The biggest bottleneck in DeFi development.

链捕手
3 hours ago

Author: Chloe, ChainCatcher

Last week, the Solana lending protocol Drift was attacked by hackers, resulting in approximately $285 million in user assets being stolen. According to official statements, this was not a typical smart contract vulnerability attack, but rather a six-month-long, meticulously planned social engineering attack by state-level hackers.

There is even investigative evidence suggesting that the same group of threat actors may have already infiltrated the core development of multiple DeFi protocols, not as attackers, but as contributors.

It is common for North Korean hackers to infiltrate targets early, but rarely do they invest large sums of money

According to the Drift incident declaration, the central strategy of the attackers was to “become part of the ecosystem.”

Starting in the fall of 2025, they posed as a quantitative trading company and began engaging with the core contributors of Drift at major cryptocurrency industry conferences. This engagement was not a one-time occurrence but rather numerous interactions spanning different countries and multiple conferences, deliberately managed over six months. These individuals were technically proficient, with verifiable backgrounds, and had a thorough understanding of how Drift operated.

Moreover, they did not limit themselves to communicating solely with Drift's core members. The team also exploited the open mechanism of the Drift Ecosystem Vault, successfully listing their own vault as a legitimate trading company, depositing over $1 million of their own funds, participating in multiple working meetings, and asking in-depth product questions, thereby solidifying trust with the project team.

Blockchain technology expert Steven stated in an interview with ChainCatcher: “North Korean hackers often infiltrate targets early, which is a common practice, but investing large amounts of money as a basis of trust is rare. However, for the attackers, this $1 million is essentially a risk-free investment; as long as no attack is initiated, this money simply exists as normal funds in the vault and can be withdrawn at any time. Additionally, the actual operations are carried out by unaware third-party recruits, resulting in almost no economic loss to the organization itself.”

Furthermore, during their long-term collaboration with Drift, the team shared code projects and applications hosted on GitHub under the pretense of demonstrating their own development tools. Given the circumstances at the time, it was completely normal for collaborating parties to review each other's code. However, Drift's subsequent investigation found that a GitHub project cloned by one contributor contained malicious code, while another contributor was tricked into downloading a TestFlight application disguised as a wallet product.

This pathway through code projects is so hard to guard against because it sits squarely inside the developers' everyday workflow. Developers write code in editors such as VSCode or Cursor and open them every day, much as other professionals open Word.

By the end of 2025 the security research community had disclosed a critical vulnerability in these editors: when a developer opened a code project shared by someone else, malicious instructions hidden in the project would execute automatically in the background, and the whole process was completely silent, with no confirmation dialog, no click to agree, and no warning. Developers believed they were just “viewing the code,” but their machine had already been implanted with a backdoor. The attackers used this vulnerability to slip malware into the developers' daily routine.
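Added example, not part of the article or of any code Drift or the attackers used: a pre-open triage script that lists the editor configuration a freshly cloned repository ships, so it can be reviewed from a shell before anyone opens the folder in VS Code or Cursor. It relies on one real VS Code task setting (a task in `.vscode/tasks.json` with `runOptions.runOn` set to `folderOpen` runs when the folder opens); the remaining heuristics, the file list and the function names are this example's own assumptions.

```python
"""Pre-open triage of a repository received from a third party (added example).

Lists the editor configuration the workspace itself ships so it can be
reviewed before the folder is opened in VS Code or Cursor.  A task in
.vscode/tasks.json whose runOptions.runOn is "folderOpen" is run by the
editor when the folder opens (a real VS Code task setting); the other
heuristics and the function names are this example's own.
"""
import json
import re
import sys
from pathlib import Path

# Workspace files that can change editor behaviour and deserve a human look.
REVIEW_FILES = (".vscode/settings.json", ".vscode/launch.json", ".vscode/extensions.json")


def load_jsonc(path: Path) -> dict:
    """Parse JSON with the comment lines and trailing commas VS Code allows."""
    text = path.read_text(encoding="utf-8", errors="replace")
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)        # block comments
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)         # whole-line // comments
    text = re.sub(r",\s*([}\]])", r"\1", text)                # trailing commas
    return json.loads(text)


def scan_repo(repo: str) -> list[str]:
    """Return one finding per auto-run task and per shipped editor config file."""
    root = Path(repo)
    findings: list[str] = []
    tasks_file = root / ".vscode" / "tasks.json"
    if tasks_file.is_file():
        try:
            tasks = load_jsonc(tasks_file).get("tasks", [])
        except (json.JSONDecodeError, AttributeError):
            findings.append("tasks.json: not parseable, inspect by hand before opening")
            tasks = []
        for task in tasks:
            if not isinstance(task, dict):
                continue
            run_opts = task.get("runOptions")
            if isinstance(run_opts, dict) and run_opts.get("runOn") == "folderOpen":
                cmd = task.get("command", "<no command>")
                findings.append(f"tasks.json: task {task.get('label')!r} runs on folderOpen: {cmd}")
    for rel in REVIEW_FILES:
        if (root / rel).is_file():
            findings.append(f"{rel}: editor settings shipped with the repo, review before opening")
    return findings


if __name__ == "__main__":
    for line in scan_repo(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(line)
```

VS Code's Workspace Trust (Restricted Mode) is the built-in control that keeps such tasks from running for folders you have not trusted; the script is a complement that runs before the editor ever sees the repository.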

By the time the Drift attack occurred on April 1, all Telegram chat records of the attacker group and all traces of the malware had been thoroughly erased, leaving a $285 million hole.

Could Drift be just the tip of the iceberg?

According to an investigation by the emergency security response organization SEAL 911, this attack is attributed to the same group of threat actors responsible for the October 2024 Radiant Capital hacking incident. The links rest on on-chain fund flows (funds used to prepare and test this operation trace back to the Radiant attackers) and on operational patterns (the personas deployed in this operation overlap identifiably with known North Korean activity). Mandiant (now part of Google), the well-known security forensics firm hired by Drift, previously attributed the Radiant incident to the North Korean state-linked group UNC4736, but Mandiant has not yet officially attributed the Drift incident, and a full forensic analysis of the devices is still ongoing.

Interestingly, the individuals personally attending the meetings were not North Korean nationals. Steven stated: “North Korean hackers should not be viewed as a typical hacking organization, but rather as an intelligence agency; they are a large organization with thousands of members and clearly defined roles. Among them, the group known in the international security community as Lazarus is officially tracked as APT38, and another affiliated organization, Kimsuky, as APT43.”

This explains why they can deploy real people offline. They establish companies overseas under various names, recruiting local personnel who may not even know who they are working for. “They might think they’ve joined a legitimate remote work company, and after a year, are sent to meet a client, with everything appearing normal, but behind it lies a hacking organization. When the judiciary comes to investigate, that person knows nothing.”

Now, Drift may just be the tip of the iceberg.

If the Drift incident reveals a single protocol's vulnerability, the subsequent investigations point to a larger issue: the same methods may have been operating throughout the entire DeFi ecosystem for years.

According to blockchain researcher Tayvano's investigation, since the rapid expansion of DeFi in 2020, code contributions associated with North Korean IT workers have spread across several well-known projects, including SushiSwap, THORChain, Harmony, Ankr, and Yearn Finance.

These personnel employ tactics similar to those in the Drift incident: using false identities to obtain development roles through freelancing platforms and direct contact, entering Discord channels, developer communities, and even attending developer conferences. Once inside the project, they contribute code, participate in development cycles, establish trust with teams, until they grasp the entire protocol architecture and seize opportunities to act.

Steven believes that in traditional intelligence agencies, they can even remain undercover for a lifetime, with subsequent generations continuing the tasks left unfinished by the previous ones. Web3 projects are of shorter duration, yield high returns, and the nature of remote work allows one person to hold multiple roles across projects, which is actually quite common in the Web3 industry and rarely raises suspicion.

“The North Korean hacker organization targets all Web3 projects, meticulously screening each one and gathering information on team members. They know more about the project than the project team itself.” Steven said. The reason Web3 has become a primary target is due to its substantial capital, lack of unified global regulation, and the prevalent nature of remote work causing the true identities of collaborators and employees to often be unverifiable. Furthermore, the relatively young age and lack of life experience among practitioners provide an ideal infiltration environment for North Korean intelligence agencies.

Hacker incidents are commonplace; can project teams only sit and wait?

Looking back at major incidents in recent years, social engineering has always been a core tactic of North Korean hacker groups. Recently, Binance founder CZ published his memoir “Binance Life,” which recounts the incident in May 2019 when Binance was hacked for 7,000 bitcoins. According to CZ, the hackers first infiltrated the laptops of several employees through advanced viruses, then planted malicious instructions at the last step of the withdrawal process, stealing all 7,000 bitcoins from the hot wallet at 1 a.m. (then valued at about $40 million). CZ wrote that, based on the attack method, the hackers had likely been lurking within Binance's network for some time and highly suspected it was the work of North Korea's Lazarus, and they might have even bribed internal staff.

The 2022 Ronin Network incident is another classic case. Ronin is the sidechain behind the popular blockchain game Axie Infinity, responsible for handling all cross-chain transfers of in-game assets, with a massive amount of locked-up funds at the time. The attack originated when a developer received a high-paying job invitation that appeared to be from a well-known company. During the interview process, they downloaded a file containing malicious programs, allowing the attacker to gain internal system access and ultimately steal $625 million.

The method employed in the 2023 CoinsPaid incident was almost identical. CoinsPaid is a service provider that processes cryptocurrency payments; the attackers approached employees using a fabricated recruitment process, luring them into installing malware before breaching the system. More recent hacker tactics have become even more varied: forged video calls, hacked social accounts, and malicious programs disguised as conferencing software.

Victims receive seemingly normal Calendly meeting links, which lead them to install forged meeting applications, with the malware thereby stealing wallets, passwords, recovery phrases, and communication records. It is estimated that, using such tactics, North Korean hacker groups have stolen over $300 million.

At the same time, the final destination of the stolen funds is also worth noting. Steven stated that the stolen funds ultimately flow under the control of the North Korean government. Money laundering is executed by a specialized team within the organization, which opens mixers and creates accounts with fake identities across numerous exchanges, following a complete and complex process: the funds are laundered through mixers immediately after being stolen, exchanged for privacy coins, and then transferred across different DeFi projects, repeatedly circulating between exchanges and DeFi.

“The entire process is typically completed within 30 days, and the final funds end up in casinos in Southeast Asia, small exchanges that do not require KYC verification, and OTC service providers in Hong Kong and Southeast Asia, where they are then cashed out.”

So, in the face of this new threat model, where the opponents are not just attackers but also participants, how should the cryptocurrency industry respond?

Steven believes that project teams managing large sums of funds should employ professional security teams, establish dedicated security positions within their teams, and require all core members to adhere strictly to security discipline. It is especially important that development devices and the devices used for financial signing are strictly physically isolated. He specifically mentioned that a key issue in the Drift incident was the cancellation of the time-lock buffer mechanism, “which should never be canceled at any time.”

However, he also acknowledged that if North Korean intelligence agencies really want to infiltrate deeply, it is difficult to identify them completely even with strict background checks. Bringing in security teams nonetheless remains crucial. He suggests that project teams introduce blue teams (the defensive side in cyber offense-defense exercises), since blue teams not only help harden devices and behavior but also continuously monitor key nodes to spot anomalies promptly and react to attacks. “Relying solely on a project team's own security capabilities is insufficient to withstand this level of attack.”

He also added that North Korea's cyber warfare capabilities rank among the top five in the world, right after the United States, Russia, China, and Israel. Facing such a level of opponent, simple code audits are far from enough.

Conclusion

The Drift incident demonstrates that the greatest threats facing DeFi today are not only market fluctuations and liquidity issues but also non-code vulnerabilities that demand vigilance: spies may be lurking right among us.

When attackers are willing to spend six months and invest a million dollars to cultivate a relationship, traditional code auditing and security defenses are simply inadequate. Furthermore, current investigations suggest that this method may have been operating in multiple projects for years without detection.

Whether DeFi can maintain decentralization and openness is no longer the core issue; the real question is: can it fend off those well-packaged opponents while remaining open?
