Ethical Hacking News
North Korea has been linked to a six-month hacking operation that stole $285 million from Drift, a cryptocurrency protocol. The attack highlights the sophistication of North Korea's state-affiliated actors and raises concerns about the vulnerability of crypto projects.
A six-month intelligence operation by North Korea's state-affiliated actors was behind a hack of Drift, a cryptocurrency protocol. The attack resulted in the theft of roughly $285 million from Drift's storage pools. This fits a larger pattern: North Korea has used cryptocurrency theft as a consistent funding mechanism for years. The attack utilized a sophisticated approach combining private key access with the ability to collateralize assets far beyond normal limits. The incident highlights the need for projects like Drift to prioritize operational security and adopt best practices to prevent similar breaches.
In a recent exposé, it has been revealed that a six-month intelligence operation run by a criminal hacking group connected to the North Korean regime was behind a hack of Drift, a cryptocurrency protocol for perpetual futures trading on Solana. The attack, which pulled roughly $285 million out of Drift's storage pools, utilized a sophisticated approach that combined private key access with the ability to issue or collateralize assets far beyond normal limits.
The operation, attributed to North Korea's state-affiliated actors, fits a larger pattern: the regime has used cryptocurrency theft as a consistent funding mechanism for years. Past major incidents include the 2022 Ronin Network drain of more than $600 million and repeated exchange compromises. In 2025, the regime's hackers set a new annual record by stealing $2.02 billion.
The hack on Drift was carried out over an extended period, starting in mid-March 2026. The attackers first moved money through a mixing service called Tornado Cash to hide their tracks and set up special accounts that allowed them to prepare certain transactions in advance. On March 27, Drift's security team switched to a new approval system that needed only two out of five key holders to sign off on major changes and removed any built-in waiting period that might have triggered an alert.
The hackers then created 750 million brand-new fake tokens called CarbonVote Token, or CVT. They manipulated trading activity so Drift's price-checking tools treated these worthless tokens as legitimate, high-value collateral that could back huge withdrawals. This allowed them to add the fake token to the platform, raise borrowing limits, dump hundreds of millions of the phony tokens into the system, and drain real assets through 31 fast withdrawals.
The entire process took around 12 minutes. The attackers quickly swapped the stolen funds into USDC on a Solana exchange and moved everything over to the Ethereum network to cover their tracks. Forensics pointed to three potential vectors for the private key compromise involved in the attack: one contributor may have cloned a code repository that exploited a known VSCode or Cursor vulnerability allowing silent arbitrary code execution; a second was persuaded to download a TestFlight app framed as the firm's wallet product; and a third vector remains under active review by law enforcement.
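The sequence described above lends itself to monitoring rules that a protocol's operations team could run over its own governance and pool event log. The following is an added example written for this article, not code from Drift or from the source reports: it flags a lowered multisig threshold, a removed timelock, a borrow-limit raise within minutes of a new collateral listing, and a burst of withdrawals. The event names, the alert thresholds, the pre-change multisig setting, the timelock length and the drain date in the constructed log are all assumptions.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    kind: str    # governance or pool event type (names are assumed, not Drift's)
    data: dict   # event-specific fields

WINDOW = timedelta(minutes=15)  # sliding window for the burst and listing checks (assumed)
MAX_WITHDRAWALS = 10            # withdrawals per window beyond which a burst is flagged (assumed)

def find_alerts(events):
    """Return (timestamp, reason) pairs for the governance/pool patterns described in the report."""
    alerts, listed, withdrawals = [], {}, deque()
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "threshold_changed":
            new, old, total = e.data["new"], e.data["old"], e.data["signers"]
            if new < old or 2 * new <= total:  # lowered, or no longer a majority of signers
                alerts.append((e.ts, f"multisig threshold lowered to {new}-of-{total}"))
        elif e.kind == "timelock_changed" and e.data["new_seconds"] == 0:
            alerts.append((e.ts, "governance timelock removed"))
        elif e.kind == "collateral_listed":
            listed[e.data["asset"]] = e.ts
        elif e.kind == "borrow_limit_raised":
            asset = e.data["asset"]
            if asset in listed and e.ts - listed[asset] <= WINDOW:
                alerts.append((e.ts, f"borrow limit raised for {asset} right after listing"))
        elif e.kind == "withdrawal":
            withdrawals.append(e.ts)
            while e.ts - withdrawals[0] > WINDOW:  # drop withdrawals that fell out of the window
                withdrawals.popleft()
            if len(withdrawals) == MAX_WITHDRAWALS + 1:  # fire once per burst
                alerts.append((e.ts, f"{len(withdrawals)} withdrawals within {WINDOW}"))
    return alerts

def sample_events():
    """Constructed event log mirroring the reported sequence; the old threshold, timelock
    length and drain date are assumptions, not figures from the report."""
    t0, t1 = datetime(2026, 3, 27, 12, 0), datetime(2026, 4, 1, 9, 0)
    ev = [Event(t0, "threshold_changed", {"old": 3, "new": 2, "signers": 5}),
          Event(t0 + timedelta(minutes=1), "timelock_changed", {"old_seconds": 86400, "new_seconds": 0}),
          Event(t1, "collateral_listed", {"asset": "CVT"}),
          Event(t1 + timedelta(minutes=2), "borrow_limit_raised", {"asset": "CVT", "new_limit": 500_000_000})]
    for i in range(31):  # 31 fast withdrawals spread over roughly 12 minutes, as reported
        ev.append(Event(t1 + timedelta(minutes=3, seconds=23 * i), "withdrawal", {"amount": 9_000_000}))
    return ev
```

Running `find_alerts(sample_events())` yields four alerts: the threshold change, the timelock removal, the limit raise on the freshly listed asset, and the withdrawal burst. Each of the first two would have been a reason to pause before the drain ever started.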
The Drift team's culpability in the incident has been questioned, with some highlighting the lack of stricter compartmentalization between development environments and signing keys. The criticism is sharpened by the fact that the protocol was handling hundreds of millions of dollars and it was well known that crypto is full of hackers. The longer the author sat with this story, the harder it was to avoid the conclusion that Drift Protocol was dealing with a civil negligence issue.
However, security researchers have warned that a genuine six-month intelligence campaign of this caliber suggests similar operations could already be underway against other projects. The level of patience and resource investment implies that the actors did not limit themselves to a single target.
The combination of smoke and mirrors, remote collaboration, and high financial stakes in crypto creates conditions where determined, sophisticated groups, including intelligence agencies, can invest months in building trust before striking. And when hundreds of millions or even billions are potentially available, actors will pursue attacks through extensive, exhaustive means.
The data also clearly shows that criminal use of crypto is on the rise, as both illicit transfers and physical attacks on known crypto holders hit new all-time highs last year. As the cryptocurrency landscape continues to evolve, it is essential for projects like Drift to prioritize operational security and adopt best practices to prevent such breaches in the future.
Related Information:
https://www.ethicalhackingnews.com/articles/Cryptocurrency-Hacking-Unraveling-the-Complex-Web-of-North-Koreas-Six-Month-Operation-ehn.shtml
https://gizmodo.com/crypto-project-details-alleged-6-month-north-korean-intel-op-behind-285-million-hack-2000741330
https://beincrypto.com/drift-north-korea-spy-operation-hack/
Published: Tue Apr 7 05:36:51 2026 by llama3.2 3B Q4_K_M