north

According to Cryptopolitan, cybersecurity analysts have discovered a new type of fileless remote access trojan (RAT) named RemotePE. It is believed that the cybercrime organization Lazarus Group, associated with North Korea, is using this trojan to attack banks and cryptocurrency companies. The trojan operates entirely in memory, making it difficult for traditional antivirus and forensic tools to detect. Attackers impersonate trading company employees via Telegram, using forged Calendly and Picktime links for social engineering attacks. The malware is loaded in a three-stage chain through DPAPILoader, RemotePELoader, and RemotePE, with the entire process avoiding contact with the file system, utilizing process hollowing, anti-analysis checks, and encrypted C2 communication to evade detection.This malware was first discovered in September 2025. In the first four months of 2026, the Lazarus organization has stolen approximately $577 million in cryptocurrency assets, accounting for 76% of the total global cryptocurrency theft. Since 2017, the organization has accumulated a total theft amount of $6 billion.

According to a report by Cointelegraph, a report released by cybersecurity company CrowdStrike shows that losses from cryptocurrency assets caused by North Korean hackers and threat actors exceeded $2 billion in 2025, a 51% increase year-on-year, despite a decrease in the number of attacks. CrowdStrike stated that North Korean hackers are the largest threat organization targeting cryptocurrency users, and the stolen funds are almost certainly used to finance the regime's military programs.Attackers prioritize high-value targets, mainly focusing on Web3 projects and cryptocurrency exchanges, as stolen funds are easier to cash out and transfer anonymously. In April of this year, the Ethereum Foundation identified 100 North Korean hackers, and the Drift Protocol was infiltrated by North Korean tech workers, resulting in a loss of $280 million, with these threat actors establishing face-to-face relationships through third-party intermediaries.

Web3 security company CertiK has released the "Skynet North Korea Cyber Threat Report." The data shows that since 2016, North Korean hacker groups have plundered approximately $6.75 billion in digital assets. In 2025 alone, the losses from thefts they orchestrated reached as high as $2.06 billion, accounting for nearly 60% of the total losses in the global cryptocurrency industry for the entire year (including the $1.5 billion Bybit theft case). As of early 2026, this threat trend continues, with losses accounting for about 55%.The report emphasizes that the attack patterns of North Korean hackers have undergone a fundamental shift, evolving from simple code vulnerability exploitation to a national-level attack system that combines social engineering, deep supply chain attacks, and "physical infiltration." In the recent Drift protocol incident, attackers even spent six months lurking at offline industry conferences, establishing trust through real funds and interpersonal interactions before executing their attack.CertiK security experts warn that in the face of such systemic attacks, simple technical defenses have become weak. Cryptocurrency institutions urgently need to fully implement a "zero trust" hiring model, strengthen third-party supply chains, establish fund circuit breaker mechanisms, and collaborate with professional security organizations to build a comprehensive lifecycle defense system covering code audits, round-the-clock risk monitoring, and on-chain anti-money laundering/KYT (Know Your Transaction) fund tracking.

U.S. Manhattan Federal Court Judge Margaret Garnett approved Aave's asset recovery plan following the rsETH attack incident, allowing approximately $71 million in ETH that had previously been frozen on Arbitrum to be transferred to a wallet controlled by Aave.Court documents show that this decision modifies a prior injunction against the Arbitrum DAO, allowing the community to complete the ETH transfer through on-chain governance voting, while exempting participants in the voting and execution of the transfer from related legal liabilities. This incident stems from the rsETH attack that occurred in April, which has been widely attributed to the Lazarus Group, linked to North Korea. Previously, lawyers representing the families of North Korean terrorism victims had sought to freeze the related assets and attempted to include them in the compensation for an outstanding judgment of approximately $877 million.The Arbitrum community has shown strong support in a Snapshot temperature check vote for returning the frozen ETH to Aave's recovery plan, but the actual transfer still requires formal approval through on-chain governance. Reports indicate that this case is also part of the U.S. plaintiffs' efforts to recover crypto assets associated with North Korea. In addition to Arbitrum, the plaintiffs had previously sued the privacy protocol Railgun DAO and listed Digital Currency Group (DCG) as one of the defendants, accusing it of participating in related governance and economic activities.

