DeFi Development's Maximum Card

By Chloe, Challenger
Last week, the Solana lending protocol Drift was hacked and about $285 million of user assets were stolen. According to the official account, this was not a typical smart contract exploit but a six-month-long, carefully planned social engineering attack by state-sponsored hackers.
There is even investigative evidence that the same threat actors may already sit at the core of development of multiple DeFi protocols, not as attackers but as contributors.
Infiltrating targets early is common for North Korean hackers, but investing real cash is rare
According to the Drift incident statement, the attackers' core strategy was "to become part of the ecosystem".
Since the fall of 2025, they had posed as a quantitative trading firm and begun approaching Drift's core contributors at major crypto industry conferences. This contact was not limited to a single event: it spanned a number of conferences in different countries and was deliberately maintained for six months. These people had technical expertise, a plausible background, and an understanding of how Drift works.
Nor did they limit themselves to talking with Drift's core members. The group also used the open vault mechanism of the Drift ecosystem to set up its own vault as a legitimate trading firm, depositing over $1 million of its own funds and joining a number of working sessions where it raised in-depth product questions, thereby cementing trust with the project team.
In an interview with ChainCatcher, Steven, a blockchain technical expert, said: "It is common practice for North Korean hackers to infiltrate targets from an early stage, but it is rare for a large amount of cash to be invested as a basis for trust. For the attackers, however, the $1 million is in fact a risk-free investment: as long as the attack is not launched, it is simply a regular fund in the vault that can be withdrawn at any time. And the people actually sent were uninformed third-party recruits, so the organization itself bore little financial risk."
In addition, during its long-running collaboration with Drift, the group shared code repositories hosted on GitHub, as well as applications, under the pretext of demonstrating its own development tools. Given the circumstances at the time, it would have been normal for partners to look at each other's code. However, Drift's follow-up investigation found that the GitHub repository cloned by one contributor contained malicious code, while another contributor was induced to download a TestFlight application disguised as a wallet product.
The code repository vector is hard to defend against because it is fully embedded in developers' daily workflow. Developers almost always use code editors such as VSCode or Cursor, which they treat as the engineer's Word: open every day.
The security research community found a serious vulnerability in this type of editor at the end of 2025: when a developer uses it to open a repository shared by someone else, malicious instructions hidden in the project are automatically executed in the background. The process is completely silent: no confirmation window pops up, no permission prompt is clicked, no warning is shown. The developer thinks they are just looking at code, while a backdoor is actually being implanted on their machine. It was by exploiting this vulnerability that the attackers slipped their malware into something developers do every day.
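The mechanism described above maps onto a real editor feature: VS Code-family editors can start a task from `.vscode/tasks.json` automatically when a folder is opened (`"runOptions": {"runOn": "folderOpen"}`), which is exactly the kind of hook a booby-trapped repository would carry. The following is an added example, not code from the article, from Drift, or from the attackers' repository: a pre-open check that a developer or a blue team can run over a freshly cloned repository to list every task that would execute without anyone clicking. The sample repository it scans is constructed inside a temporary directory; the task names and commands in it are invented for the demonstration.

```python
"""Pre-open check for editor auto-run tasks in a cloned repository (added example)."""
import json
import re
import tempfile
from pathlib import Path

AUTO_RUN_TRIGGERS = {"folderOpen"}  # VS Code's only automatic task trigger


def strip_jsonc(text: str) -> str:
    """tasks.json is JSON-with-comments; drop comments and trailing commas so json can parse it.
    Heuristic: a '/*' inside a string literal would also be stripped, which is acceptable here."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)       # block comments
    text = re.sub(r"^[ \t]*//.*$", "", text, flags=re.M)      # full-line comments
    text = re.sub(r",(\s*[}\]])", r"\1", text)                # trailing commas
    return text


def find_auto_run_tasks(repo: Path) -> list[dict]:
    """Return one finding per task that the editor would run on folder open."""
    findings = []
    for tasks_file in sorted(repo.rglob("tasks.json")):
        if tasks_file.parent.name != ".vscode":
            continue
        rel = str(tasks_file.relative_to(repo))
        try:
            data = json.loads(strip_jsonc(tasks_file.read_text(encoding="utf-8")))
        except (ValueError, OSError):
            # An unparseable tasks.json is itself worth a manual look before opening the folder.
            findings.append({"file": rel, "label": None, "trigger": None,
                             "command": None, "hidden": False, "note": "unparseable"})
            continue
        for task in data.get("tasks", []):
            trigger = (task.get("runOptions") or {}).get("runOn")
            if trigger not in AUTO_RUN_TRIGGERS:
                continue
            parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
            # presentation.reveal == "never" keeps the terminal panel closed, so the task leaves no visible trace
            hidden = (task.get("presentation") or {}).get("reveal") == "never"
            findings.append({"file": rel, "label": task.get("label"), "trigger": trigger,
                             "command": " ".join(parts).strip(), "hidden": hidden, "note": ""})
    return findings


def build_sample_repo(root: Path, with_auto_task: bool) -> Path:
    """Constructed sample repository: a benign build task, plus (optionally) a hidden folderOpen task."""
    vscode = root / "sample-repo" / ".vscode"
    vscode.mkdir(parents=True)
    tasks = [{"label": "build", "type": "shell", "command": "cargo build"}]
    if with_auto_task:
        tasks.append({
            "label": "prepare",  # invented label; a real payload would fetch and run code here
            "type": "shell",
            "command": "sh",
            "args": ["-c", "echo hidden-setup"],
            "runOptions": {"runOn": "folderOpen"},
            "presentation": {"reveal": "never"},
        })
    body = "// generated by tooling\n" + json.dumps({"version": "2.0.0", "tasks": tasks}, indent=2)
    (vscode / "tasks.json").write_text(body, encoding="utf-8")
    return root / "sample-repo"


def scan_demo(with_auto_task: bool = True) -> list[dict]:
    """Build the constructed repository and scan it; returns the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_auto_run_tasks(build_sample_repo(Path(tmp), with_auto_task))


if __name__ == "__main__":
    for f in scan_demo():
        flag = " (terminal hidden)" if f["hidden"] else ""
        print(f"{f['file']}: task '{f['label']}' runs on {f['trigger']}{flag}: {f['command']}")
```

Run it against a real clone by calling `find_auto_run_tasks(Path("/path/to/clone"))` before opening the folder in the editor. The check is a complement to, not a replacement for, the editor's own Workspace Trust prompt: it only covers the `tasks.json` hook, and it must run from a plain terminal rather than from inside the editor being checked.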
By April 1, when the Drift attack took place, the group's Telegram chat records and every trace of the malware had been wiped clean, leaving a $285 million hole.
Drift may be just the tip of the iceberg
According to SEAL 911, the crypto industry's emergency security response group, the attack was carried out by the same threat group behind the October 2024 Radiant Capital hack. The link rests on on-chain fund flows (funds used to prepare and test this operation can be traced back to the Radiant attackers) and on operational patterns (the people deployed in this operation overlap with known DPRK-related activity). Mandiant (now part of Google), the well-known forensics firm hired by Drift, had previously attributed the Radiant incident to the North Korean state-associated group UNC 4736, but Mandiant has not yet formally attributed the Drift incident, and the full forensic evidence is still being assembled.
Notably, the individuals who appeared at the conferences were not North Korean nationals. Steven stated that "North Korean hackers should not be seen as ordinary hackers, but rather as an intelligence agency, a large organization with thousands of people and a clear division of labour. The North Korean hacker group Lazarus has the official name APT38 in the international security field, and Kimsuky, another North Korean affiliate, has the name APT43."
This explains why they can deploy real people in person. They open companies abroad under various names and recruit local personnel who do not even know who they are working for. "He may have thought he had joined a normal remote-work company, and a year later he was assigned to meet a client. Everything seemed normal, but behind him was a hacker organization. By the time law enforcement comes, the man knows nothing."
Today, Drift may be just the tip of the iceberg.
If the Drift incident reveals the breach of a single protocol, the next investigation points to a bigger problem: the same method may have been operating across the DeFi ecosystem for years.
According to a survey by the blockchain researcher Tayvano, since the rapid expansion of DeFi in 2020, code contributions associated with North Korean IT workers have spread to a number of well-known projects, including SushiSwap, Thorchain, Harmony, Ankr and Yearn Finance.


The same methods appear in the Drift incident: false identities, development roles obtained through freelance platforms and direct contact, access to Discord channels and developer communities, and even participation in the developer community itself. Once inside a project, they contribute code, take part in the development cycle, and build trust with the team until the protocol's entire architecture has been mapped out and the funds are moved.
Steven believes that traditional intelligence agencies are prepared to wait a lifetime, even a generation, with the next generation continuing the unfinished tasks of the previous one. Web3 projects, by contrast, are short-cycle and high-yield for them, and remote work lets one person hold several jobs across several projects at the same time, which is common in the Web3 industry and raises no suspicion.
"North Korean hackers include every Web3 project in their scope of attack, carefully screening each project and gathering information on team members. They know more about the project than the project team itself," Steven said. Web3 is the primary target because of the large amount of capital in the ecosystem, the lack of unified global regulation, the widespread absence of identity verification for partners and employees due to remote work, and the generally young and socially inexperienced workforce, all of which provide an ideal environment for North Korean intelligence agencies to penetrate.
Hackers strike again and again, while project teams sit and wait for the blow
Looking back at the major incidents of recent years, social engineering has always been the core tool of the North Korean hacker group. The timing coincides with the recent release of Binance founder CZ's memoir "Bian's Life", which recalls the theft of 700 bitcoins in May 2019. According to CZ, the hackers first compromised the laptops of several employees with advanced malware, then implanted a malicious instruction in the last step of the transfer process, stealing all 700 bitcoins from the hot wallet at 1 a.m. (worth about US$40 million at the time). CZ wrote that, judging by the method of attack, the hackers had been lurking in the network for some time, that North Korea's Lazarus was highly suspected, and that internal employees may even have been bribed.
The 2022 Ronin Network attack was another classic case. Ronin is the sidechain behind the popular game Axie Infinity and handles the cross-chain transfer of all in-game assets, with a large total value locked at the time. The attack began when a developer received an invitation for a highly paid position that appeared to come from a well-known company; a document containing a malicious program was downloaded during the interview process, giving the attacker access to internal systems and eventually enabling the theft of $625 million.
The 2023 CoinsPaid incident was almost identical. CoinsPaid, a cryptocurrency payment service, was also approached through a forged recruitment process that induced employees to install malware and gave the attackers entry into its systems. More recent methods are more varied: fake video calls, compromised social accounts, and malicious programs disguised as meeting software.
Victims received seemingly normal Calendly meeting links; clicking them led to the installation of fake meeting applications, through which malware stole wallets, passwords, seed phrases and chat records. It is estimated that by this method alone the North Korean hacker group has stolen more than $300 million.
At the same time, the final destination of the stolen funds is of concern. Steven states that the stolen funds ultimately flow under the control of the North Korean government. Money laundering is handled by specialized teams within the organization, which run their own mixers and open accounts under false identities on numerous exchanges, following a complete and complex process: immediately after the theft the funds are laundered and converted into privacy coins, then moved cross-chain through different DeFi projects, flowing repeatedly between exchanges and DeFi.
"The whole process is completed within about 30 days, and the funds eventually end up in the hands of South-East Asian casinos, small exchanges that do not require KYC, and over-the-counter (OTC) service providers in Hong Kong, mainland China and South-East Asia."
How, then, should the crypto industry respond to this new threat model, in which the adversary is not merely an attacker but a participant?
Steven believes that projects managing large amounts of funds should hire a professional security team, with dedicated security positions inside the team, and that all core members must strictly observe security discipline. It is particularly important that development machines and the devices used for financial signing be strictly physically isolated. He noted in particular that a key issue in the Drift case was the removal of the time-lock buffer mechanism: "this cannot be lifted at any time".
However, he also stated that if the DPRK's intelligence services go deep enough, it is difficult to identify them fully. Bringing in a security team nonetheless remains crucial. He suggested that project teams introduce a blue team (a defensive team in cyber-attack terms) that would not only help harden devices and behaviour, but would also continuously monitor key nodes and, in the event of unusual activity, detect and respond to an attack at the earliest moment. "A project's own security capability alone is not enough to withstand an attack at this level."
He added that North Korea's cyber-warfare capability currently ranks among the top five in the world, after the United States, Russia, China and Israel. Against adversaries of this calibre, code auditing alone is far from sufficient.
Concluding remarks
The Drift incident shows that the most serious threats facing DeFi today come not only from code but from people, and that guarding against code vulnerabilities alone is not enough, because spies may be hiding nearby.
When attackers are willing to spend six months and millions of dollars cultivating a relationship, traditional code audits and security defenses are simply inadequate. According to existing investigations, this technique has likely been in operation for years across multiple projects without being discovered.
Whether DeFi can remain decentralised and open is no longer the central question; the real question is whether it can remain open while resisting infiltration by elaborately disguised adversaries.
