Kim Jong-Un's Crypto Side Hustle: How North Korea Became the Unwanted Whale of the Blockchain

North Korea's crypto theft isn't just another state-backed hacking operation — it's a matter of economic survival. And that makes the regime uniquely dangerous to the crypto ecosystem. While Russia and Iran still have economies to prop up — oil exports, trading partners, goods to move — North Korea has almost nothing left. Comprehensive international sanctions have gutted its ability to sell anything internationally. That's why, according to security experts, North Korea treats crypto differently than any other sanctioned nation.

"Russia needs crypto as a payment rail, but not for much else. Iran has goods to move — sanctioned oil, proxy financing networks. North Korea needs direct revenue," said Dave Schwed, chief operating officer at SVRN and founder of the cybersecurity masters program at Yeshiva University. "Crypto theft gives them immediate access to liquid value, globally, without needing a counterparty willing to do business with them."

That urgency explains why North Korean hackers carry out large-scale, traceable heists on public blockchains instead of quietly using crypto to evade sanctions the way other state actors do. The UN and multiple intelligence agencies have confirmed that crypto theft is a primary funding mechanism for North Korea's nuclear and ballistic missile development.

The distinction is critical: Russia and Iran treat crypto as infrastructure — a means to broader geopolitical ends. North Korea treats the ecosystem itself as the target. These aren't just ransomware gangs with a flag emoji in their Telegram bio — they're literally yanking liquidity from protocols to keep the missile program funded while the rest of us argue about tokenomics on Twitter.

"Their targets are exchanges, wallet providers, DeFi protocols and the individual engineers and founders who have signing authority or infrastructure access," said Alexander Urbelis, chief information security officer at ENS Labs and a professor of cybersecurity at King's College London. "The victim is whoever holds the keys."

That singular focus has pushed North Korean operatives to adopt tactics more commonly associated with intelligence agencies than criminal hackers: months-long relationship building, fabricated identities, and supply chain infiltration. Their six-month campaign targeting crypto platform Drift is just the latest example. We're not talking about some guy in a basement spamming phishing links — this is state-level social engineering with more patience than a validator waiting for finality during congestion.

"You're not defending against a phishing email from a random scammer," Urbelis said. "You're defending against someone who spent six months building a relationship specifically to compromise one person who has the access you need to protect."

Crypto's architecture makes it a uniquely attractive hunting ground. Unlike traditional finance, where compliance checks and settlement delays can block or reverse fraudulent transfers, crypto transactions are final once confirmed. The Bybit exploit last year moved $1.5 billion in roughly 30 minutes — a pace that would be nearly impossible in traditional banking. In TradFi, someone might actually answer the phone. In crypto, the code is law until it's your funds flying out the window.

In crypto, the window to freeze funds or reverse a wire barely exists. Stopping an attack before it happens isn't just preferable — it's essentially the only option. The blockchain doesn't have a customer service number, and your $50 million in ETH isn't getting recovered by filing a ticket.

"This is the hardest operational security problem in crypto right now," Urbelis said. "I don't think the industry has solved it."