April 12, 2026 ChainGPT

North Korea’s Intelligence‑Style Crypto Heists: Months‑Long Attacks to Steal Hard Currency

Why North Korea keeps coming back to crypto — and why its hacks look different from other state-backed attacks

North Korea’s six‑month infiltration of Drift shook an industry still recovering from billion‑dollar exploits. But beyond the immediate fallout, security experts say a larger pattern is emerging: the regime repeatedly targets crypto not as a side gig, but as a direct, high‑value revenue stream.

Why crypto? Because North Korea needs liquid hard currency fast. “North Korea doesn't have the luxury of patience,” says Dave Schwed, COO at SVRN and founder of the cybersecurity masters program at Yeshiva University. Under sweeping international sanctions, the regime lacks normal export revenue and — according to the UN and multiple intelligence agencies — has turned crypto theft into a primary funding mechanism for its nuclear and missile programs. Unlike other sanctioned states, Pyongyang can’t rely on commodity exports or willing trading partners; it needs cash it can move globally without intermediaries.

That explains a striking distinction in state‑backed cyber operations: for Russia and Iran, crypto often functions as a payments rail — useful for moving money or supporting proxies — but it’s incidental to broader geopolitical goals. North Korea treats crypto as the target itself. “Their targets are exchanges, wallet providers, DeFi protocols and the individual engineers and founders who have signing authority,” says Alexander Urbelis, CISO at ENS Labs and a King’s College London cybersecurity professor. “The victim is whoever holds the keys.”

This focus changes how the attackers operate. North Korean campaigns increasingly resemble classic intelligence tradecraft: months of relationship building, forged identities, and supply‑chain infiltration designed to compromise a single person or system with key access. The Drift operation, which took roughly half a year to execute, is the latest example.
“You're not defending against a phishing email from a random scammer,” Urbelis says. “You're defending against someone who spent six months building a relationship specifically to compromise one person.”

Crypto’s technical properties make it an especially attractive pickpocketing ground. Unlike centralized banking — where transfers can be delayed, blocked, reversed, or traced through correspondent banks and compliance checks — blockchain transactions are final once signed and confirmed. That finality lets nimble, well‑prepared attackers move large sums quickly: the article points to an exploit that shifted $1.5 billion in roughly 30 minutes as an example of how fast laundering can happen on‑chain. By contrast, the 2016 Bangladesh Bank robbery illustrates the opposite dynamic: traditional banking frictions bought time for recovery and blocking of stolen funds.

Compounding the technical advantage is a governance gap across many crypto projects. Where banks operate under long‑standing regulatory controls and audit regimes, numerous crypto teams still prioritize speed and product innovation over mature governance and operational security. That creates openings even for sophisticated defenders, especially against long‑term infiltration and convincing fake identities. “This is the hardest operational security problem in crypto right now,” Urbelis warns. “I don't think the industry has solved it.”

The takeaway for the sector is stark: while other states use crypto as a tool, North Korea treats it as a cash cow — and their patient, intelligence‑style methods exploit crypto’s finality and governance weaknesses. Addressing that threat will require stronger identity vetting, tighter supply‑chain security, and defensive strategies that assume attackers can — and will — invest months to compromise a single critical target.