Why North Korea is hacking crypto instead of evading sanctions like Russia and Iran

North Korea’s six-month Drift infiltration campaign has shaken a crypto industry already reeling from exploits worth billions of dollars.

But as the news set in, a bigger question arose: Why does North Korea keep returning to crypto, and why does its approach seem so different from every other state-backed hacking operation on the planet?

The short answer, according to security experts, is that crypto theft is a direct source of revenue for the regime, and one of the few it has left.

“North Korea does not have the luxury of patience,” said Dave Schwed, SVRN’s director of operations and founder of Yeshiva University’s cybersecurity master’s program. “They are subject to comprehensive international sanctions and require hard currency to finance their weapons programs. The UN and several intelligence agencies have confirmed that cryptocurrency theft is the primary mechanism for financing their nuclear and ballistic missile development.”

This urgency explains a dynamic that has long intrigued investigators: why North Korean hackers carry out large-scale, traceable thefts on public blockchains instead of discreetly using crypto to evade sanctions, as other state actors do.

According to Schwed, the answer is structural. Russia still has an economy: oil, gas, exports of raw materials and trading partners ready to use workarounds. It needs crypto as payment, but not for much else. Iran also has goods to move: sanctioned oil, proxy financing networks, willing intermediaries throughout the Middle East. North Korea has almost nothing left to sell.

“Their exports are almost completely sanctioned. They don’t have a functioning economy that needs a payment system. They need direct revenue,” Schwed said. “Crypto theft gives them immediate access to liquid value, on a global scale, without the need for a counterparty willing to do business with them.”

This distinction – crypto as infrastructure versus crypto as target – is what separates North Korea not only from Russia, but also from Iran. While Russia routes money through crypto to circumvent sanctions and Iran uses it to fund proxy networks across the Middle East, North Korea is running something closer to a state-sponsored heist operation.

“Their targets are exchanges, wallet providers, DeFi protocols and individual engineers and founders who have signing authority or access to infrastructure,” said Alexander Urbelis, head of information security at ENS Labs and professor of cybersecurity at King’s College London. “The victim is the one who holds the keys or access to the infrastructure that holds the keys.”

Russia and Iran, in comparison, view crypto as incidental, a means to achieve broader geopolitical goals.

“Russia targets elections, energy infrastructure and government systems. Iran targets dissidents and regional adversaries,” Urbelis said. “When anyone touches crypto, it’s to move money, not to steal it from the ecosystem.”

This singular focus has pushed North Korean agents to adopt tactics more commonly associated with intelligence agencies than criminal hackers: building relationships over months, fabricated identities, and supply chain infiltration.

The Drift campaign is just the most recent example.

“You don’t defend yourself against a phishing email from a random scammer,” Urbelis said. “You’re defending yourself against someone who spent six months building a relationship specifically to compromise a person who has access that you need to protect.”

Crypto’s architecture makes it a particularly attractive hunting ground. In traditional finance, even successful hacks face friction in the form of compliance checks, correspondent-bank screening, settlement delays and the ability to reverse fraudulent transfers. When North Korean hackers carried out the Bangladesh Bank heist in 2016, the transfers took several days to process and most of the targeted funds were eventually blocked or recovered. In crypto, none of these safeguards exist at the protocol level.

“Once a transaction is signed and confirmed, it is final,” Urbelis said. The Bybit exploit from early last year moved $1.5 billion in about 30 minutes, a pace and scale that would be nearly impossible in the traditional banking system.

This finality fundamentally changes the security calculation. In banking, a reasonable defense can be built on prevention, detection and response, because there is always a window in which to freeze funds or cancel a transfer. In crypto, that window barely exists, meaning that stopping an attack before it happens isn’t just preferable; it is essentially the only option.

And while banks operate under decades of regulatory guidelines and auditing requirements, many crypto projects are still improvising – often prioritizing speed and innovation over governance and controls.

This gap creates an environment in which even sophisticated teams can be vulnerable, particularly against the type of long-term infiltration tactics that North Korea is refining.

“This is the most difficult operational security problem in crypto right now,” Urbelis said of the challenge of combating sophisticated fake identities and third-party intermediaries. “I don’t think the industry has solved the problem.”

Read more: How North Korea’s 6-month secret spy program is causing the crypto community to rethink security
