North Korea no longer cracks vaults - it befriends the guards. Ari Redbord of TRM Labs explained on Bankless that North Korean operatives now recruit Western proxies to attend conferences, join developer communities, and even make million-dollar investments in target projects.
These proxies operate as sleeper cells, gaining trust over months to access validator keys or administrative privileges. The recent $285 million hack of the Solana-based Drift Protocol took place during a planned security migration and was executed in 12 minutes. Redbord warns that these actors are likely embedded in dozens of other teams.
For North Korea, crypto theft is the economy. With virtually no exports, the state has professionalized hacking, selecting agents from childhood for STEM prowess. Over the last five years, these groups have stolen roughly $6 billion to fund weapons and regime survival. They prioritize speed over stealth, converting stolen Ethereum to Bitcoin within 72 hours via bridges like THORChain before laundering through Chinese OTC brokers.
"It’s not about coding. It’s about espionage disguised as community participation."
- Ari Redbord, Bankless
Traditional law enforcement fails against attackers in Pyongyang. Redbord argues the focus must shift from arrests to asset forfeiture. He advocates for 'cyber letters of marque' - commissions authorizing private hackers to hunt and seize stolen funds for a bounty. This incentivizes private sector speed against government bureaucracy.
International coordination through groups like the Beacon Network, which includes Coinbase and Binance and works with 70 law enforcement agencies, aims to block stolen funds in real time. The precedent exists: the $15 billion seizure from the Chen Zhi pig-butchering ring used a whole-of-government approach combining a DOJ indictment, OFAC sanctions, and FinCEN actions.
The goal is to build a perimeter where off-ramping stolen crypto becomes impossible.
