North Korean Operatives Shift to In-Person Tactics in $285 Million Drift Protocol Heist

North Korean government-backed hacking groups have transitioned from remote operations to sophisticated in-person social engineering, as evidenced by a $285 million exploit of the Drift Protocol. According to a report from TRMLabs, the attack involved months of face-to-face meetings between North Korean proxies and protocol employees, marking an unprecedented shift in the regime's cyber-campaign tactics. The report highlights that the DPRK and Lazarus groups are now responsible for approximately 76% of all cryptocurrency losses in 2026, totaling nearly $600 million. Analysts suggest the campaign has become 'sharper' and more precise, with cumulative thefts attributed to North Korea exceeding $6 billion since 2017. Beyond Drift, other protocols have fallen victim to similar or complementary tactics. Wasabi Protocol suffered a $4.5 million loss via a compromised deployer key, while KelpDAO was hit for $292 million due to a single-verifier flaw. While the Drift proceeds were moved cautiously into ETH, the KelpDAO funds were laundered rapidly through Chinese intermediaries using the 'TraderTraitor' playbook. The systemic fallout from these breaches has been severe. The KelpDAO exploit triggered a broader contagion across the decentralized finance (DeFi) sector, leading to $13 billion in exits from various lending platforms. Aave was particularly hard hit, losing $8.54 billion in deposits over a 48-hour period. This liquidity crunch left Aave with a $200 million bad-debt crisis, which industry participants are currently attempting to resolve through $300 million in pledges.