Author: Chloe, ChainCatcher
Last week, the Solana lending protocol Drift was hacked, resulting in the theft of approximately $285 million in user assets. According to the official statement, this was not a typical smart contract vulnerability attack, but rather a social engineering attack meticulously planned by state-sponsored hackers over a period of six months.
There is even investigative evidence suggesting that the same group of threat actors may have already infiltrated the core development of multiple DeFi protocols, not as attackers, but as contributors.
It is common for North Korean hackers to infiltrate targets early on, but they rarely invest large amounts of cash.
According to the Drift incident statement, the attackers' core strategy was to "become part of the ecosystem."
Since the fall of 2025, they posed as a quantitative trading firm and began contacting Drift's core contributors at various crypto industry conferences.
This wasn't a one-off contact, but rather a deliberate effort spanning multiple countries and conferences over six months. These individuals possessed technical expertise, verifiable backgrounds, and a thorough understanding of how Drift operated. Furthermore, their interactions extended beyond core Drift members. The team also leveraged the open mechanism of the Drift Ecosystem Vault, successfully listing their own vault as a legitimate trading company, depositing over $1 million of their own funds, participating in numerous working meetings, and raising in-depth product questions, thereby solidifying trust with the project team.

In an interview with ChainCatcher, blockchain technology expert Steven stated, "It's common for North Korean hackers to infiltrate their targets early on, but investing a large amount of cash as a foundation of trust is relatively rare. However, for the attackers, this $1 million is essentially a risk-free investment. As long as no attack is launched, the money is simply normal funds stored in a vault and can be withdrawn at any time; moreover, the actual operation is carried out by recruited, unsuspecting third-party personnel, resulting in almost no financial loss to the organization itself."

Furthermore, during the long-term collaboration with Drift, the team shared code projects and applications hosted on GitHub under the guise of showcasing their development tools. At the time, it was perfectly normal for collaborators to view each other's code. However, Drift's subsequent investigation revealed that a GitHub code project copied by one contributor contained malicious code, and that another contributor was tricked into downloading a TestFlight application disguised as a wallet product.

The reason this code-project path is so difficult to defend against is that it is completely embedded in the developer's daily workflow.
Developers almost always write code in editors like VSCode or Cursor; think of them as an engineer's Word, something used every day. However, in late 2025 the security research community discovered a serious vulnerability in these editors: when a developer opens a shared code project, malicious commands hidden within the project execute automatically in the background. The entire process is completely stealthy; no confirmation window pops up, no agreement is required, and there are no warnings. The developer thinks they are just "looking at code," but their computer has actually been implanted with a backdoor. The attackers exploited this vulnerability to hide malware inside the developer's daily routine.

By the time of the Drift attack on April 1st, the attacker team's Telegram chat logs and all traces of the malware had been completely erased, leaving only a $285 million shortfall.

Could Drift be just the tip of the iceberg?

According to an investigation by SEAL 911, an emergency security response organization in the crypto industry, this attack was perpetrated by the same group of threat actors as the Radiant Capital hack in October 2024. The connection rests on on-chain fund flows (funds used to prepare and test this operation can be traced back to the Radiant attackers) and on operational patterns (the personas deployed in this operation overlap identifiably with known North Korea-related activity). Mandiant (now part of Google), the well-known security forensics firm hired by Drift, had previously attributed the Radiant incident to the North Korean state-affiliated group UNC4736, but Mandiant has not yet officially attributed the Drift incident to them; full device forensics is still underway. Notably, the individuals who attended the meetings in person were not North Korean nationals.
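The article does not name the editor feature behind the auto-execution, so the following scanner, added here as an example and not part of the original report or of Drift's code, assumes one well-known path in VS Code-style editors: a task in `.vscode/tasks.json` marked to run on folder open. It flags such tasks in a repository before anyone opens it in an editor; the sample project it scans is constructed.

```python
import json
import os
import re
import tempfile

# Assumption, not stated in the article: one well-known auto-execution path in
# VS Code-style editors is a task in .vscode/tasks.json with
# "runOptions": {"runOn": "folderOpen"}, which starts as soon as the folder is
# opened unless Workspace Trust blocks it. Flag such tasks before opening a repo.

def _load_jsonc(path):
    # VS Code config files allow comments and trailing commas; strip them
    # (simplified: a "//" inside a string literal would also be removed).
    with open(path, encoding="utf-8") as f:
        text = f.read()
    text = re.sub(r"//[^\n]*|/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r",\s*([}\]])", r"\1", text)
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return {}

def find_auto_run_tasks(project_dir):
    # Return [(label, command line)] for every task configured to run on folder open.
    findings = []
    tasks_file = os.path.join(project_dir, ".vscode", "tasks.json")
    if not os.path.isfile(tasks_file):
        return findings
    for task in _load_jsonc(tasks_file).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
            findings.append((task.get("label", "<unlabelled>"), cmd.strip()))
    return findings

def demo():
    # Constructed sample project (not Drift's or any real repository's code).
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".vscode"))
    sample = """{
      // one normal build task and one task that fires on folder open
      "version": "2.0.0",
      "tasks": [
        {"label": "build", "type": "shell", "command": "npm", "args": ["run", "build"]},
        {"label": "setup", "type": "shell", "command": "sh", "args": ["./scripts/setup.sh"],
         "runOptions": {"runOn": "folderOpen"},},
      ]
    }"""
    with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as f:
        f.write(sample)
    return find_auto_run_tasks(root)
```

Running `demo()` reports only the `setup` task; a clean checkout with no auto-run tasks yields an empty list. Keeping Workspace Trust enabled in the editor remains the primary control; this check is a pre-open review aid.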
Steven stated, "North Korean hackers shouldn't be viewed as ordinary hacker groups, but rather as an intelligence agency—a massive organization with thousands of members and a clear division of labor. The official codename for the North Korean hacker group Lazarus in the international security field is APT38, while another affiliated group, Kimsuky, is codenamed APT43." This explains why they can deploy real people offline. They open companies overseas under various names, recruiting local personnel who are completely unaware of who they are working for. "He might think he's joined a normal remote work company, and after a year, he's sent to meet a client. Everything seems normal, but behind it all is a hacker organization. When law enforcement comes to investigate, that person knows nothing."

Today, Drift may only be the tip of the iceberg. If the Drift incident exposed a breach in a single protocol, subsequent investigations pointed to a much larger problem: the same methods may have been operating throughout the entire DeFi ecosystem for years. According to a survey by blockchain researcher Tayvano, since the rapid expansion of DeFi in 2020, code contributions associated with North Korean IT workers have been found in many well-known projects, including SushiSwap, THORChain, Harmony, Ankr, and Yearn Finance. These individuals employed methods strikingly similar to those used in the Drift incident: using forged identities, they obtained development roles through freelance platforms and direct contact, gaining access to Discord channels, developer communities, and even developer conferences. Once inside a project, they contributed code, participated in the development cycle, built trust with the team, and ultimately understood the entire protocol architecture before striking.

Steven believes that in traditional intelligence agencies, operatives can remain infiltrated for a lifetime, with the next generation even continuing the unfinished tasks of the previous one.
Web3 projects are short-term and highly profitable for them, and the remote nature of the work allows one person to hold multiple roles in multiple projects simultaneously, which is common in the Web3 industry and doesn't arouse suspicion. "North Korean hacker groups include all Web3 projects in their attack scope, carefully screening each project and collecting information on team members. They know more about the projects than the project owners themselves," Steven said.

The reason Web3 has become a primary target is that this ecosystem involves large sums of money, lacks unified global regulation, and relies on remote work to a degree that often makes it impossible to verify the true identities of partners and employees. In addition, practitioners are generally young and lack social experience. These characteristics provide an ideal infiltration environment for North Korean intelligence agencies.

With hacking incidents becoming increasingly common, are project owners left with no choice but to wait and see?

Looking back at major events in recent years, social engineering has consistently been a core tactic of North Korean hacker groups. Recently, Binance founder CZ's memoir, *Binance Life*, was released, recounting the theft of 7,000 Bitcoins from Binance in May 2019. According to CZ, the hackers first compromised several employees' laptops with a sophisticated virus, then implanted malicious commands in the final step of the withdrawal process, stealing all 7,000 Bitcoins (worth approximately $40 million at the time) from the hot wallet at 1 AM. CZ writes in the book that, based on the attack methods, the hackers had been lurking in the Binance network for some time, and he strongly suspects it was the work of North Korea's Lazarus, possibly even bribing internal employees.

The 2022 Ronin Network incident is another classic case.
Ronin is the sidechain behind the popular blockchain game Axie Infinity, responsible for handling cross-chain transfers of all assets within the game, with a massive amount of funds locked at the time. The attack originated when a developer received a seemingly high-paying job offer from a well-known company. During the interview, the developer downloaded a file containing malware, which the attackers used to gain internal system privileges and ultimately steal $625 million.

The 2023 CoinsPaid attack was almost identical. CoinsPaid is a cryptocurrency payment service provider; attackers again approached employees through a fake recruitment process, tricking them into installing malware and compromising their systems.

More recent hacking methods are more diverse: fake video calls, compromised social media accounts, and malware disguised as conferencing software. Victims received seemingly legitimate Calendly meeting links which, when clicked, led them to install a fake conferencing application. The malware then stole wallets, passwords, mnemonic phrases, and communication records. It is estimated that North Korean hacking groups have stolen over $300 million using such methods alone.

The final destination of the stolen funds is also a matter of concern. Steven stated that the stolen funds ultimately flow into the control of the North Korean government. Money laundering is carried out by a dedicated team within the organization. They operate their own mixers and open accounts on numerous exchanges using false identities, employing a complete and complex process: funds are immediately laundered through mixers upon being stolen, then converted into privacy coins, and subsequently transferred across chains through various DeFi projects, repeatedly circulating between exchanges and DeFi platforms.
"The entire process is completed in approximately 30 days, ultimately ending up in casinos in Southeast Asia, small exchanges that don't require KYC, and over-the-counter (OTC) service providers in Hong Kong and Southeast Asia, where they are cashed out."

So, facing this new threat model, where the adversary is not only an attacker but also a participant, how should the crypto industry respond?

Steven believes that projects managing large sums of money should hire professional security teams, establish dedicated security positions within these teams, and ensure that all core members strictly adhere to security regulations. Crucially, development equipment and the equipment responsible for financial signatures must be strictly physically isolated. He specifically mentioned that a key issue in the Drift incident was the removal of the time-lock buffer mechanism, "which should never be removed."

However, he also admitted that if North Korean intelligence agencies were truly intent on deep infiltration, even rigorous background checks would be insufficient to completely identify them. Introducing a security team remains vital. He recommended that project teams bring in a blue team (i.e., a defensive team in cyber warfare), as blue teams not only help improve the security of equipment and actions but also continuously monitor key nodes, allowing for immediate detection and response to any abnormal fluctuations. "Relying solely on the project team's own security capabilities is insufficient to withstand this level of attack." He added that North Korea's cyber warfare capabilities currently rank among the top five globally, after the United States, Russia, China, and Israel. Against an adversary of this caliber, code auditing alone is far from enough.
Conclusion

The Drift incident proves that the biggest threats facing DeFi today are not just market conditions and liquidity, but also security issues that go beyond preventing code vulnerabilities, because spies may be lurking nearby. When attackers are willing to spend six months and millions of dollars cultivating a relationship, traditional code audits and security defenses are simply insufficient. According to existing investigations, this method may have been operating in multiple projects for years without being discovered. Whether DeFi can maintain decentralization and openness is no longer the core issue; the real issue is: can it maintain openness while resisting the infiltration of sophisticated adversaries?