According to research by OpenSourceMalware, the North Korean hacker group Lazarus has adopted new techniques in malicious activities targeting developers, such as "infectious interviews" and "TaskJacker," hiding the second-stage loader in the pre-commit scripts of Git Hooks. "Infectious interviews" is a series of attack activities where the organization lures developers into cloning malicious code repositories by faking recruitment processes in the cryptocurrency/DeFi field, ultimately stealing crypto assets and credentials.Researchers recommend that developers who are asked to clone code repositories as part of the interview process should be wary of such risks and preferably run in an isolated environment to avoid mounting personal browser configurations, SSH keys, and cryptocurrency wallets.

According to FinanceFeeds, the victim's lawyer from North Korea attempted to redefine the rsETH attack incident that occurred on Aave as "fraud" rather than "theft" before a hearing at the Manhattan federal court, in order to maintain a freeze order on assets worth $71 million in ETH.The lawyer argued that the attacker borrowed assets using worthless collateral and did not repay, which constitutes a fraudulent loan transaction, aiming to use these frozen assets to pay for terrorism judgment compensation under the Terrorism Risk Insurance Act.Previously, hackers associated with the Lazarus Group minted unsecured rsETH through a cross-chain bridge vulnerability and borrowed approximately $230 million in assets from Aave, of which $71 million was intercepted by Arbitrum developers. The victim's lawyer also questioned Aave's standing, pointing out that its terms of service state it does not have control over user assets. Additionally, DeFi United has raised $327 million, exceeding the amount in dispute.

According to CoinDesk, Drift Protocol has announced a user recovery plan for the approximately $295 million security breach on April 1, attributed to a North Korean-backed hacker group.The core of the recovery plan is to issue receipt tokens representing verified user losses, with each token representing $1 of verified loss, which holders can redeem based on the value of the recovery pool accumulated over time. The initial funding for the recovery pool is approximately $3.8 million, and it is expected to grow through exchange revenue of up to $127.5 million, Tether support, and up to $20 million from partners, until it covers the total loss of approximately $295.4 million.Drift has frozen about $3.36 million USDC and launched a public bounty to recover 10% of the assets. Drift plans to relaunch on a "security-first" exchange in the second quarter. Legal recovery efforts are still ongoing.

According to CoinDesk, Ripple announced on Monday that it will share its internal intelligence on North Korean hackers with the cryptocurrency industry threat intelligence sharing organization Crypto ISAC to help businesses identify coordinated infiltration actions.This move comes against the backdrop of a recent shift in attack patterns faced by the cryptocurrency industry. Ripple stated, "The strongest crypto security posture is a shared posture. A threat actor who has not passed a background check at one company may submit resumes to three other companies in the same week. Without shared intelligence, each company starts from scratch."

According to The Block, North Korea has denied allegations of its involvement in cryptocurrency theft, calling the claims "absurd defamation" and a "political tool." The statement was released by state media, emphasizing that necessary measures will be taken to safeguard national interests.However, data from blockchain analysis firm TRM Labs shows that hacker groups associated with North Korea have stolen approximately $577 million, accounting for about 76% of global cryptocurrency theft losses during the same period. This includes two major attack incidents on KelpDAO (approximately $292 million) and Drift Protocol (approximately $285 million).TRM pointed out that the related attacks are mainly associated with the Lazarus Group and its sub-organizations. Since 2017, the cumulative scale of cryptocurrency theft linked to North Korea has exceeded $6 billion. U.S. and international agencies generally believe that such funds are used to support military and missile programs. Meanwhile, the U.S. Treasury has recently imposed sanctions on related individuals and entities, involving approximately $800 million in illegal fund flows for 2024.

