North Korean cyber spies are not the only remote threat
This month's $285 million exploit of Drift, a decentralized exchange (DEX), was the biggest crypto hack in more than a year, since the attack in which exchange Bybit lost $1.4 billion. North Korean state-sponsored hackers have been named as prime suspects in both attacks.
Last fall, attackers posing as a digital trading firm approached the Drift Protocol team in person at a major crypto conference, Drift said in an X post on Sunday.
“Now understood to be a targeted approach, individuals in this group continued to physically seek out and engage specific Drift contributors at several major industry conferences in multiple countries over the next six months,” the DEX said.
Until now, North Korean cyber spies have targeted crypto companies online, through virtual calls and remote operations. An in-person approach at a conference would not normally raise suspicion, but the Drift exploit should be reason enough for attendees to reassess their interactions at recent events.
North Korea Expands Crypto Playbook Beyond Hacks
Blockchain forensics firm TRM Labs described the incident as the biggest DeFi hack of 2026 (so far) and the second-biggest exploit in Solana history, behind the $326 million Wormhole bridge hack in 2022.
The first contact was six months ago, but the exploitation did not begin until mid-March, according to TRM. The attacker began by transferring funds from Tornado Cash and deploying the Carbon Vote Token (CVT), and used social engineering to convince multisig signers to approve transactions with elevated permissions.
They then built credibility for CVT by setting up a large supply and increasing marketing activity to feign genuine demand. Drift's oracles picked this up and treated the token as a legitimate asset.
When the pre-approved transactions were executed on April 1, CVT was accepted as collateral, withdrawal limits were increased and funds were taken out in real assets, including USDC.

According to TRM, the speed and ferocity of the subsequent laundering was greater than that seen in the Bybit hack.
North Korea is widely believed to combine large-scale crypto thefts, such as the Drift and Bybit attacks, with long-term tactics. The United Nations Security Council said such funds would be used to support the country's weapons program.
Security researcher Taylor Monahan said that infiltration of DeFi protocols began during the “winter of DeFi,” adding that about 40 protocols were linked to suspected DPRK operators.
North Korean state media reported Thursday that the country had tested an electromagnetic device and a short-range ballistic missile known as the Hwasong-11 equipped with cluster warheads.

A hacked network fuels steady crypto income
A separate investigation revealed how a network of IT workers linked to North Korea generated millions through long-term hacking.
Information from an anonymous source, shared by ZachXBT, revealed that the network, whose members pose as developers and embed themselves in crypto and tech firms, earns close to $1 million per month and more than $3.5 million as of November.
The group obtained jobs using fake identities, routed payments through a shared system, then converted the funds into fiat and sent them to Chinese bank accounts through platforms such as Payoneer.

The operation relies on basic infrastructure, including a shared website with a shared password and an internal leaderboard to track revenue.
The agents pointed to a long-term strategy of engaging operators to generate steady income, using VPNs and creative documents for a role in Open View.
Defenses improve as intrusion methods expand
Cointelegraph spent months with a suspect in the investigation led by Heiner García in 2025.
Cointelegraph later participated with García in a mock interview with a suspect who goes by the name “Motoki” and claims to be Japanese. The suspect got angry, failed to introduce himself in his supposed native language and ended the call.
According to the investigation, the operators bypassed geographic restrictions by using remote access to devices physically located in countries such as the US. Instead of using a VPN, they operate those machines directly, making their activity look local.
Today, tech headhunters are realizing that the person on the other end of a virtual job interview may actually be a North Korean cyber spy. One countermeasure is to ask suspects to insult Kim Jong Un. So far, the strategy has been effective.

But North Korean actors continue to adapt in this cat-and-mouse dynamic: the Drift approach became physical, and García's findings suggest that operators find creative ways to bypass geographic restrictions.
Asking interviewees to refer to North Korea's top leader as a “fat pig” is an effective strategy for the time being, but security researchers warn that it won't work forever.



