Experts Call the Drift Attack a Paradigm Shift in Hacker Tactics

The Drift Protocol breach has turned out to be a sophisticated operation involving real-world intermediaries and a cover story that lasted for months. Analysts have broken down the incident, pointing to deep infiltration by North Korean agents within the DeFi

The incident involving the decentralized exchange Drift has exposed new methods used by cybercriminals. Industry researchers studied the attack mechanics and concluded that North Korean groups are systematically embedding themselves into crypto projects as legitimate employees.

Who Orchestrated the Attack and How

The attack is highly likely linked to the AppleJeus group, an affiliate of North Korea—the same group behind the Radiant Capital breach in 2024.

At Drift, attackers spent six months building rapport with the team by posing as a trading fund. They met face-to-face at conferences, deposited $1.000 M, and eventually compromised contributor devices through a malicious repository and a fake iOS app.

They Are Already Embedded in Other Teams

Researcher Tay, who was directly involved in the investigation, said she initially expected standard social engineering. The sheer depth of the operation and the number of personas involved changed her perspective.

"This leads me to believe the group is already holding several other teams on the hook in a similar way," she wrote.

Tay also noted that North Korean IT workers have been building protocols known and used by the community since the DeFi Summer era.

"Seven years of blockchain experience on a resume isn't a lie," she emphasized.

One user shared their own story: their former employer nearly hired a Lazarus agent. The candidate passed all online interviews but backed out when invited to an in-person meeting. The candidate's name later appeared in a data leak tied to Lazarus structures.

"Now Lazarus is using non-North Korean individuals for in-person work," he concluded.

ZachXBT, a well-known on-chain sleuth, stressed that Lazarus isn't a single entity but a collective term for all North Korean state-sponsored cyber groups.

"Threats of varying complexity come from fundamentally different structures," he noted.

He classifies schemes involving fake job postings on LinkedIn, Zoom, or email as entry-level, where the main weapon is sheer volume.

Truly advanced attacks, he says, are consistently the work of only two actors: TraderTraitor (Bybit, DMM, Ronin, Harmony) and AppleJeus (Radiant, Drift). These groups focus on supply chain attacks, wallets, and protocol-level exploits.

How Intermediaries Are Recruited

Another contributor described the process of hiring live agents—people not from North Korea who act as the public face. According to him, these structures have internal metrics for vetting intermediaries and various recruitment pipelines, from freelance ads to building trust over months before pitching a joint venture.

"The most valuable profiles are young IT professionals with US citizenship," he highlighted.
