North Korean State Actors Pivot to In-Person Social Engineering in Massive DeFi Heists

Apr 09, 2026 13:05 UTC
SOL, USDC
Short term

State-backed hackers from North Korea have evolved their tactics, utilizing in-person networking and fake identities to orchestrate a $285 million exploit on the Drift decentralized exchange. The shift toward physical social engineering marks a dangerous escalation in the DPRK's efforts to fund its weapons programs through cryptocurrency theft.

  • Drift DEX suffered a $285 million exploit via social engineering
  • Hackers utilized in-person networking at industry conferences to build trust
  • Fake CarbonVote Token (CVT) used to manipulate collateral and withdraw USDC
  • Bybit previously lost $1.4 billion in a similar state-backed attack
  • DPRK IT worker networks generate ~$1 million monthly via fake identities
  • Funds are allegedly diverted to North Korean weapons and missile programs

The decentralized finance (DeFi) ecosystem is facing a sophisticated new threat as North Korean state-sponsored hackers move beyond remote cyberattacks to in-person infiltration. A recent $285 million exploit on the Solana-based decentralized exchange (DEX) Drift highlights a strategic shift toward high-touch social engineering to bypass traditional security perimeters.

According to Drift and blockchain forensics firm TRM Labs, attackers posed as a quantitative trading firm, engaging protocol contributors at multiple international industry conferences over a six-month period. This tactic allowed the operatives to build trust and manufacture credibility before executing the heist, marking a departure from previous methods that relied solely on virtual calls and remote work.

The exploit involved the deployment of the CarbonVote Token (CVT), which was used to simulate demand and deceive oracles into accepting it as legitimate collateral. By manipulating multisig signers through social engineering, the attackers increased withdrawal limits and drained real assets, including USDC. This follows a larger $1.4 billion hack on the Bybit exchange, also attributed to the same state-backed actors.

Beyond one-off exploits, a broader network of North Korean IT workers is reportedly embedding themselves within tech and crypto firms using falsified identities. These operatives generate an estimated $1 million monthly, with funds routed through Chinese bank accounts. The UN Security Council has repeatedly warned that these illicit revenues are used to finance the DPRK's ballistic missile and weapons programs, including recent tests of electromagnetic weapons and the Hwasong-11 missile.
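An added illustrative model, not Drift's own code, of the two protocol controls the heist described above had to defeat: crediting a token as collateral on the strength of an oracle price that self-generated trading can inflate, and raising a withdrawal limit on a multisig's approval alone. All names, thresholds and figures below are constructed assumptions.

```python
"""Illustrative model (added here, not Drift's code) of collateral crediting
and withdrawal-limit changes. Names and numbers are constructed."""
from dataclasses import dataclass


@dataclass
class Market:
    symbol: str
    oracle_price: float        # USD price reported by the oracle feed
    reported_volume: float     # 24h on-chain volume (attacker can wash-trade this)
    external_liquidity: float  # USD liquidity the protocol verifies independently


def naive_collateral_value(m: Market, amount: float) -> float:
    """Weak control: any oracle-priced token is credited at full spot value,
    so simulated demand that props up the oracle price props up borrowing power."""
    return amount * m.oracle_price


def hardened_collateral_value(m: Market, amount: float, haircut: float = 0.5) -> float:
    """Credit no more than a haircut of independently verified liquidity.
    reported_volume is deliberately ignored: the token issuer controls it."""
    return min(amount * m.oracle_price, m.external_liquidity * haircut)


@dataclass
class WithdrawalLimitChange:
    old_limit: float
    new_limit: float
    signers_approved: int
    seconds_pending: int


def limit_change_allowed(c: WithdrawalLimitChange, threshold: int = 3,
                         timelock: int = 172_800, max_multiplier: float = 2.0) -> bool:
    """Even a fully signed change must wait out the timelock and stay within a
    bounded step, so signers talked into approving it cannot open the vault at once."""
    return (c.signers_approved >= threshold
            and c.seconds_pending >= timelock
            and c.new_limit <= c.old_limit * max_multiplier)


# Constructed scenario: a fresh token with inflated on-chain volume but thin real liquidity.
CVT = Market("CVT", oracle_price=10.0, reported_volume=50_000_000.0,
             external_liquidity=200_000.0)
```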
