North Korean State Hackers Intensify Attacks on Crypto Industry, CrowdStrike Reports
Key Takeaways
- The Ethereum Foundation identified 100 DPRK-backed hackers who infiltrated crypto projects in April 2025, highlighting widespread state-sponsored targeting of the blockchain industry.
- Drift Protocol suffered $280 million in losses after DPRK-affiliated hackers met the team at a major crypto conference and built trust over six months before deploying malware.
- North Korean threat actors use third-party intermediaries rather than actual North Korean nationals to conduct face-to-face relationship-building with crypto companies.
- Blockchain investigator ZachXBT documented North Korean IT workers earning $1 million per month while embedded at technology companies.
- The incidents demonstrate an evolution in state-sponsored attacks combining social engineering, in-person meetings, and long-term infiltration strategies against cryptocurrency firms.
Rising Threat from DPRK-Affiliated Cybercriminals
State-sponsored hacking groups from North Korea are escalating their operations against cryptocurrency users and blockchain companies, according to a new report from CrowdStrike. These threat actors employ sophisticated cybersecurity attacks and social engineering tactics designed to steal digital assets and compromise sensitive industry information.
The findings underscore an evolving threat landscape where nation-state actors increasingly target the crypto sector through both remote infiltration and in-person relationship-building strategies.
Ethereum Foundation Identifies 100 DPRK Hackers
In April, the Ethereum Foundation, the organization responsible for overseeing development of the Ethereum ecosystem, identified 100 DPRK-backed hackers and threat actors who had successfully infiltrated various cryptocurrency projects. This discovery highlighted the scale and scope of North Korean state-sponsored operations within the blockchain industry.
While most of these threat actors operate as remote hires embedded within crypto companies, recent incidents demonstrate that some attackers are willing to establish face-to-face relationships to gain deeper access to their targets.
Drift Protocol Breach Results in $280 Million Loss
The Drift Protocol, a decentralized cryptocurrency exchange, fell victim to a sophisticated infiltration by DPRK-affiliated technology workers in April 2025. Unlike typical remote attacks, this breach involved threat actors who physically met with the Drift Protocol development team.
According to Drift Protocol's disclosure, the team first encountered the threat actors at a "major" cryptocurrency industry conference. Over the following six months, the attackers cultivated a working relationship with the development team, gaining trust and access to critical systems.
During this collaboration period, the hackers deployed malware that compromised Drift Protocol developer machines, ultimately resulting in $280 million in losses.
DPRK Operatives Use Third-Party Intermediaries
The Drift Protocol team emphasized an important detail about the attack: "It is important to note that the individuals who appeared in person were not North Korean nationals." Instead, the perpetrators utilized intermediaries to conduct face-to-face interactions.
"DPRK threat actors operating at this level are known to deploy third-party intermediaries to conduct face-to-face relationship-building," the Drift team explained in their post-incident analysis.
This tactic represents a sophisticated evolution in state-sponsored hacking operations, combining traditional social engineering with the use of proxy agents to avoid detection and establish legitimacy within the crypto community.
North Korean IT Workers Earning $1 Million Monthly
Also in April, blockchain investigator ZachXBT documented evidence of North Korean information technology workers who were collectively earning $1 million per month while employed at various technology companies. This revelation highlights how DPRK operatives successfully embed themselves within legitimate businesses to generate revenue for the regime.
These developments follow recent U.S. legal actions against "laptop farmers" connected to North Korean IT worker schemes, demonstrating increased government attention to this growing threat vector.
Implications for Crypto Security
The CrowdStrike report and recent incidents underscore the need for enhanced security protocols across the cryptocurrency industry. Companies must implement rigorous vetting procedures for both remote and in-person hires, while remaining vigilant about the possibility of long-term social engineering campaigns designed to establish trust before executing attacks.
As state-sponsored threats continue to evolve, the crypto sector faces mounting pressure to develop more sophisticated defense mechanisms against well-funded, patient adversaries willing to invest months in relationship-building before striking.
DISCLAIMER
This article is for informational purposes only and does not constitute financial advice. Cryptocurrency investments involve substantial risk and extreme volatility - never invest money you cannot afford to lose completely. The author may hold positions in the cryptocurrencies mentioned, which could bias the presented information. Always conduct your own research and consider consulting a qualified financial advisor before making any investment decisions.
About Arnas Bach
Blockchain Researcher & Developer | 8+ Years Crypto Market Experience
Seasoned cryptocurrency researcher and blockchain developer with deep expertise in protocol analysis, smart contract development, and market insights since 2017. Specializes in emerging blockchain technologies, DeFi ecosystems, and cryptocurrency market trends. Combines technical development skills with comprehensive market research to deliver actionable insights for the digital asset space.
