April 12, 2026 ChainGPT

North Korea's Six-Month Drift Heist Reveals State-Level Crypto Theft Playbook

North Korea’s recent six-month infiltration of Drift stunned an already bruised crypto sector — not just because of the scale, but because it exposed a disturbing pattern: Pyongyang keeps returning to crypto, openly stealing billions, and it does so in a way that looks nothing like other state-backed cyber campaigns.

Why crypto? Security experts say the explanation is simple and brutal: cash. Under crushing international sanctions, the regime has few legitimate export revenues left. Crypto provides rapid, global liquidity that doesn’t require willing trading partners or conventional markets. Dave Schwed, COO of SVRN, notes that North Korea “doesn’t have the luxury of patience” — and that UN and intelligence agencies have tied crypto theft directly to funding of the country’s nuclear and ballistic missile programs.

That need for immediate hard currency explains why North Korea treats crypto as a target, not merely a payment rail. Contrast this with Russia and Iran: those states still have commodities and trade relationships they can route through crypto to skirt sanctions. North Korea’s economy, by contrast, is largely cut off, so its operators focus on stealing crypto assets themselves.

The operational differences are stark. Rather than hacking for espionage or political disruption, North Korean units run what look like state-sponsored heists. Their targets: exchanges, custodial wallet providers, DeFi protocols, and the individual engineers or founders who control signing keys and infrastructure access. As Alexander Urbelis, CISO at ENS Labs, puts it, “the victim is whoever holds the keys.”

Their tradecraft borrows from intelligence services more than garden-variety cybercrime. Investigations into the Drift compromise show months-long relationship-building, fabricated identities, and supply-chain infiltration designed to get one specific person or system to grant access. “You’re not defending against a random phishing email,” Urbelis says. “You’re defending against someone who spent half a year cultivating a relationship to compromise a single access point.”

Crypto’s technical and institutional features make it especially attractive. Unlike traditional banking, where compliance checks, settlement windows, correspondent banks and reversal mechanisms can stall and sometimes recover illicit transfers (see the Bangladesh Bank attempt in 2016), public blockchains finalize transactions: once signed and confirmed, they’re irreversible. That allows stolen funds to be moved at blistering speed — analysts note the Bybit exploit last year shifted roughly $1.5 billion in about 30 minutes — a tempo nearly impossible in legacy finance.

That finality reshapes defenses. In banking, detection and response can still stop or unwind a theft. In crypto, the window to act is tiny, so prevention becomes the only realistic option. Yet many projects still prioritize speed and innovation over governance, leaving gaps in controls and vetting that well-resourced actors can exploit.

The industry’s hardest unsolved problem, according to Urbelis, is operational security against sophisticated fake identities and third-party intermediaries. Even highly capable teams can be vulnerable to months-long social engineering and supply-chain attacks — and the current tooling, processes and governance aren’t keeping pace.

The takeaway for the crypto sector is clear: attackers that treat blockchains as targets rather than rails will keep coming, and the only durable defense is rigorous prevention — better identity and third-party vetting, tighter custody controls, mature governance and threat-hunting that assumes adversaries will invest months to breach a single access point. As the Drift case shows, the threat is state-level, well-funded, and unapologetically focused on converting digital keys to hard currency. The industry needs to act like that is the new normal.