North Korea’s six-month infiltration campaign at Drift rattled a crypto industry already plagued by billion-dollar heists.
But as the news settled in, a bigger question came into focus: why does North Korea keep returning to crypto in the first place, and why does its approach look so different from every other state-sponsored hacking operation on the planet?
The short answer, according to security experts, is that crypto provides the regime with a revenue stream that keeps it afloat.
“North Korea does not have the luxury of being patient,” said Dave Schwed, chief operating officer at SVRN and the founder of the cybersecurity master’s program at Yeshiva University. “They are under extensive international sanctions and they need hard currency to fund weapons programs. The UN and multiple intelligence agencies have confirmed that crypto-theft is a primary funding mechanism for their nuclear and ballistic missile development.”
That helps explain a dynamic that has long puzzled investigators: why North Korean hackers carry out large-scale, traceable heists on public blockchains instead of quietly using crypto to evade sanctions as other state actors do.
The answer, Schwed argues, is structural. Russia still has an economy: oil, gas, commodity exports and trade partners willing to keep doing business. It needs crypto as a payment rail, but not for much else. Iran also has goods to move – sanctioned oil, proxy financing networks, willing intermediaries throughout the Middle East. North Korea has almost nothing left to sell.
“Their exports are almost completely sanctioned. They don’t have a functioning economy that needs a toll rail. They need direct revenue,” Schwed said. “Crypto theft gives them instant access to liquid value, globally, without needing a counterparty willing to trade with them.”
This distinction—crypto as infrastructure versus crypto as target—is what separates North Korea not only from Russia, but also from Iran. While Russia funnels money through crypto to circumvent sanctions, and Iran uses it to fund proxy networks throughout the Middle East, North Korea is running something closer to a state-sponsored heist.
“Their targets are exchanges, wallet providers, DeFi protocols and the individual engineers and founders who have signing authority or infrastructure access,” said Alexander Urbelis, head of information security at ENS Labs and professor of cybersecurity at King’s College London. “The victim is whoever is in possession of the keys or access to the infrastructure that holds the keys.”
Russia and Iran, by comparison, treat crypto as incidental, a means to broader geopolitical ends.
“Russia is targeting elections, energy infrastructure and government systems. Iran is going after dissidents and regional opponents,” Urbelis said. “When one of them touches crypto, it’s to move money, not to steal it from the ecosystem.”
This singular focus has pushed North Korean operatives to adopt tactics more commonly associated with intelligence agencies than criminal hackers: months of relationship building, fabricated identities and supply chain infiltration.
The Drift campaign is just the latest example.
“You don’t defend against a phishing email from a random scammer,” Urbelis said. “You’re defending yourself against someone who spent six months building a relationship specifically to compromise someone who has the access you need to protect.”
Crypto’s own architecture makes it a uniquely attractive hunting ground. In traditional finance, even successful hacks run into friction in the form of compliance checks, correspondent bank checks, settlement delays and the ability to reverse fraudulent transfers. When North Korea’s hackers pulled off the Bangladesh Bank robbery in 2016, the transfers took days to process and most of the funds were eventually recovered or blocked. In crypto, none of these security measures exist at the protocol level.
“Once a transaction is signed and confirmed, it’s final,” Urbelis said. The Bybit exploit last year moved $1.5 billion in about 30 minutes, a pace and scale that would be nearly impossible in the traditional banking system.
That finality fundamentally changes the security calculus. In banking, a reasonable defense can be built across prevention, detection and response because there is always a window to freeze money or reverse a wire. In crypto, that window barely exists, meaning stopping an attack before it happens isn’t just preferable — it’s essentially the only option.
And while banks operate under decades of regulatory guidance and audit requirements, many crypto projects are still improvising — often prioritizing speed and innovation over governance and control.
This gap creates an environment where even sophisticated teams can be vulnerable, especially to the kind of long-term infiltration tactics North Korea has refined.
“This is the most difficult operational security problem in crypto right now,” Urbelis said of the challenge of screening out sophisticated fake identities and third-party intermediaries. “I don’t think the industry has solved it.”