open-source decentralized perpetuals platforms on Solana.
According to publicly disclosed information, the attack took place on April 1, 2026, but it may have been preceded by a full six months of groundwork. In the autumn of 2025, a group presenting itself as a quantitative trading team made contact with Drift staff at a major industry conference. What followed looked like an entirely normal business process: a chat group was set up, meetings were held, strategies were discussed, and integration was talked through. More importantly, the counterpart did not just talk; they actually deposited more than $1 million of their own funds into the ecosystem vault. Who would have guessed this was a long game to land a much bigger fish?
If we only look at Drift, this incident might be seen merely as another security accident among top projects. However, if placed against the backdrop of major incidents that have occurred in the industry over the past few years, the perspective shifts dramatically.
Several cases lead back to North Korea.
II. The North Korean Hackers' Track Record
In February 2025, the FBI publicly stated that approximately $1.5 billion worth of virtual assets had been stolen from Bybit and attributed the theft to North Korea, as part of what it calls the "TraderTraitor" operation.
At the end of 2025, Chainalysis published annual figures showing that North Korea-linked hackers had stolen at least $2.02 billion in crypto assets during 2025, a 51% increase year-on-year, bringing the cumulative total to at least $6.75 billion. The data also shows a clear pattern: North Korea is attacking less often, but each incident is larger.
North Korea is not a name that surfaced only with Bybit or Drift. It has been active here for years, and its presence in the cryptocurrency industry is intensifying rather than fading.
Looking back further, its record of cryptocurrency theft is well documented.
In 2024, Reuters cited materials from UN sanctions experts stating that the UN had investigated 97 cyberattacks on cryptocurrency companies, allegedly initiated by North Korea between 2017 and 2024, involving a total of approximately $3.6 billion.
South Korean police also stated publicly in November 2024 that a 2019 theft of approximately $42 million in Ethereum was linked to hacker groups associated with North Korea's military intelligence apparatus.
The Drift case adds a detail of its own: with the support of outside security teams, the ongoing investigation has linked this incident, and the October 2024 attack on Radiant Capital, to North Korea.
Viewed together, these are not a handful of unrelated cases but the same actors running a well-rehearsed playbook against different projects, at different times, in different settings.
III. The North Korean Harvesting System
What this article really wants to discuss at this point is not "how much North Korea has stolen recently" but an issue that deserves more attention from industry professionals. Over the past few years, discussion of the cryptocurrency industry has centered on Hong Kong, the United States, and Dubai; on licenses, ETFs, stablecoins, public chains, payments, RWA, and custody. Those are the visible narratives.
The starker reality is that the entity that has persistently, systematically, and in an organized way extracted real money from this industry is North Korea.
When people mention North Korea's presence in the cryptocurrency industry, the first reaction is still the old picture: hacker groups, coin theft, money laundering. Those labels are not wrong, but they now understate what is happening.
What they do is no longer simply "hacking a few projects." It increasingly resembles a complete harvesting system built around the cryptocurrency industry.
First Layer: Large-Scale Coin Theft
Attacking exchanges, cross-chain bridges, wallets, and protocols to extract assets directly. Bybit is the most striking example: at $1.5 billion, it goes beyond what the industry normally means by an "incident."
Chainalysis's 2025 report also noted that North Korea-linked attacks accounted for 76% of all theft from service-based platforms that year, with a few large cases making up the vast majority of losses. They are not thieves who cast a wide net; they are increasingly skilled at concentrating resources, choosing targets, and landing big fish.
Second Layer: Disguised Infiltration
Approaching project teams, cultivating relationships, and posing as ordinary industry participants. The Drift incident is typical. The counterpart was not an unfamiliar account that appeared out of nowhere, but people who had been seen at events, talked with in group chats, and had exchanged a great deal of business detail.
Reuters has also reported that North Korean hackers increasingly infiltrate the cryptocurrency industry through fake job opportunities. Fake recruiters, fake company websites, fake technical tests, fake interview processes: what makes these frightening is not that the tricks are new, but that they are embedded in the industry's genuine workflows.
Third Layer: Remote Insiders
In a case disclosed in June 2025, the U.S. Department of Justice showed that North Korea-linked remote IT workers used stolen or forged identities to obtain remote jobs at more than 100 U.S. companies, supported by a whole chain of fake websites, front companies, relay points for company-issued computers (so-called laptop farms), and money laundering accounts.
FBI wanted notices further indicated that some of these individuals used their remote positions to steal virtual currency worth more than $900,000 from two companies. At this level, the risk is no longer an "external attack"; the attacker is already inside the house. Once someone is in, recruiting, equipment, code repository access, finance procedures, and endpoint management, all previously mundane matters, become the moving parts of a coordinated attack and asset theft.
Fourth Layer: Money Laundering and Realization
The final layer is back-end money laundering and fund processing capability. In 2024, Reuters, citing UN sanctions experts, reported that in March 2024 North Korea processed $147.5 million of assets stolen in earlier cases through a mixing service; the same report noted that UN officials believed these cyberattacks served to raise funds, evade sanctions, and support its weapons programs.
North Korea does not simply "stop after stealing"; it has a complete capability for splitting, rerouting, cleaning, and cashing out assets.
IV. Why the Cryptocurrency Industry?
Many legitimate projects disappear after a single bull-and-bear cycle: teams disband, products stop, coin prices go to zero. North Korea does not. It holds no press conferences, publishes no roadmaps, and tells no brand story, yet it extracts money from this industry every year, and its methods keep maturing.
North Korea will keep its eyes on the cryptocurrency industry for the long term, not out of any great interest in these new concepts, but because the industry is genuinely useful to it.
First, funds are easier to steal. Much of the money in the traditional financial system is out of its reach, or too costly to reach: banks, settlement, cross-border regulation, and sanctions lists each add a barrier. On-chain, once an entry point is found, there is far more room for subsequent splitting, cross-chain transfers, and redistribution. Once stolen assets are on-chain, moving them is a very different proposition from moving them through traditional finance.
Second, organizations are easier to infiltrate. The cryptocurrency industry is inherently global, remote, and loosely structured. People run cooperation, development, financing, operations, integrations, and market-making over chat apps, video calls, code hosting platforms, document tools, and test-build distribution tools. From one angle that is efficiency; from another it is attack surface.
V. Guidelines for Cryptocurrency Practitioners
For many cryptocurrency project teams, this is not distant international political news but one of the most concrete operational risks in the industry today.
1. Employee Recruitment and Remote Management
The U.S. Department of Justice and FBI have already spelled out the risk very concretely: North Korea-linked IT workers use stolen or forged identities to obtain remote positions at U.S. companies, receive company-issued equipment through relay points inside the U.S., and then access the company network remotely. For startup teams in the cryptocurrency industry, any position that touches code repositories, production environments, wallets, deployment pipelines, finance back ends, or identity data can no longer be filled on the strength of a resume and delivered work alone.
At a minimum, three things must be done:
First, identity verification should be cross-checked; a professional networking profile, a video interview, and a passport photo are not enough on their own.
Second, sensitive positions must work from controlled devices; tolerating core business being run from personal computers over the long term is unacceptable.
Third, permissions should default to least privilege, especially for interns, outsourced staff, and contractors; do not hand out broad access up front with the intention of trimming it later.
2. Partner Identity Verification
One of the important lessons of the Drift incident is that having met someone in person, chatted smoothly online, been asked professional questions, or even seen them put in real money is no longer automatic proof of credibility.
A more pragmatic approach is that verification should not stop at business cards, official websites, and social media, but should extend to company registration records, the trail of past projects, the real team members, and feedback from mutual acquaintances. Where necessary, request verifiable institutional documents. The longer the engagement and the deeper the cooperation, the more risk control should be applied, not less.
3. Upgrade Security Audits
Many teams still think of security audits as smart contract audits, wallet management, multisig configuration, and on-chain monitoring. Those are all necessary, but they are no longer sufficient.
Today more attention should go to "human workflows": who can pull external code repositories, who has used multisig-related devices, who can enter production environments, who triggers financial approvals, and whose endpoints touch core permissions. Most teams do not cover these questions systematically.
A practical approach is to audit permissions and endpoints at least quarterly: first list who can sign on the multisig, who can read core code repositories, who can enter production, and who holds financial approval authority, then isolate and check the associated devices for risk. Drift itself made the same point in its updates: evaluate the team, audit who has access to what, and treat every device that has touched the multisig as a potential target.
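The quarterly review described above, together with the "controlled devices" and "least privilege" rules from the recruitment section, can be reduced to a few mechanical checks over three inventories: people, their grants, and their devices. The script below is an added example written for this article; it is not Drift's tooling or any vendor's product, and the roster, grants and devices in it are constructed (the names alice, bob, carol, dave and the device IDs are invented). It builds the "who can access what" matrix and then flags departed staff who still hold access, contractors or interns holding sensitive privileges, unmanaged devices belonging to sensitive-privilege holders, and every device that has touched the multisig.

```python
"""Quarterly access and endpoint review over a constructed team inventory.

Added example for this article (not Drift's or any vendor's code).
All roster, grant and device data below is made up for illustration.
"""
from dataclasses import dataclass

# Privileges the article treats as sensitive: multisig, core repos,
# production, and financial approval.
SENSITIVE = {"multisig_signer", "core_repo", "prod_access", "finance_approver"}
# Roles that should sit behind least privilege by default.
RESTRICTED_ROLES = {"intern", "contractor", "outsourced"}


@dataclass(frozen=True)
class Person:
    name: str
    role: str      # employee / contractor / intern / outsourced
    active: bool   # False once the person has left the team


@dataclass(frozen=True)
class Grant:
    person: str
    privilege: str  # one of the SENSITIVE names, or anything else


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    managed: bool           # enrolled in company device management?
    touched_multisig: bool  # has this endpoint ever been used to sign?


def access_matrix(grants):
    """Step one of the audit: privilege -> sorted list of holders."""
    matrix = {}
    for g in grants:
        matrix.setdefault(g.privilege, set()).add(g.person)
    return {priv: sorted(holders) for priv, holders in matrix.items()}


def review(people, grants, devices):
    """Return sorted (severity, subject, finding) tuples for the review."""
    by_name = {p.name: p for p in people}
    findings = []
    for g in grants:
        p = by_name.get(g.person)
        if p is None:
            # A grant with no matching person in the roster is the
            # "stolen or forged identity" case: nobody owns it.
            findings.append(("high", g.person, f"{g.privilege} held by unknown identity"))
        elif not p.active:
            findings.append(("high", p.name, f"{g.privilege} still active after departure"))
        elif p.role in RESTRICTED_ROLES and g.privilege in SENSITIVE:
            findings.append(("high", p.name, f"{p.role} holds sensitive privilege {g.privilege}"))
    sensitive_holders = {g.person for g in grants if g.privilege in SENSITIVE}
    for d in devices:
        if d.owner in sensitive_holders and not d.managed:
            findings.append(("high", d.device_id, f"unmanaged device of {d.owner} used for sensitive access"))
        if d.touched_multisig:
            # Every device that has touched the multisig is a target to isolate and check.
            findings.append(("review", d.device_id, f"device touched multisig, owner {d.owner}"))
    return sorted(findings)


# Constructed sample inventory (invented names and IDs).
SAMPLE_PEOPLE = [
    Person("alice", "employee", True),
    Person("bob", "contractor", True),
    Person("carol", "employee", False),   # left the team last quarter
]
SAMPLE_GRANTS = [
    Grant("alice", "multisig_signer"), Grant("alice", "core_repo"),
    Grant("bob", "prod_access"), Grant("bob", "core_repo"),
    Grant("carol", "finance_approver"),   # never revoked
    Grant("dave", "prod_access"),         # no such person on the roster
]
SAMPLE_DEVICES = [
    Device("lt-001", "alice", True, True),
    Device("lt-002", "bob", False, False),  # personal laptop, not enrolled
    Device("lt-003", "carol", True, True),  # ex-employee's device signed before
]


def sample_review():
    return review(SAMPLE_PEOPLE, SAMPLE_GRANTS, SAMPLE_DEVICES)


if __name__ == "__main__":
    for priv, holders in sorted(access_matrix(SAMPLE_GRANTS).items()):
        print(f"{priv:17s} {', '.join(holders)}")
    for severity, subject, finding in sample_review():
        print(f"[{severity}] {subject}: {finding}")
```

Against the constructed data the review yields seven findings: the orphaned grant for dave, carol's finance approval surviving her departure, bob's two sensitive grants as a contractor, bob's unmanaged laptop, and both devices that have ever signed for the multisig. In practice the three inventories would be exported from the identity provider, the device-management console and the multisig's signer list rather than typed in, but the checks themselves do not change.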
4. Security Budget as Operational Cost
Small teams are often the first to cut spending on audits, risk management, process design, and endpoint management, seeing them as expensive, slow, and a drag on the business. But North Korea-linked attacks of the past few years show a willingness to invest months of effort and real money for a large payoff. For cryptocurrency practitioners who hold substantial customer assets, that should be a loud wake-up call.
As the cryptocurrency industry has developed to today, people often like to ask one question: What has it ultimately changed?
Some may say it has changed payment; some may say it has changed asset issuance; some may say it has changed the way global capital flows.
But if we bring North Korea into the discussion, we find that it has changed at least one thing: for the first time it has given a country locked out of the traditional financial system a tool that operates over the long term, crosses borders, and continuously extracts funds.
It has simply done so in the most direct and least dignified manner.
Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice for anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes any rights, please send the relevant proof of rights and proof of identity to support@aicoin.com, and the platform's staff will verify it.