North Korean crypto fraud

quote:

---

They stole 285million in less than 20 minutes…

---

quote:

---

For the second year in a row, North Korea’s vast cryptocurrency hacking operation has broken its own record, stealing $2.02 billion in 2025, new research says.

A report published Thursday by the blockchain watchdog company Chainalysis found that North Korea broke its own record of $1.3 billion in hacked and stolen crypto like bitcoin and ethereum. That brings the country’s total stolen crypto to around $6.75 billion, the report said. The total amount of stolen crypto around the globe rose to $3.4 billion.

A significant chunk of that comes from the hack of the Dubai-based cryptocurrency exchange Bybit this year. The hackers — who worked for North Korea’s elite government hacking squad, according to the U.S. Secret Service — stole around $1.5 billion, mostly in ethereum, in February, Bybit’s CEO said.

Chainalysis is one of a growing number of companies that map out the sprawling network of cryptocurrency transactions, including tracing hacked funds as they’re laundered by criminals.

---

quote:

---

Part of the theft is most likely due to the increasingly common phenomenon of North Korean hackers’ fraudulently obtaining remote technical jobs with international companies, the report said. That access can put them in positions to give their hacker colleagues a foothold to steal cryptocurrency keys and wire crypto to Pyongyang.


But no country has an alleged operation like North Korea’s, whose hackers working directly for the government routinely steal such large sums from companies around the world.

---

quote:

---

Step 1: Create a Fake Token (March 11–23)
Three weeks before the heist, the attackers withdrew 10 ETH from Tornado Cash—a crypto mixing service—at around 9:00 AM Pyongyang time. They used it to deploy a fictitious token called CarbonVote (CVT). They minted 750 million units, seeded a few thousand dollars in liquidity on Raydium, and ran wash trades to build a fake price history near $1.[1]

Drift’s oracles accepted CVT as valid collateral. No minimum liquidity threshold. No time-weighted price validation. The fake token looked real enough for the protocol to treat it as worth hundreds of millions.

Step 2: Trick the Multisig Signers (March 23–30)
Drift’s Security Council—a five-member multisig—controlled the protocol’s admin functions. The attackers social-engineered at least two signers into pre-signing transactions that looked routine but contained hidden authorizations for critical admin actions.[1][3]

The key trick: durable nonces. Normal Solana transactions expire after a few minutes if not executed. But durable nonce accounts replace the expiring blockhash with a fixed code that keeps the transaction valid indefinitely. The attackers got signatures on transactions that sat dormant for over a week.[3]

Step 3: Remove the Last Safety Net (March 27)
Drift migrated its Security Council to a zero-timelock configuration. This meant approved transactions could execute instantly—no delay, no review period. TRM Labs called this “the protocol’s last line of defense.”[1]

It was gone before the attackers even pulled the trigger.

---

quote:

---

Outsourced Laundering ("The Chinese Laundromat")

OTC Brokers: North Korea rarely interacts directly with regulated, mainstream exchanges. Instead, they transfer stolen funds to a network of specialized, "rogue" over-the-counter (OTC) brokers.
Underground Banking: These brokers, often based in Southeast Asia and specializing in Chinese Yuan (CNY) settlement, purchase the stolen crypto at a discount and handle the off-chain settlement.
Mirror Payments: Intermediaries use complex methods like mirror payments (trade-based laundering) to settle transactions in fiat without leaving a blockchain trail.

---