Earn up to 50% APR
Boost earnings with NFTs
Play, HODL & earn more
North Korean Hackers Are Now Meeting Crypto Developers at Conferences. The Drift Protocol Case Shows How
-
The most alarming evolution documented in the North Korean crypto threat landscape is the shift from purely remote operations to physical infiltration — and the Drift Protocol case provides the most detailed public account of how that works in practice. In April 2025, DPRK-affiliated technology workers met the Drift Protocol development team at a "major" cryptocurrency industry conference and spent six months building a genuine working relationship with the team before deploying the malware that caused $280 million in losses. The Drift team's disclosure contained a detail that should reshape how every crypto project thinks about new hires and conference relationships: "The individuals who appeared in person were not North Korean nationals." DPRK threat actors operating at this level use third-party intermediaries for face-to-face relationship building — people who are not themselves North Korean but are working on behalf of North Korean intelligence operations — making nationality-based screening useless as a defense mechanism.
The Ethereum Foundation's April identification of 100 DPRK-backed hackers and threat actors who had infiltrated crypto projects confirms that the Drift case was not an isolated incident but a documented operational pattern.The same month, onchain investigator ZachXBT documented a separate group of North Korean IT workers generating $1 million per month working at technology companies under false identities — a parallel revenue stream that combines legitimate employment income with insider access to company systems and credentials. The combination of remote IT worker infiltration, conference-based relationship building using intermediaries, and technical exploitation of the resulting trusted access represents a multi-layered attack strategy that no single security measure can address. Physical presence at a conference with a credible colleague, six months of professional relationship, and technical competence that passes hiring screening are exactly the trust signals that security culture is designed to respond to positively — which is what makes this attack vector so effective and so difficult to defend against.
-
100 DPRK-backed actors identified in crypto projects confirming Drift was documented pattern not isolated incident
-
$1M monthly from fake IT workers
