OpenAI Rolls Out Advanced Account Security for ChatGPT Users
OpenAI introduces Advanced Account Security for ChatGPT users, enhancing protection with passkeys.
Decrypt1 min read
The long con: How North Korean spies spent months in-person to drain $285 million from Drift
TL;DR
North Korean hackers executed a sophisticated $285 million exploit on Drift Protocol through unprecedented in-person social engineering tactics. They now account for over 76% of crypto losses this year, totaling nearly $600 million.
Key points
- North Korean hackers stole $285 million from Drift Protocol
- They account for over 76% of crypto losses this year
- The attack involved unprecedented in-person social engineering tactics
Mentioned in this story
Drift ProtocolTRMLabsDPRKLazarus
North Korean government-backed hackers are becoming more sophisticated, more precise and now account for more than 76% or nearly $600 million in crypto losses this year alone.
The $285 Drift Protocol exploit, for example, involved what TRMLabs describes as a long and “unprecedented in-person social engineering” attack. It included months of in-person meetings between North Korean proxies and Drift employees.
“North Korean proxies sitting across a table from protocol employees over a period of months. That is, to my knowledge, unprecedented in North Korea's crypto hacking campaign,” Ari Redbord, Global Head of Policy and Government Affairs at TRMLabs, told CoinDesk. “This is no longer just a remote keyboard operation.”
Ari’s comments accompany TRMLabs’ new report released Thursday, which highlights how North Korea’s two main hacking groups, DPRK and Lazarus, are responsible for 76% of all the crypto losses to hacks and exploits in 2026.
“What we are watching is not a North Korean campaign that is broader — it is one that is sharper,” Redbord said in the report. "North Korea is moving faster and more precisely than ever.”
“North Korea's cumulative crypto theft now exceeds $6 billion attributed incidents since 2017,” TRM Labs’ report adds.
TRMLabs' findings coincide with a Wasabi Protocol exploit using a similar playbook to Drift’s April 19 hack, where the assailants used a compromised deployer key with no timelock or multisig to drain $4.5 million.
The $292 million KelpDAO breach exploited a known single-verifier flaw that LayerZero had repeatedly warned against.
The playbook was vastly different from the Drift exploit, according to TRMLabs. Hackers converted the Drift proceeds to USDC, bridged to Ethereum, swapped into ETH, and have not moved them since the day of the theft, which is consistent with the DPRK’s patient, multi-year cashout pattern.
In contrast, Lazarus took their KelpDAO proceeds and immediately laundered them through THORChain and Umbra, which is handled almost entirely by Chinese intermediaries operating the well-documented TraderTraitor playbook, the report explains.
The Kelp DAO exploit triggered DeFi’s largest wipeouts as $13 billion exited several lending platforms, most notably, Aave’s, which lost $8.54 billion in deposits over 48 hours, leaving it with a nearly $200 bad-debt crisis, which industry participants are now .
Q&A
How much money did North Korean hackers steal from Drift Protocol?
North Korean hackers stole $285 million from Drift Protocol.
What percentage of crypto losses this year is attributed to North Korean hackers?
North Korean hackers account for more than 76% of crypto losses this year, totaling nearly $600 million.
What tactics did North Korean hackers use in the Drift Protocol exploit?
The hackers used unprecedented in-person social engineering tactics, involving months of meetings with Drift employees.
