Why North Korea Hacks Cryptocurrencies Instead of Evading Sanctions Like Russia and Iran

North Korea’s six-month infiltration campaign into Drift shook a crypto industry already reeling from multi-billion dollar exploits.

But as the news spread, a bigger question arose: why does North Korea keep returning to cryptocurrencies in the first place, and why does its approach seem so different from any other state-backed hacking operation on the planet?

The short answer, according to security experts, is that cryptocurrencies help give the regime a revenue stream and keep it afloat.

“North Korea does not have the luxury of patience,” said Dave Schwed, chief operating officer of SVRN and founder of Yeshiva University’s cybersecurity master’s program. “They are under comprehensive international sanctions and need hard currency to fund weapons programs. The UN and multiple intelligence agencies have confirmed that cryptocurrency theft is a primary funding mechanism for their nuclear and ballistic missile development.”

That urgency explains a dynamic that has long puzzled researchers: why North Korean hackers carry out large-scale traceable heists on public blockchains instead of quietly using cryptocurrencies to evade sanctions as other state actors do.

The answer, Schwed maintains, is structural. Russia still has an economy: oil, gas, raw-material exports and trading partners willing to use alternative settlement channels. It needs cryptocurrencies as a means of payment, but not for much else. Iran also has goods to move: sanctioned oil, indirect financing networks and willing middlemen throughout the Middle East. North Korea has almost nothing left to sell.

“Their exports are almost completely sanctioned. They don’t have a functional economy that needs a payment system. They need direct income,” Schwed said. “Stealing cryptocurrencies gives them immediate access to liquid value, globally, without needing a counterparty willing to do business with them.”

That distinction (crypto as infrastructure versus crypto as target) is what separates North Korea not only from Russia, but also from Iran. While Russia sends money via cryptocurrency to avoid sanctions, and Iran uses it to fund proxy networks across the Middle East, North Korea is running something closer to a state-sponsored heist operation.

“Their targets are exchanges, wallet providers, DeFi protocols, and individual engineers and founders who have signing authority or access to the infrastructure,” said Alexander Urbelis, chief information security officer at ENS Labs and professor of cybersecurity at King’s College London. “The victim is the one who owns the keys or accesses the infrastructure that owns the keys.”

Russia and Iran, by comparison, treat cryptocurrencies as incidental, a means to broader geopolitical ends.

“Russia targets elections, energy infrastructure and government systems. Iran goes after dissidents and regional adversaries,” Urbelis said. “When any of them touch cryptocurrencies, it is to move money, not to steal it from the ecosystem.”

That singular focus has pushed North Korean agents to adopt tactics more commonly associated with intelligence agencies than criminal hackers: months-long relationship building, fabricated identities and supply chain infiltration.

The Drift campaign is just the most recent example.

“You’re not defending yourself against a phishing email from a random scammer,” Urbelis said. “You’re defending yourself against someone who spent six months building a relationship specifically to compromise a person who has access you need to protect.”

Crypto’s own architecture makes it an exceptionally attractive hunting ground. In traditional finance, even successful hacks run into friction: compliance checks, correspondent-bank reviews, settlement delays and the ability to reverse fraudulent transfers. When North Korean hackers carried out the Bangladesh Bank heist in 2016, the transfers took days to process and most of the funds were eventually recovered or blocked. In crypto, none of those safeguards exist at the protocol level.

“Once a transaction is signed and confirmed, it is final,” Urbelis said. The Bybit exploit early last year moved $1.5 billion in about 30 minutes, a pace and scale that would be nearly impossible in the traditional banking system.

That finality fundamentally changes the security calculus. In banking, a reasonable defense can be built around prevention, detection and response, because there is always a window in which to freeze funds or reverse a transfer. In crypto, that window barely exists, which means that stopping an attack before it happens is not only preferable: it is essentially the only option.

And while banks operate under decades of regulatory guidance and audit requirements, many crypto projects are still improvising, often prioritizing speed and innovation over governance and controls.

That gap creates an environment in which even sophisticated teams can be vulnerable, particularly to the kind of long-term infiltration tactics that North Korea has been honing.

“This is the most difficult operational security problem in crypto right now,” Urbelis said of the challenge of investigating sophisticated fake identities and third-party intermediaries. “I don’t think the industry has figured it out.”
