This month’s $285 million exploit on Drift, a decentralized exchange (DEX), was the largest crypto hack in over a year, when exchange Bybit lost $1.4 billion. North Korean state-backed hackers were named as prime suspects in both attacks.
This past autumn, attackers posed as a quantitative trading firm and approached Drift’s protocol team in person at a major crypto conference, said Drift in an X post Sunday.
“It is now understood that this appears to be a targeted approach, where individuals from this group continued to deliberately seek out and engage specific Drift contributors, in person, at multiple major industry conferences in multiple countries over the following six months,” said the DEX.
Until now, North Korean cyber spies have targeted crypto firms online, through virtual calls and remote work. An in-person approach at a conference would not typically raise suspicion, but the Drift exploit should be enough for attendees to review connections made at recent events.
North Korea expands crypto playbook beyond hacks
Blockchain forensics firm TRM Labs described the incident as the largest DeFi hack of 2026 (so far) and the second-largest exploit in Solana’s history, just behind the $326 million Wormhole bridge hack in 2022.
The initial contact dates back about six months, but the exploit itself traces to mid-March, according to TRM. The attacker began by moving funds from Tornado Cash and deploying the CarbonVote Token (CVT), while using social engineering to persuade multisig signers to approve transactions that granted elevated permissions.
They then manufactured credibility for CVT by minting a large supply and inflating trading activity to simulate real demand. Drift’s oracles picked up the signal and treated the token as a legitimate asset.
When the pre-approved transactions were executed on April 1, CVT was accepted as collateral, withdrawal limits were increased and funds were withdrawn in real assets, including USDC.
Related: North Korean spy slips up, reveals ties in fake job interview
According to TRM, the speed and aggressiveness of the subsequent laundering exceeded that seen in the Bybit hack.
North Korea is widely believed to be using large-scale crypto thefts such as the Drift and Bybit attacks alongside longer-term tactics, including placing operatives in remote roles at tech and crypto firms to generate steady income. The United Nations Security Council has said such funds are used to support the country’s weapons program.
Security researcher Taylor Monahan said infiltration of DeFi protocols dates back to “DeFi summer,” adding that around 40 protocols have had contact with suspected DPRK operatives.
North Korean state media reported Thursday that the country tested an electromagnetic weapon and a short-range ballistic missile, known as the Hwasong-11, fitted with cluster munition warheads.
Infiltration network fuels steady crypto revenue
A separate investigation revealed how a network of North Korea-linked IT workers generated millions through prolonged infiltration.
Data obtained from an anonymous source shared by ZachXBT showed the network posing as developers and embedding themselves across crypto and tech firms, generating roughly $1 million a month and more than $3.5 million since November.
The group secured jobs using falsified identities, routed payments through a shared system, then converted funds to fiat and sent them to Chinese bank accounts via platforms such as Payoneer.
Related: Are you a freelancer? North Korean spies may be using you
The operation relied on basic infrastructure, including a shared website with a common password and internal leaderboards tracking earnings.
The agents applied for roles in plain sight using VPNs and fabricated documents, pointing to a longer-term strategy of embedding operatives to extract steady revenue.
Defenses evolve as infiltration tactics spread
Cointelegraph encountered a similar scheme in a 2025 investigation led by Heiner García, who spent months in contact with a suspected operative.
Cointelegraph later took part in García’s dummy interview with a suspect who went by “Motoki,” who claimed to be Japanese. The suspect rage quit the call after failing to introduce himself in his supposed native dialect.
The investigation found operatives bypassed geographic restrictions by using remote access to devices physically located in countries such as the US. Instead of VPNs, they operated those machines directly, making their activity appear local.
By now, tech headhunters have realized that the person at the other end of a virtual job interview may indeed be a North Korean cyber spy. A viral defence strategy is to ask suspects to insult Kim Jong Un. So far, the tactic has been effective.
However, as Drift was approached in person and García’s findings showed operatives finding creative methods to bypass geographic restrictions, North Korean actors have continued to adapt to the cat-and-mouse dynamic.
Requesting interviewees to call North Korea’s supreme leader a “fat pig” is an effective strategy for the time being, but security researchers warn that this won’t work forever.
