North Korea’s six-month infiltration campaign at Drift rattled a crypto industry already reeling from billion-dollar exploits.
But as the news settled, a bigger question came into focus: why does North Korea keep coming back to crypto in the first place, and why does its approach look so different from every other state-backed hacking operation on the planet?
The short answer, according to security experts, is that crypto gives the regime a revenue stream and keeps it afloat.
“North Korea doesn’t have the luxury of patience,” said Dave Schwed, chief operating officer at SVRN and the founder of the cybersecurity masters program at Yeshiva University. “They’re under comprehensive international sanctions and they need hard currency to fund weapons programs. The UN and multiple intelligence agencies have confirmed that crypto theft is a primary funding mechanism for their nuclear and ballistic missile development.”
That urgency explains a dynamic that has long puzzled investigators: why North Korean hackers carry out large-scale, traceable heists on public blockchains instead of quietly using crypto to evade sanctions the way other state actors do.
The answer, Schwed argues, is structural. Russia still has an economy: oil, gas, commodity exports, and trading partners willing to use workarounds. It needs crypto as a payment rail, but not for much else. Iran, too, has goods to move — sanctioned oil, proxy financing networks, willing intermediaries across the Middle East. North Korea has almost nothing left to sell.
“Their exports are almost entirely sanctioned. They don’t have a functioning economy that needs a payment rail. They need direct revenue,” Schwed said. “Crypto theft gives them immediate access to liquid value, globally, without needing a counterparty willing to do business with them.”
That distinction — crypto as infrastructure versus crypto as a target — is what separates North Korea not just from Russia, but from Iran as well. While Russia routes money through crypto to work around sanctions, and Iran uses it to fund proxy networks across the Middle East, North Korea is running something closer to a state-sponsored heist operation.
“Their targets are exchanges, wallet providers, DeFi protocols and the individual engineers and founders who have signing authority or infrastructure access,” said Alexander Urbelis, chief information security officer at ENS Labs and a professor of cybersecurity at King’s College London. “The victim is whoever holds the keys or access to the infrastructure that holds the keys.”
Russia and Iran, by comparison, treat crypto as incidental, a means to broader geopolitical ends.
“Russia targets elections, energy infrastructure and government systems. Iran goes after dissidents and regional adversaries,” Urbelis said. “When either of them touches crypto, it’s to move money, not to steal it from the ecosystem.”
That singular focus has pushed North Korean operatives to adopt tactics more commonly associated with intelligence agencies than criminal hackers: months-long relationship building, fabricated identities and supply chain infiltration.
The Drift campaign is only the most recent example.
“You’re not defending against a phishing email from a random scammer,” Urbelis said. “You’re defending against someone who spent six months building a relationship specifically to compromise one person who has the access you need to protect.”
Crypto’s own architecture makes it a uniquely attractive hunting ground. In traditional finance, even successful hacks run into friction in the form of compliance checks, correspondent bank checks, settlement delays and the possibility of reversing fraudulent transfers. When North Korea’s hackers pulled off the Bangladesh Bank robbery in 2016, the heist took days to process and most of the funds were eventually recovered or blocked. In crypto, none of those safeguards exist at the protocol level.
“Once a transaction is signed and confirmed, it’s final,” Urbelis said. The Bybit exploit last year moved $1.5 billion in roughly 30 minutes, a pace and scale that would be nearly impossible in the traditional banking system.
That finality fundamentally changes the security calculus. In banking, a reasonable defense can be built across prevention, detection and response, because there’s always a window to freeze funds or reverse a wire. In crypto, that window barely exists, which means stopping an attack before it happens isn’t just preferable — it’s essentially the only option.
And while banks operate under decades of regulatory guidance and audit requirements, many crypto projects are still improvising — often prioritizing speed and innovation over governance and controls.
That gap creates an environment where even sophisticated teams can be vulnerable, particularly to the kind of long-term infiltration tactics North Korea has been refining.
“This is the hardest operational security problem in crypto right now,” Urbelis said of the challenge of vetting against sophisticated fake identities and third-party intermediaries. “I don’t think the industry has solved it.”