MegaETH executive PaperImperium disclosed on platform X that documents from the U.S. District Court for the Southern District of New York show that the U.S. court has issued an injunction to Arbitrum DAO, prohibiting it from transferring approximately $71 million in ETH assets that were frozen during the KelpDAO hacking incident. The plaintiffs are attempting to use these funds to enforce unpaid judgment compensation related to North Korea's involvement in terrorism, kidnapping, and other cases over the years, and have applied to issue legal notice to Arbitrum DAO through alternative service, treating it as a "partnership organization" that can be held accountable.The court documents also indicate that Arbitrum DAO has a Security Council governed by ARB holders, which has the ability to take action in emergencies. Therefore, if relevant members refuse to cooperate, they may face legal liabilities such as contempt of court. The market believes that this case may become an important precedent for the U.S. judicial system directly constraining DAO governance structures and further highlights the compliance pressure on DeFi protocols within the real legal framework.

MegaETH supervisor PaperImperium disclosed on platform X that documents from the U.S. District Court for the Southern District of New York show that the U.S. court has issued a restraining order to Arbitrum DAO, prohibiting it from transferring approximately $71 million in ETH assets that were frozen during the KelpDAO hacking incident.The plaintiffs are attempting to use these funds to enforce unpaid judgment compensations related to North Korea's involvement in terrorism, kidnapping, and other cases over the years, and have applied to serve legal notice to Arbitrum DAO by alternative means, treating it as a "partnership organization" that can be held accountable. The court documents also indicate that Arbitrum DAO has a Security Council governed by ARB holders, which has the ability to take action in emergencies; therefore, if relevant members refuse to cooperate, they may face legal liabilities such as contempt of court. The market believes that this case may become an important precedent for the U.S. judicial system directly constraining DAO governance structures and further highlight the compliance pressures DeFi protocols face within real legal frameworks.

According to the latest report from TRM Labs, North Korean hackers stole nearly $600 million worth of cryptocurrency in the attacks on Drift Protocol and Kelp DAO, accounting for 76% of the total losses. TRM Labs estimates that since 2017, hackers associated with North Korea have stolen over $6 billion from cryptocurrency protocols and projects.The report shows that the share of losses caused by North Korean hackers in global cryptocurrency hacking attack losses has increased from less than 10% in 2020 and 2021 to 22% in 2022, 37% in 2023, 39% in 2024, and 64% in 2025.

North Korean hackers had months of offline contact and infiltration with employees of Drift Protocol before launching one of the largest social engineering attacks in the history of the cryptocurrency industry, resulting in a loss of approximately $285 million.Data from blockchain security company TRM Labs shows that North Korean hackers have accounted for 76% of all cryptocurrency hacking losses in 2026 to date.

The latest report from blockchain intelligence agency TRM Labs shows that approximately 76% of global cryptocurrency hacking losses are related to organizations associated with North Korea, with a total stolen amount of about $577 million.North Korea's share of global crypto theft continues to rise: 22% in 2022, 37% in 2023, 39% in 2024, rising to 64% in 2025, and further increasing to 76% in 2026. Since 2017, the total illegal profits have exceeded $6 billion. The report points out that these losses mainly stem from two major incidents in April: a $292 million attack on KelpDAO and a $285 million theft from Drift Protocol, with the two attacks accounting for about 3% of all hacking incidents during the same period.

According to a research report by cybersecurity company Expel, it is tracking a highly assessed APT organization supported by North Korea (DPRK) called "HexagonalRodent," which primarily targets Web3 developers and specializes in stealing high-value digital assets such as cryptocurrencies and NFTs.The organization mainly conducts attacks by forging job postings—posting high-paying positions on LinkedIn and Web3 recruitment platforms to lure job seekers into completing "skills tests" embedded with malicious code, using the tasks.json feature of VSCode to automatically execute malicious programs when victims open project folders. The malware used includes BeaverTail, OtterCookie, and InvisibleFerret, which have capabilities for password theft, remote control, and reverse shell.It is noteworthy that the organization heavily utilizes generative AI tools such as ChatGPT and Cursor to develop malware, build fake company websites, and create AI-generated executive teams, even registering shell companies in Mexico to enhance the credibility of their attacks

