North Korea's Persistent Crypto Heists: A Closer Look at Motives and Methods

Over six months, North Korea executed a sophisticated infiltration of Drift, unsettling an already beleaguered cryptocurrency sector. This incident prompts deeper questions about the regime’s persistent return to crypto heists and its unique approach compared to other state-backed cyber operations globally.

Security experts suggest that cryptocurrencies provide a crucial revenue stream for the regime, especially under stringent international sanctions. Dave Schwed, COO at SVRN and founder of Yeshiva University’s cybersecurity program, highlights the urgency: “North Korea is under comprehensive international sanctions and needs hard currency to support its weapons programs.” Intelligence agencies have verified that crypto theft is central to funding their nuclear and ballistic missile projects.

This urgency explains why North Korean hackers opt for large-scale heists on public blockchains. Unlike other state actors, who use cryptocurrencies discreetly, North Korea attacks directly because its limited economic resources leave it few alternatives. Schwed notes, “North Korea has almost nothing left to sell. Their exports are largely sanctioned.” As a result, the regime relies on crypto theft for immediate access to liquid value without needing business partners.

This approach distinguishes North Korea from countries like Russia and Iran, which use cryptocurrency as infrastructure or for indirect funding of geopolitical goals. Alexander Urbelis, CISO at ENS Labs and cybersecurity professor at King’s College London, explains that “North Korean hackers target exchanges, wallet providers, DeFi protocols, and individuals with key access.” This focus contrasts with Russia’s targeting of elections and Iran’s attacks on dissidents.

The Drift campaign exemplifies North Korea’s advanced tactics, which include relationship building and supply chain infiltration, more akin to intelligence agencies than traditional cybercriminals. Urbelis emphasizes the complexity: “You’re defending against a six-month-long orchestrated effort to compromise one person with crucial access.”

Crypto’s architecture makes it an attractive target due to its lack of friction compared to traditional finance. Unlike banking systems that have compliance checks and reversals, crypto transactions are irreversible once confirmed. The Bybit exploit demonstrated this, moving $1.5 billion in 30 minutes—a feat nearly impossible in conventional banks.

This finality shifts the security focus entirely towards prevention, as response windows in crypto are minimal. Additionally, many crypto projects lack regulatory oversight compared to traditional banks, leading to vulnerabilities that sophisticated attackers can exploit through long-term infiltration tactics.

Urbelis describes the resulting operational security challenge as significant: “Vetting against advanced fake identities and intermediaries remains unsolved.” This gap underscores the need for improved security measures within the cryptocurrency industry.