Executive Summary
Augur is tracking a growing number of campaigns targeting decentralized finance organizations through smart contract manipulation, blockchain-native malware, and social engineering at the human trust layer. As traditional financial institutions harden their digital perimeters, North Korean (DPRK) state-sponsored actors have pivoted almost entirely towards decentralized finance (DeFi) targets, where the lack of central regulation and the speed of blockchain transactions provide a high-velocity path to payouts for threat actors. Unlike traditional cyber espionage, these operations are often months-long and surgical, designed to wear down targeted employees and then steal assets within minutes of initial access.
Augur Provides Unique Insight on Infrastructure
Augur made this research possible by exposing the infrastructure layer behind DPRK DeFi operations before the intrusions were publicly announced. Rather than relying on post-incident indicators, the analysis used Augur’s CIDR-based clustering to track long-lived staging environments, infrastructure reuse, and provider tendencies across multiple North Korean campaign lines. That visibility made it possible to identify links between clusters years before the associated toolsets and intrusions became publicly known, indicating that DPRK-aligned operations against the sector were not isolated events but part of a durable, trackable campaign. The report identifies the infrastructure supporting these operations, as well as the tradecraft increasingly used by DPRK threat actors in DeFi campaigns.
Key Takeaways
The current threat landscape is characterized by heightened risks of identity theft, supply chain poisoning, and infrastructure hijacking. Augur's analysis of recent breaches, including the ByBit and KelpDAO infiltrations, reveals that DPRK operators are no longer primarily focused on software vulnerabilities. Instead, operators aggressively target signing workflows and the JSON-RPC nodes that govern DeFi protocol authority.
- The Primary Shift: Attackers have advanced to "logging in" through the harvesting of administrative credentials and multi-signature keys, primarily through social engineering.
- The Defensive Gap: Traditional telemetry and signal-based detection fail because they trigger post-compromise. By the time a DeFi alert is generated, the cryptographic keys have already been repurposed to drain the protocol.
- The Augur Edge: Preemptive monitoring of staging infrastructure remains the only effective method to neutralize the kill chain before it reaches the blockchain.
Background
DeFi has emerged as a primary target for financially motivated cyber operations due to its inherent liquidity and limited regulatory oversight. In contrast to traditional financial systems, DeFi platforms operate through self-executing digital agreements that run automatically when platform conditions are met. These agreements, or smart contracts, strip defenders of the review, enforcement, and recovery controls that are commonplace in traditional finance. This creates an environment where fraudulent activity is often indistinguishable from legitimate transactions. Once a malicious transaction is validated, defenders have limited recourse to track or recover stolen assets.
North Korean-linked threat groups have operationalized this targeting as a cornerstone of their new national strategy. DPRK-aligned clusters in particular have focused almost solely on crypto targets, leveraging a combination of social engineering, supply chain compromise, and blockchain-native tradecraft to gain access to high-value environments. Chainalysis tracking estimates that DPRK-linked hackers stole roughly $2.02 billion in 2025, with their cumulative total rising to about $6.75 billion in 2026. The Office of Foreign Assets Control (OFAC) has tied these crypto schemes directly to the financing of North Korea’s weapons of mass destruction and ballistic missile programs, as well as sanctions evasion activity identified in March 2026. These operations prioritize tactical speed and scalability, with rapid initial access and fund extraction occurring in minutes, ensuring that stolen capital is obfuscated and laundered before defensive intervention can occur.
State-Sponsored Actors Weaponize the Blockchain
The DeFi threat landscape is increasingly shaped by state-sponsored financial actors and their adoption of blockchain-specific tradecraft. DPRK clusters like Lazarus and UNC5142, along with successors to the APT 38 lineage such as UNC1069 and UNC5342, have been tracked using tools such as EtherHiding to exploit the DeFi trust layer; this is the first time such a method has been used by a nation-state actor. In 2024, UNC1069 (a Lazarus sub-group) executed a sophisticated social engineering campaign targeting developers at WazirX and several decentralized liquidity providers. Operators used a fake recruitment pipeline, conducting multi-stage technical interviews over Zoom and Telegram to persuade developers to download "coding assessments" that were actually customized infostealers. These payloads, designed to bypass signature-based detection and compromise multi-signature administrative workstations, gave operators full control over the chain’s contract-upgrade functions, enabling them to drain over $230 million in a single act.
DPRK financial operations thrive in the DeFi ecosystem because it lacks the inter-protocol freeze capabilities and Travel Rule enforcement found in centralized finance. Rather than struggling with costly attempts against traditional bank targets, North Korean operators have now begun leveraging cross-chain bridges and automated market makers (AMMs) to instantly swap stolen assets for unmonitored stablecoins. This pipeline was exposed in March 2026 when OFAC sanctions were expanded to include a network of automated "bridge mixers" that the DPRK used to obfuscate the origin of funds stolen from the Horizon and Ronin bridge-validator compromises. With no regulatory authority to pause or validate these transactions, actors can turn stolen crypto into untraceable, irreversible liquidity, ensuring funds remain beyond the reach of law enforcement.
Augur’s recent tracking of DPRK operations highlighted this shift: malware analysis and infrastructure telemetry indicate a change in the delivery and persistence tactics used by North Korean operators. Operators have moved beyond resource-intensive cryptojacking to blockchain-native malware, using public ledgers as an indestructible command-and-control (C2) layer. Groups like UNC5342 and UNC5142 have abandoned traditional C2 tactics in favor of EtherHiding, a technique that embeds malicious payloads within smart contract transactions on the BNB Smart Chain (BSC). The malware loader on the victim’s machine queries a specific contract address on the blockchain to retrieve its next-stage instructions, which are stored as immutable code. These on-chain packages complicate detection and response, as developers often ignore, or lack any practical opportunity, to inspect and validate hosted content before retrieval. Additionally, defenders and law enforcement cannot rely on traditional takedown mechanisms once the code is embedded in the blockchain, so operator malware remains accessible for as long as the underlying chain is.
DeFi Kill-Chain
The DeFi kill chain is a specific threat model favored by North Korean actors because it eliminates the most difficult stage of traditional cybercrime: the “cash out” process. Unlike enterprise intrusions, DPRK operators focus exclusively on the signing workflow, where the compromise of one credential is equivalent to the transfer of an asset. By compromising the cryptographic keys used to authorize protocol changes or asset transfers, operators achieve technical finality—a term describing the point at which a transaction is immutable and irreversible—within minutes of initial access. This methodology was used in the Wormhole, Ronin, and KelpDAO compromises, where the focus remained on administrative infrastructure, allowing actors to bypass perimeter security entirely.
Developer Targeting and Supply Chain Compromise
DPRK groups have industrialized the compromise of the Human Trust Layer. The ByBit and KelpDAO incidents in 2025-2026 demonstrated that the most lucrative path into a DeFi protocol is through a trusted developer’s workstation. Developers frequently maintain "hot" copies of private keys or session tokens for RPC nodes (the servers that talk to the blockchain) on their machines. Compromising these workstations gives operators a direct bypass for the protocol's on-chain defenses and moves them directly to the administrative layer, allowing them to push malicious code updates or initiate unauthorized transfers as a trusted entity.
Wallet and Smart Contract Abuse
Once an administrative workstation is compromised, DPRK actors pivot to aggressive workflow abuse. This involves bypassing the quorum, or minimum number of authorized signatures (e.g., 5 out of 9), required to move funds from a wallet. In the KelpDAO breach (April 2026), Lazarus actors did not exploit a bug in the smart contract code; instead, they used a combination of node poisoning and DDoS attacks to force the verification network to run on compromised nodes. With a majority of the nodes and wallet keys under their control, operators were able to "vote" and approve a fraudulent transfer of $290 million. Because the infrastructure surrounding the contract is the primary exploit path, operators can hijack the built-in trust of the blockchain to initiate the next stage of the kill chain: automated asset movement across networks.
Cross-Chain Movement and Extraction
The subversion of administrative credentials lets DPRK operators seamlessly transition into asset extraction. In this stage, chain environments have no built-in defenses to pause transactions once executed. Now, the lack of central regulation or transfer “cooldowns” becomes the actors' greatest advantage. Once empowered with developer keys, operators can execute automated scripts and move stolen assets across cross-chain bridges and automated market makers (AMMs), turning stolen currency into immediate, irreversible liquidity. These operations benefit greatly from this model, as the speed and finality of this tactic outpaces defender investigation and freezing efforts from law enforcement.
Case Studies
DPRK clusters demonstrate a high degree of adaptability, moving between small and large decentralized targets based on the potential for immediate liquidity. The following cases illustrate a growing trend from simple theft to system subversion of cryptographic infrastructure.
ByBit and Persistent Credential Harvesting (2025)
The Bybit heist stands as the largest documented exploit in history, executed through a multi-pronged attack on the SafeWallet infrastructure. Operators from UNC1069 (associated with Lazarus) targeted a lead developer by posing as an open-source contributor, successfully delivering a malicious Docker container that harvested AWS session tokens and hot wallet keys stored in memory. Unlike previous "smash and grab" operations, the actors maintained access for several weeks, mapping the internal signing workflows and specific workstations responsible for chain liquidity management. Rather than attacking the exchange’s core ledger, actors surgically replaced a legitimate JavaScript file within the transaction interface with a rigged version. When the CEO initiated a routine cold wallet transfer, the malicious script intercepted the request in real time, redirecting $1.5 billion in Ethereum to actor-controlled addresses while displaying a legitimate transaction confirmation to the signer.
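The ByBit case turns on a signer approving bytes that do not match the confirmation screen. The defensive counterpart is to verify the presented transaction independently of the web interface before any key is used. The following is an added example, not Augur's code and not Bybit's or Safe's tooling; it hand-decodes ERC-20 `transfer(address,uint256)` calldata and compares it with the transfer the signer intended. The selector `a9059cbb` (transfer) and `095ea7b3` (approve) are the real ERC-20 values; every address and amount below is constructed.

```python
"""Independent pre-signing check for an ERC-20 transfer (added example)."""
from dataclasses import dataclass

# First four bytes of keccak256("transfer(address,uint256)"); real value.
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")


@dataclass(frozen=True)
class TransferIntent:
    token: str   # ERC-20 contract the signer expects to call
    to: str      # recipient the signer expects
    amount: int  # raw token units


@dataclass(frozen=True)
class PresentedTx:
    to: str      # `to` field of the transaction the UI wants signed
    value: int   # native ETH attached to the call
    data: bytes  # calldata


def encode_erc20_transfer(to: str, amount: int) -> bytes:
    """ABI-encode transfer(to, amount); used here only to build samples."""
    return TRANSFER_SELECTOR + bytes(12) + bytes.fromhex(to[2:]) + amount.to_bytes(32, "big")


def decode_erc20_transfer(data: bytes) -> tuple[str, int]:
    """Decode transfer calldata by hand: selector, then two 32-byte ABI words.
    Anything that is not exactly a transfer call is rejected."""
    if len(data) != 4 + 32 + 32:
        raise ValueError("unexpected calldata length %d" % len(data))
    if data[:4] != TRANSFER_SELECTOR:
        raise ValueError("selector %s is not ERC-20 transfer" % data[:4].hex())
    word_to, word_amount = data[4:36], data[36:68]
    if any(word_to[:12]):
        raise ValueError("address word has non-zero padding")
    return "0x" + word_to[12:].hex(), int.from_bytes(word_amount, "big")


def check_before_signing(intent: TransferIntent, tx: PresentedTx) -> list[str]:
    """Return every mismatch between the intent and the presented transaction.
    An empty list means the bytes to be signed do what the signer meant."""
    problems = []
    if tx.to.lower() != intent.token.lower():
        problems.append("target contract %s != expected token %s" % (tx.to, intent.token))
    if tx.value != 0:
        problems.append("native value %d attached to a token transfer" % tx.value)
    try:
        to, amount = decode_erc20_transfer(tx.data)
    except ValueError as exc:
        return problems + ["calldata rejected: %s" % exc]
    if to.lower() != intent.to.lower():
        problems.append("recipient %s != expected %s" % (to, intent.to))
    if amount != intent.amount:
        problems.append("amount %d != expected %d" % (amount, intent.amount))
    return problems


# Constructed sample: a routine move of 1,000 tokens to a warm wallet.
TOKEN = "0x" + "aa" * 20
WARM_WALLET = "0x" + "bb" * 20
ATTACKER = "0x" + "cc" * 20
INTENT = TransferIntent(token=TOKEN, to=WARM_WALLET, amount=1_000 * 10**18)

HONEST_TX = PresentedTx(to=TOKEN, value=0, data=encode_erc20_transfer(WARM_WALLET, INTENT.amount))
# Same confirmation screen in the UI, different recipient in the bytes.
RIGGED_TX = PresentedTx(to=TOKEN, value=0, data=encode_erc20_transfer(ATTACKER, INTENT.amount))
# A different function entirely (0x095ea7b3 is the real ERC-20 approve selector).
APPROVE_TX = PresentedTx(to=TOKEN, value=0, data=bytes.fromhex("095ea7b3") + HONEST_TX.data[4:])

if __name__ == "__main__":
    for label, tx in (("honest", HONEST_TX), ("rigged", RIGGED_TX), ("approve", APPROVE_TX)):
        print(label, check_before_signing(INTENT, tx) or "OK")
```

The check deliberately refuses anything it cannot decode as a plain transfer, so an unexpected function or an extra native value is reported rather than silently passed through; the intent should come from a channel the signing workstation's browser cannot rewrite.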
KelpDAO and JSON-RPC Layer Poisoning (April 2026)
The KelpDAO breach utilized a sophisticated Man-in-the-Middle (MitM) attack targeting the protocol's network communication layer. Lazarus actors compromised the JSON-RPC endpoints used by the protocol’s front and back ends to query the blockchain status. Actors then fed the protocol forged state data, convincing the internal logic that a large-scale deposit had been verified. This data poisoning allowed the actors to trigger a matching withdrawal of $290 million from the actual liquidity pool. As decentralized finance becomes more common, the integrity of the smart contract logic is secondary to the security of the RPC layer, as compromising the infrastructure below allows actors to inject fraudulent data that the protocol must act on.
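Both the node-poisoning quorum attack described under Wallet and Smart Contract Abuse and the KelpDAO RPC poisoning above succeed because the protocol treats one view of chain state as truth. The following is an added example, not KelpDAO's, Augur's or any real protocol's code, of the check a backend can apply before acting on a deposit: query several independently operated JSON-RPC endpoints, require a two-thirds supermajority to agree on the receipt, and require confirmation depth measured against the lowest head among the agreeing endpoints. The endpoint responses are constructed dicts standing in for `eth_getTransactionReceipt` and `eth_blockNumber` results; the transaction hash, block numbers and addresses are made up.

```python
"""Cross-provider verification of on-chain state (added example)."""
from collections import Counter


def supermajority(n: int) -> int:
    """Smallest vote count >= 2/3 of n (3 -> 2, 4 -> 3, 5 -> 4, 6 -> 4)."""
    return n - n // 3


def _receipt_key(receipt):
    # Only the fields the withdrawal logic depends on; a disagreement on any
    # of them means the endpoints are not describing the same event.
    return (receipt["status"], receipt["blockNumber"], receipt["to"].lower(), receipt["value"])


def verify_deposit(tx_hash, responses, min_confirmations):
    """responses: {endpoint_name: {"receipt": dict | None, "head": int}}.
    Returns (accepted, reason, dissenting_endpoints)."""
    keyed = {name: (None if r["receipt"] is None else _receipt_key(r["receipt"]))
             for name, r in responses.items()}
    tally = Counter(keyed.values())
    best, votes = tally.most_common(1)[0]
    dissenters = sorted(n for n, k in keyed.items() if k != best)
    needed = supermajority(len(responses))
    if votes < needed:
        return False, "only %d of %d endpoints agree (need %d)" % (votes, len(responses), needed), dissenters
    if best is None:
        return False, "agreeing endpoints report no receipt for %s" % tx_hash, dissenters
    status, block, _to, _value = best
    if status != 1:
        return False, "transaction reverted", dissenters
    # Depth is measured against the lowest head among agreeing endpoints, so a
    # single endpoint claiming to be far ahead cannot inflate confirmations.
    lowest_head = min(responses[n]["head"] for n, k in keyed.items() if k == best)
    confirmations = lowest_head - block
    if confirmations < min_confirmations:
        return False, "only %d confirmations (need %d)" % (confirmations, min_confirmations), dissenters
    return True, "accepted with %d confirmations" % confirmations, dissenters


# Constructed scenarios.
TX = "0x" + "ab" * 32
VAULT = "0x" + "dd" * 20
REAL = {"status": 1, "blockNumber": 19_000_000, "to": VAULT, "value": 10**18}
FORGED = {"status": 1, "blockNumber": 19_000_000, "to": VAULT, "value": 10**24}


def scenario_poisoned():
    """Two of five endpoints are poisoned and report a million-token deposit;
    the three honest ones have never seen the transaction. Fails closed."""
    return verify_deposit(TX, {
        "rpc-a": {"receipt": FORGED, "head": 19_000_040},
        "rpc-b": {"receipt": FORGED, "head": 19_000_040},
        "rpc-c": {"receipt": None, "head": 19_000_031},
        "rpc-d": {"receipt": None, "head": 19_000_030},
        "rpc-e": {"receipt": None, "head": 19_000_032},
    }, min_confirmations=12)


def scenario_honest():
    """Four endpoints agree on the real receipt; one lags behind."""
    return verify_deposit(TX, {
        "rpc-a": {"receipt": REAL, "head": 19_000_040},
        "rpc-b": {"receipt": REAL, "head": 19_000_039},
        "rpc-c": {"receipt": REAL, "head": 19_000_040},
        "rpc-d": {"receipt": REAL, "head": 19_000_041},
        "rpc-e": {"receipt": None, "head": 19_000_010},
    }, min_confirmations=12)


def scenario_shallow():
    """Everyone agrees, but the deposit is too recent to act on."""
    return verify_deposit(TX, {
        "rpc-a": {"receipt": REAL, "head": 19_000_005},
        "rpc-b": {"receipt": REAL, "head": 19_000_005},
        "rpc-c": {"receipt": REAL, "head": 19_000_006},
    }, min_confirmations=12)


if __name__ == "__main__":
    for s in (scenario_poisoned, scenario_honest, scenario_shallow):
        print(s.__name__, *s())
```

The dissenting endpoint list is the operational output: a provider that repeatedly disagrees with the rest, or reports receipts nobody else has, is either broken or poisoned and should be rotated out and investigated.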
Drift Protocol and Oracle Collateral Manipulation (2026)
The Drift Protocol exploit was a six-month operation that relied heavily on social engineering, with the operation culminating in the creation of an entirely fictitious legal entity. Actors built a rapport with contributors of the Drift protocol over several months before tricking Drift’s Security Council into pre-signing transactions via Solana’s DurableNonce system. Unbeknownst to Drift, the actors had launched a fake token, CarbonVote Token or CVT, weeks earlier. They seeded it with 750 million worthless tokens and used wash trading to manipulate pricing systems into treating CVT as legitimate collateral. By deploying their pre-signed administrative overrides, the actors raised their own borrowing limits and "borrowed" $285 million in real assets against their valueless CVT tokens, hollowing out the liquidity pool from the inside in less than 12 minutes. Augur researchers noted this breach specifically for its deep understanding of Solana-based program logic, with the attack indicating significant technical ability in manipulating complex financial contracts.
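The Drift case combines two weaknesses: a pricing system that accepted a weeks-old, wash-traded token as collateral, and administrative approvals that stayed valid long after they were signed. The following is an added example, not Drift's program logic or Augur's code, of a risk gate a lending protocol could apply before admitting a token as collateral or raising a borrow limit. It checks listing age, divergence between the 7-day volume-weighted average price and spot, concentration of volume among a few counterparty pairs (a wash-trading signature), and the age of the authorization being executed. The trades, wallets and thresholds are constructed.

```python
"""Collateral admission gate against wash-traded tokens (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Trade:
    ts: int        # unix seconds
    price: float   # quote units per token
    size: float    # tokens traded
    buyer: str
    seller: str


def vwap(trades, start, end):
    """Volume-weighted average price over [start, end], or None if no trades."""
    window = [t for t in trades if start <= t.ts <= end]
    volume = sum(t.size for t in window)
    if volume == 0:
        return None
    return sum(t.price * t.size for t in window) / volume


def pair_concentration(trades, top_n=3):
    """Fraction of volume traded between the top_n counterparty pairs. A few
    wallets passing tokens back and forth push this toward 1.0."""
    by_pair = defaultdict(float)
    for t in trades:
        by_pair[frozenset((t.buyer, t.seller))] += t.size
    total = sum(by_pair.values())
    if total == 0:
        return 1.0
    return sum(sorted(by_pair.values(), reverse=True)[:top_n]) / total


def collateral_decision(trades, first_listed, now, spot, authorized_at, *,
                        min_age=30 * 86400, max_vwap_divergence=0.10,
                        max_pair_share=0.50, max_auth_age=7 * 86400):
    """Return (accepted, reasons). Every failed check is reported so an
    operator sees the whole picture rather than the first problem."""
    reasons = []
    if now - first_listed < min_age:
        reasons.append("listed %d days ago (min %d)" % ((now - first_listed) // 86400, min_age // 86400))
    avg = vwap(trades, now - 7 * 86400, now)
    if avg is None:
        reasons.append("no trades in the last 7 days")
    elif abs(spot - avg) / avg > max_vwap_divergence:
        reasons.append("spot %.4f diverges %.0f%% from 7d VWAP %.4f" % (spot, 100 * abs(spot - avg) / avg, avg))
    share = pair_concentration(trades)
    if share > max_pair_share:
        reasons.append("%.0f%% of volume between 3 counterparty pairs" % (100 * share))
    if now - authorized_at > max_auth_age:
        reasons.append("authorization is %d days old (max %d)" % ((now - authorized_at) // 86400, max_auth_age // 86400))
    return (not reasons), reasons


NOW = 1_800_000_000  # constructed "current" timestamp
DAY = 86400


def fake_token_trades():
    """Constructed: three wallets wash-trading a 20-day-old token upward."""
    a, b, c = "walletA", "walletB", "walletC"
    return [Trade(NOW - 20 * DAY + i * 12 * 3600, 0.5 + 0.1 * i, 50_000.0,
                  (a, b, c)[i % 3], (b, c, a)[i % 3]) for i in range(40)]


def established_token_trades():
    """Constructed: 20 distinct wallets trading a stable price over a year."""
    return [Trade(NOW - 365 * DAY + i * 44 * 3600, 1.0 + 0.01 * ((i * 7) % 5), 1_000.0,
                  "user%d" % (i % 20), "user%d" % ((i * 3 + 1) % 20)) for i in range(200)]


def decide_fake():
    return collateral_decision(fake_token_trades(), first_listed=NOW - 20 * DAY, now=NOW,
                               spot=4.4, authorized_at=NOW - 45 * DAY)


def decide_established():
    return collateral_decision(established_token_trades(), first_listed=NOW - 365 * DAY, now=NOW,
                               spot=1.02, authorized_at=NOW - 1 * DAY)


if __name__ == "__main__":
    print("fake token:", decide_fake())
    print("established token:", decide_established())
```

The authorization-age check is the one that addresses pre-signed approvals directly: an administrative override that must be executed within days of signing has far less value to someone who has spent months arranging for it to be signed.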
Who’s At Risk?
Targeting for these operations is no longer limited to high TVL (Total Value Locked) protocols. DPRK actors have expanded their scope to include:
- Infrastructure Providers: RPC node operators, bridge validators, and decentralized storage providers.
- DevOps and Core Contributors: Individuals with "sudo" level access to GitHub repositories or multi-signature shards.
- Cross-Chain Bridges: Any protocol facilitating the movement of assets between disparate blockchains, as these serve as the primary laundering exits.
Traditional security relies on telemetry and signal-based behavioral detection, mechanisms which are often too late in DeFi compromises. In the crypto kill-chain, these are "post-compromise" signals; by the time EDR fires, crucial private keys are gone. Augur monitoring indicates that preemptive infrastructure blocking and actor tracking remain the most effective defense against smart contract-based malware and DPRK-linked actors. Because the kill chain relies on the actor's ability to communicate with staging infrastructure (e.g., C2 servers, malicious RPC nodes, or coding test delivery sites), blocking these assets at the network boundary neutralizes their threat before it reaches critical workflows. Moving the defensive line from the endpoint to the infrastructure layer is the only way to prevent threat actors from stealing crypto assets.
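Blocking staging infrastructure at the network boundary comes down to a CIDR blocklist and an egress log to check it against. The following is an added example, not Augur's platform code, of that matching step: it collapses overlapping ranges, prefers the most specific match, and reports which outbound connections in a constructed firewall log reached a blocked range. The only range taken from the report is the DEDIPATH LLC 171.22.x.x range named in the Conclusion, and writing it as a /16 is an assumption; the other ranges are RFC 5737 documentation addresses used as placeholders, and every log line and hostname is constructed.

```python
"""Boundary blocking of staging infrastructure by CIDR range (added example)."""
import ipaddress
import re

BLOCKLIST_CIDRS = [
    "171.22.0.0/16",      # report's DEDIPATH LLC range; /16 width is an assumption
    "203.0.113.0/24",     # placeholder (TEST-NET-3)
    "203.0.113.64/26",    # placeholder, redundant with the /24 above
    "198.51.100.128/25",  # placeholder (TEST-NET-2)
]

# Constructed egress log: "<iso-time> src=<host> dst=<ip>:<port> proto=<proto>"
SAMPLE_LOG = """\
2026-03-28T09:14:02Z src=dev-laptop-07 dst=171.22.33.44:443 proto=tcp
2026-03-28T09:14:05Z src=dev-laptop-07 dst=192.0.2.10:443 proto=tcp
2026-03-28T09:15:41Z src=ci-runner-2 dst=203.0.113.77:8545 proto=tcp
2026-03-28T09:16:00Z src=build-host-1 dst=198.51.100.200:22 proto=tcp
2026-03-28T09:16:13Z src=build-host-1 dst=198.51.100.20:443 proto=tcp
2026-03-28T09:17:59Z malformed line that the parser must skip
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[0-9.]+):(?P<port>\d+) proto=(?P<proto>\w+)$")


def compile_blocklist(cidrs):
    """Parse and collapse ranges so overlapping entries become one network,
    then sort longest prefix first so the most specific match is found first."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(c, strict=False) for c in cidrs)
    return sorted(nets, key=lambda n: n.prefixlen, reverse=True)


def match_blocked(ip, nets):
    """Return the blocked network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return net
    return None


def scan_log(text, nets):
    """Return (timestamp, source host, destination, matched network) for every
    parseable line whose destination falls in a blocked range."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not treated as clean
        net = match_blocked(m["dst"], nets)
        if net is not None:
            hits.append((m["ts"], m["src"], "%s:%s" % (m["dst"], m["port"]), str(net)))
    return hits


if __name__ == "__main__":
    nets = compile_blocklist(BLOCKLIST_CIDRS)
    print("blocklist:", [str(n) for n in nets])
    for hit in scan_log(SAMPLE_LOG, nets):
        print("BLOCKED", *hit)
```

Run against historical egress logs, the same matcher answers the retrospective question the report raises: which hosts had already contacted a staging range before the associated toolset was publicly known. Port 8545 on the constructed `ci-runner-2` line is the conventional Ethereum JSON-RPC port, which is the kind of destination a DeFi build host would legitimately reach and therefore worth matching by address rather than by port.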
Augur Analysis
Augur's predictive clustering platform identified North Korean staging infrastructure years before the tools it carried appeared in public breach disclosures. The TraderTraitor toolset (BeaverTail, InvisibleFerret, FrostyFerret), a credential harvesting stack used to compromise developer workstations and browser wallet keys in the ByBit and KelpDAO intrusions, was first flagged by Augur in April 2019, more than six years before those tools reached their initial DeFi targets. The WageMole cluster, which powers a separate fake recruitment pipeline DPRK operators use for fraudulent employment, was first generated in November 2021 and remained active through March 28, 2026. In every major Augur-tracked cluster, DPRK operators demonstrated a consistent preference for permissive, abuse-resistant hosting providers - DEDIPATH LLC (US), Inq Digital Nigeria, and Vox-Telecom (South Africa) - selected specifically for anonymized provisioning, abuse-resistant uptime, and geographic misdirection.
Augur's CIDR-based clustering exposes the operational relationships between these campaigns: the initial cross-platform DACLS RAT (Linux, macOS, Windows), staged since 2016, reflects a deliberate focus on cross-platform developer targeting; the AppleJeus cluster carries direct lineage identifiers from the early Lazarus crypto exchange targeting to its current DeFi operations; and the LazarusGroup flagship cluster has been in continuous detection since November 2012, with increased activity and CIDR detections as recently as March 29, 2026. This infrastructure remained hot through the KelpDAO breach and the expansion of OFAC sanctions, indicating that DPRK staging and cross-chain operations continued unabated.
Conclusion
In DeFi environments, where on-chain transactions are irreversible and post-compromise intervention impossible, infrastructure-layer preemption, like the type Augur provides, is the only defensive action that can be deployed before assets are stolen.
Blocking BeaverTail C2 nodes before InvisibleFerret is delivered ends the credential harvest. Blocking WageMole staging servers before the poisoned coding assessment reaches a developer ends the recruitment pipeline. Even blockchain-native C2 mechanisms like EtherHiding, which embed malicious payloads within immutable infrastructure, depend on traditional staging infrastructure to deliver their initial loader to the victim machine.
Augur's visibility into that delivery layer allows the chain to be severed before the loader ever queries the blockchain, neutralizing the threat before it becomes a permanent, takedown-resistant C2.
Organizations with Augur blocking enforced against the DEDIPATH LLC 171.22.x.x range as of April 2019 had the TraderTraitor delivery infrastructure neutralized more than six years before those tools were operationalized against ByBit. Defensive action against the DEDIPATH LLC and associated DPRK infrastructure is a measurable standard: Augur clustering preempted the infrastructure behind the TraderTraitor toolset, and the broader Lazarus ecosystem, over six years before the malware was operationalized against a target, a lead time that renders every downstream breach preventable.
For questions or additional analysis, contact: research@augursecurity.com
