The biggest bottleneck in DeFi development

By: rootdata|2026/04/08 22:10:01

Author: Chloe, ChainCatcher

Last week, the Solana lending protocol Drift was hacked, resulting in approximately $285 million in user assets being stolen. According to official statements, this was not a typical smart contract vulnerability attack, but rather a six-month-long, meticulously planned social engineering attack by state-sponsored hackers.

There is even investigative evidence suggesting that the same group of threat actors may have already infiltrated the core development of multiple DeFi protocols, not as attackers, but as contributors.

North Korean hackers commonly infiltrate targets early but rarely invest large sums of money

According to the statement regarding the Drift incident, the core strategy of the attackers was to "become part of the ecosystem."

Since the fall of 2025, they disguised themselves as a quantitative trading company and began to engage with Drift's core contributors at major crypto industry conferences. This engagement was not a one-time occurrence, but rather multiple interactions across different countries and conferences, deliberately conducted over six months. These individuals were technically proficient, had verifiable backgrounds, and were well-acquainted with how Drift operated.

Moreover, their interactions were not limited to Drift's core members. The team also exploited the open mechanism of Drift's Ecosystem Vault, successfully listing their own vault as a legitimate trading company, depositing over $1 million of their own funds, participating in multiple working meetings, and posing in-depth product questions, thereby solidifying trust with the project team.

Blockchain technology expert Steven, in an interview with ChainCatcher, stated: "North Korean hackers have been infiltrating targets from early on, which is common practice, but investing large sums of money as a basis for trust is relatively rare. However, for the attackers, this $1 million is essentially a risk-free investment; as long as they do not launch an attack, this money is merely normal funds existing in the vault, which can be withdrawn at any time; and the actual operations are conducted by unwitting third-party personnel, resulting in almost no economic loss to the organization itself."

Additionally, during their long-term collaboration with Drift, the team shared code projects and applications stored on GitHub under the pretext of showcasing their own development tools. Given the circumstances at the time, it was entirely normal for partners to review each other's code. However, subsequent investigations by Drift revealed that one contributor had copied a GitHub code project containing malicious code, while another contributor was induced to download a TestFlight application disguised as a wallet product.

The reason the code project pathway is difficult to guard against is that it is fully embedded in the developers' daily workflow. Developers typically use code editors like VSCode or Cursor when writing code, which can be thought of as the Word for engineers, something they open and use daily.

The security research community discovered a serious vulnerability in such editors by the end of 2025: when developers opened code projects shared by others, hidden malicious commands within the projects would automatically execute in the background, completely covertly, without any confirmation windows popping up on the screen, requiring no clicks to agree, and providing no warnings. Developers believed they were merely "looking at code," but their computers had actually been implanted with backdoors. The attackers exploited this vulnerability to hide malware within the daily operations that developers routinely performed.
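The article does not name the editor vulnerability, but the pathway it describes (open a shared project, and configuration inside that project causes the editor to run commands without a prompt) is the reason security teams scan a cloned repository before anyone opens it in an editor. The script below is an added example, not code from the article or from Drift; it assumes one widely documented vector of this kind, VS Code and Cursor tasks declared in `.vscode/tasks.json` with `"runOptions": {"runOn": "folderOpen"}`, plus a small, assumed list of settings keys that let a workspace point the editor at an executable shipped inside the repository. Function names and the sample project it builds are constructed for the demonstration.

```python
"""Pre-open scan of a shared code project for editor auto-run hooks.

Added example for this article, not part of it and not Drift's tooling.
Assumption: the checks cover VS Code / Cursor workspace files only
(.vscode/tasks.json auto-run tasks and a few settings keys that name an
executable). A finding means "inspect before opening", not "malicious".
"""
import json
import os
import re
import tempfile

# Settings keys that name a program the editor will launch. An untrusted
# workspace should not be allowed to override these (list is an assumption).
RISKY_SETTINGS_PREFIXES = (
    "terminal.integrated.shell.",
    "terminal.integrated.profiles.",
    "terminal.integrated.automationProfile.",
    "git.path",
    "python.defaultInterpreterPath",
)

_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_LINE_COMMENT = re.compile(r"(?m)^\s*//[^\n]*")
_TRAILING_COMMA = re.compile(r",(\s*[}\]])")


def load_jsonc(path):
    """Parse a VS Code JSON-with-comments file; return None if it cannot be parsed."""
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        text = _BLOCK_COMMENT.sub("", text)
        text = _LINE_COMMENT.sub("", text)
        text = _TRAILING_COMMA.sub(r"\1", text)
        return json.loads(text)
    except (OSError, ValueError):
        return None


def scan_tasks(root):
    """Flag tasks configured to run as soon as the folder is opened."""
    findings = []
    path = os.path.join(root, ".vscode", "tasks.json")
    if not os.path.exists(path):
        return findings
    data = load_jsonc(path)
    if not isinstance(data, dict):
        # An unparseable config in an untrusted project is itself worth a look.
        return [{"kind": "unparseable_config", "file": path}]
    for task in data.get("tasks", []) or []:
        if not isinstance(task, dict):
            continue
        opts = task.get("runOptions") or {}
        if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
            parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", []) or []]
            findings.append({
                "kind": "auto_run_task",
                "file": path,
                "label": task.get("label"),
                "command": " ".join(parts).strip(),
            })
    return findings


def scan_settings(root):
    """Flag workspace settings that point the editor at a program of the repo's choosing."""
    findings = []
    path = os.path.join(root, ".vscode", "settings.json")
    if not os.path.exists(path):
        return findings
    data = load_jsonc(path)
    if not isinstance(data, dict):
        return [{"kind": "unparseable_config", "file": path}]
    for key, value in data.items():
        if any(key.startswith(p) for p in RISKY_SETTINGS_PREFIXES):
            findings.append({"kind": "risky_setting", "file": path, "key": key, "value": value})
    return findings


def scan_project(root):
    """Return all findings for a checked-out project directory."""
    return scan_tasks(root) + scan_settings(root)


def build_demo_project(with_hooks=True):
    """Construct a throwaway sample repository (constructed data, not a real project)."""
    root = tempfile.mkdtemp(prefix="shared-project-")
    vscode = os.path.join(root, ".vscode")
    os.makedirs(vscode)
    tasks = [{"label": "build", "type": "shell", "command": "cargo build"}]
    if with_hooks:
        tasks.append({"label": "setup", "type": "shell", "command": "sh",
                      "args": ["./tools/bootstrap.sh"],  # placeholder script name
                      "runOptions": {"runOn": "folderOpen"}})
    with open(os.path.join(vscode, "tasks.json"), "w", encoding="utf-8") as fh:
        fh.write("// constructed sample tasks file\n")
        fh.write(json.dumps({"version": "2.0.0", "tasks": tasks}, indent=2))
    if with_hooks:
        with open(os.path.join(vscode, "settings.json"), "w", encoding="utf-8") as fh:
            json.dump({"terminal.integrated.automationProfile.linux": {"path": "./tools/sh"}}, fh)
    return root


if __name__ == "__main__":
    for finding in scan_project(build_demo_project()):
        print(finding)
```

Run it against a fresh clone before the project is opened in an editor; any `auto_run_task` or `risky_setting` finding is a reason to read the referenced file and the script it points at first, and to open the project only with the editor's workspace trust left in restricted mode.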

By the time the Drift attack occurred on April 1, the attackers' Telegram chat records and all traces of malware had been completely erased, leaving only a $285 million gap.

Is Drift just the tip of the iceberg?

According to an investigation by SEAL 911, the crypto industry's emergency security response organization, this attack was carried out by the same group of threat actors responsible for the October 2024 Radiant Capital hack. The connections include on-chain fund flows (the funds used to prepare and test this operation trace back to the Radiant attackers) and operational patterns (the personas deployed in this operation show identifiable overlaps with known North Korean activities). Mandiant, the well-known security forensics company (now part of Google) hired by Drift, had previously attributed the Radiant incident to the North Korean state-affiliated organization UNC4736, but Mandiant has not yet formally attributed the Drift incident, and complete device forensics are still ongoing.

Notably, the individuals who personally attended the meetings were not North Korean nationals. Steven stated: "North Korean hackers should not be viewed as a typical hacking organization, but rather as an intelligence agency; it is a large organization with thousands of people and clearly defined roles. Among them, the North Korean hacker Lazarus is formally known in the international security field as APT38, while another affiliated organization, Kimsuky, is designated as APT43."

This explains why they are able to deploy real people offline. They establish companies overseas under various names, recruiting local personnel, who may not even be aware of who they are working for. "He might think he joined a normal remote work company, and after a year is sent to meet a client; everything seems normal, but behind it is a hacking organization. When law enforcement comes to investigate, that person knows nothing."

Now, Drift may just be the tip of the iceberg.

If the Drift incident reveals a vulnerability in a single protocol, subsequent investigations point to a larger issue: the same methods may have been operating across the entire DeFi ecosystem for years.

According to blockchain researcher Tayvano's investigation, since the rapid expansion of DeFi in 2020, code contributions associated with North Korean IT workers have spread across several well-known projects, including SushiSwap, THORChain, Harmony, Ankr, and Yearn Finance.

The methods used by these individuals are strikingly similar to those in the Drift incident: using forged identities, obtaining development roles through freelance platforms and direct contacts, entering Discord channels, developer communities, and even attending developer meetings. Once inside the project, they contribute code, participate in development cycles, and build trust with the team until they understand the entire protocol architecture and wait for the right moment to act.

Steven believes that in traditional intelligence agencies, they can even lie in wait for a lifetime, with the next generation continuing the unfinished tasks of the previous generation. For them, Web3 projects are short-term with high returns, and the nature of remote work allows one person to hold multiple roles across various projects, which is quite common in the Web3 industry and does not raise suspicion.

"The North Korean hacker organization includes all Web3 projects in their attack scope, carefully screening each project and gathering information on team members. Their understanding of the projects is clearer than that of the project teams themselves," Steven said. The reason Web3 has become a primary target is that this ecosystem has a large amount of funds, lacks unified global regulation, and the prevalence of remote work often makes it impossible to verify the true identities of collaborators and employees. Additionally, the generally young and inexperienced nature of practitioners provides an ideal infiltration environment for North Korean intelligence agencies.

Hacking incidents are common; can project teams only sit and wait?

Looking back at major incidents in recent years, social engineering has always been a core tactic of North Korean hacker groups. Recently, Binance founder CZ's memoir "Binance Life" was released, recounting the incident in May 2019 when Binance was hacked for 7,000 bitcoins. According to CZ, the hackers first infiltrated the laptops of several employees using advanced malware, then implanted malicious commands during the final step of the withdrawal process, stealing all 7,000 bitcoins from the hot wallet at 1 AM (worth approximately $40 million at the time). CZ wrote in the book that, based on the attack methods, the hackers had been lurking in the Binance network for some time and were highly suspected to be from North Korea's Lazarus, possibly even bribing internal employees.

The 2022 Ronin Network incident is also a classic case. Ronin is the sidechain behind the popular blockchain game Axie Infinity, responsible for handling all cross-chain transfers of in-game assets, with a large amount of locked funds at the time. The attack was triggered when a developer received a seemingly high-paying job offer from a well-known company and downloaded a file containing malware during the interview process, allowing the attackers to gain internal system access and ultimately steal $625 million.

The 2023 CoinsPaid incident employed almost identical tactics. CoinsPaid is a service provider for cryptocurrency payments, and the attackers similarly approached employees through a forged recruitment process, inducing them to install malware before infiltrating the system. More recent hacking methods have become even more diverse: forged video calls, compromised social accounts, and malware disguised as meeting software.

Victims received seemingly normal Calendly meeting links, and upon clicking, were guided to install a fake meeting application, allowing the malware to steal wallets, passwords, recovery phrases, and communication records. It is estimated that through such methods, North Korean hacker groups have stolen over $300 million.

At the same time, the ultimate destination of the stolen funds is also worth noting. Steven stated that the stolen funds ultimately fall under the control of the North Korean government. Money laundering is carried out by a specialized team within the organization, which sets up mixers and opens accounts with fake identities at numerous exchanges, following a complete and complex process: the funds are cleaned through mixers immediately after being stolen, then exchanged for privacy coins, and subsequently transferred across different DeFi projects, circulating repeatedly between exchanges and DeFi.

"The entire process is completed within about 30 days, and the final funds end up in casinos in Southeast Asia, small exchanges that do not require KYC, and OTC service providers in Hong Kong and Southeast Asia, where they are cashed out."

So, in the face of this new threat model, where the adversaries are not only attackers but also participants, how should the crypto industry respond?

Steven believes that project teams managing large amounts of funds should hire professional security teams, establish dedicated security positions within the team, and ensure that all core members strictly adhere to security protocols. It is especially important that development devices and devices responsible for financial signatures are strictly physically isolated. He specifically mentioned that a key issue in the Drift incident was the cancellation of the time-lock buffer mechanism, "which should never be canceled at any time."

However, he also admitted that if North Korean intelligence agencies truly want to infiltrate deeply, even rigorous background checks would be difficult to fully identify. But bringing in security teams is still crucial. He suggested that project teams introduce blue teams (the defensive side in cyber offense and defense), as blue teams can not only assist in enhancing the security of devices and behaviors but also continuously monitor key nodes, allowing for immediate detection and response to attacks in case of abnormal fluctuations. "Relying solely on the project team's own security capabilities is insufficient to withstand this level of attack."

He added that North Korea's cyber warfare capabilities rank among the top five in the world, second only to the United States, Russia, China, and Israel. In the face of such adversaries, relying solely on code audits is far from enough.

Conclusion

The Drift incident proves that the greatest threats facing DeFi today are not just market conditions or liquidity; in terms of security, it is not only about preventing code vulnerabilities, as spies may be hiding right next to you.

When attackers are willing to spend six months and invest millions of dollars to cultivate a relationship, traditional code audits and security defenses are simply inadequate. Moreover, according to existing investigations, this set of tactics may have been operating in multiple projects for years, just not yet discovered.

Whether DeFi can maintain decentralization and openness is no longer the core issue; the real question is: can it resist the infiltration of those well-packaged adversaries while remaining open?