According to CoinDesk, monitoring by CertiK reveals that the Lazarus Group is conducting an attack operation named Mach-O Man targeting executives in the fintech and cryptocurrency industries. This operation utilizes ClickFix social engineering techniques, sending fake online meeting invitations to lure victims into pasting repair commands on their Mac terminals, thereby gaining access to company and financial systems.CertiK researcher Natalie Newson stated that the Lazarus Group has stolen over $500 million through attacks on Drift and KelpDAO in the past two weeks. Mach-O Man is a modular macOS malware toolkit developed by the Chollima division of the Lazarus Group, capable of automatically deleting itself after use to evade detection.Additionally, attackers have implemented this attack by hijacking DeFi project domain names and replacing them with fake Cloudflare messages.

The Ethereum Foundation recently released a summary report on the ETH Rangers security project, revealing that during a 6-month security funding program, researchers identified approximately 100 suspected state-sponsored cyber operatives, including infiltrators from North Korea, who have been active in multiple Web3 projects.The report indicates that relevant investigations were advanced through projects like the "Ketman Project," where researchers issued warnings to about 53 blockchain projects, revealing that these individuals infiltrated development teams under false identities and participated in fund flows and technical positions. Meanwhile, some related funds have been frozen, amounting to hundreds of thousands of dollars. The security team also incorporated relevant intelligence into the threat analysis system for the Lazarus Group and disclosed it at security conferences such as DEF CON, showing that state-level cyber attacks are continuously infiltrating the infrastructure of the cryptocurrency industry.In terms of overall results, the program has frozen or recovered over $5.8 million in funds, reported or documented over 785 vulnerabilities, and handled 36 security incidents, indicating that the security threats currently faced by the Ethereum ecosystem have escalated from simple vulnerability attacks to systemic risks involving state-level actors. Additionally, the report points out that North Korean hackers have also infiltrated projects through methods such as "remote IT workers," involving various attack paths such as account takeovers, freelancing platform infiltrations, and fund transfers, making them a key target for industry prevention.The Ethereum Foundation emphasizes that the security of decentralized networks requires "decentralized defense" and will continue to support security research, threat intelligence, and talent development to address the escalating state-level cyber threats.

According to Cointelegraph, the Ethereum Foundation stated that its funded Ketman project identified 100 North Korean IT personnel lurking in Web3 organizations within six months and issued alerts to about 53 projects, indicating that they may have employed related personnel.The project focuses on the issue of "fake developers" in the cryptocurrency industry and is part of the ETH Rangers public safety funding program. Ketman also developed an open-source detection tool for identifying suspicious GitHub activity and collaborated with the Security Alliance to create an industry identification framework for recognizing North Korean IT personnel.

According to data from TheMinerMag, in the first quarter of 2026, publicly listed Bitcoin mining companies including MARA, CleanSpark, Riot, Cango, Core Scientific, and Bitdeer collectively sold over 32,000 BTC, surpassing the total amount sold throughout last year and even exceeding the sell-off levels triggered by the Terra-Luna collapse in Q2 2022, setting a "new record for a single quarter."The backdrop of this sell-off is the key metric for measuring miner profitability, "hashprice," which has fallen to a historical low of below $35 per PH/s per day, with about 20% of miners already in the red. Asset management firm CoinShares stated in its report: "Unless the BTC price rebounds significantly, high-cost miners will further capitulate in the first half of 2026."

The crypto wallet Zerion disclosed that North Korean hackers are using AI for long-term social engineering attacks, stealing approximately $100,000 from the company's hot wallet.Zerion confirmed that user funds, applications, and infrastructure were not affected, and has proactively disabled the web application as a precaution. Zerion also stated that the attackers obtained some session and credential information from team members who were logged in, as well as the private keys of the company's hot wallet, and pointed out that AI is changing the way cyber threats operate.