north

According to Cointelegraph, the Ethereum Foundation stated that its funded Ketman project identified 100 North Korean IT personnel lurking in Web3 organizations within six months and issued alerts to about 53 projects, indicating that they may have employed related personnel.The project focuses on the issue of "fake developers" in the cryptocurrency industry and is part of the ETH Rangers public safety funding program. Ketman also developed an open-source detection tool for identifying suspicious GitHub activity and collaborated with the Security Alliance to create an industry identification framework for recognizing North Korean IT personnel.

According to data from TheMinerMag, in the first quarter of 2026, publicly listed Bitcoin mining companies including MARA, CleanSpark, Riot, Cango, Core Scientific, and Bitdeer collectively sold over 32,000 BTC, surpassing the total amount sold throughout last year and even exceeding the sell-off levels triggered by the Terra-Luna collapse in Q2 2022, setting a "new record for a single quarter."The backdrop of this sell-off is the key metric for measuring miner profitability, "hashprice," which has fallen to a historical low of below $35 per PH/s per day, with about 20% of miners already in the red. Asset management firm CoinShares stated in its report: "Unless the BTC price rebounds significantly, high-cost miners will further capitulate in the first half of 2026."

The crypto wallet Zerion disclosed that North Korean hackers are using AI for long-term social engineering attacks, stealing approximately $100,000 from the company's hot wallet.Zerion confirmed that user funds, applications, and infrastructure were not affected, and has proactively disabled the web application as a precaution. Zerion also stated that the attackers obtained some session and credential information from team members who were logged in, as well as the private keys of the company's hot wallet, and pointed out that AI is changing the way cyber threats operate.

As the infiltration and attacks targeting the cryptocurrency industry continue to escalate, security experts point out that the core difference from hackers with backgrounds in other countries is that cryptocurrency assets have become an important direct source of financing for military expenses in that country. Reports indicate that during a recent months-long infiltration operation against Drift Protocol, North Korean hackers once again caused a stir in the industry.Experts state that this model is not merely a "fund transfer tool," but rather a direct "predatory profit" mechanism used to bypass international sanctions and obtain immediately usable hard currency. Security researchers note that, unlike countries such as Russia and Iran, North Korea almost entirely lacks sustainable foreign economic and commodity export capabilities, making it more reliant on cryptocurrency theft as a core source of income to support its nuclear weapons and ballistic missile programs.Experts also emphasize that North Korean hacker attack targets have expanded from simple phishing to exchanges, wallet services, and key holders of DeFi protocols, commonly employing long-term social engineering and identity disguise infiltration methods. Due to the characteristic of blockchain transactions being "irreversible once confirmed," the cryptocurrency industry is far weaker than the traditional financial system in terms of freezing and recovering funds, making such attacks more destructive in speed and scale. Security personnel warn that this type of "long-term infiltration + precise power seizure" attack model has yet to be effectively addressed by the industry.

According to ZachXBT, an anonymous source shared data stolen from North Korea's internal payment servers, covering 390 accounts, chat records, and cryptocurrency transaction information.The related payment wallet addresses have received over $3.5 million from the end of November 2025 to the present, with funds transferred out through exchanges or converted into fiat currency via platforms like Payoneer and deposited into Chinese bank accounts.On-chain tracking shows that the internal payment addresses are associated with known North Korean IT worker clusters, one of which had a Tron payment address frozen by Tether in December 2025. Three affiliated companies on the user list have been sanctioned by OFAC, including Sobaeksu. ZachXBT has compiled a complete organizational chart, with data covering from December 2025 to February 2026.

According to The Block, the Solana ecosystem decentralized exchange Stabble issued an emergency notice urging liquidity providers to withdraw their funds immediately, due to a North Korean employee who previously worked on the project. This warning appears to have been triggered by information from on-chain detective ZachXBT, who disclosed that a North Korean developer had worked for many years on the Solana DeFi infrastructure project Elemental.U.S. authorities had previously issued warnings that North Korean technicians were infiltrating crypto companies using false identities. Over the weekend, Drift Protocol stated that its $280 million attack incident was likely carried out by the same North Korean hackers responsible for the October 2024 Radiant Capital attack. Stabble responded that the North Korean employee seemed to have joined a year ago, and a new team took over the project four weeks ago, emphasizing that no attacks have occurred so far and that the warning was merely a precaution. Stabble stated that it would conduct a new audit to ensure LP safety.

Drift Protocol posted on platform X that the preliminary investigation into the attack on April 1, 2026, shows that the operation was orchestrated by the North Korean government-supported hacker group UNC4736 (also known as AppleJeus or Citrine Sleet). This organization has been interacting face-to-face with Drift contributors for six months since the fall of 2025, by sending intermediaries to attend cryptocurrency conferences and establishing fake quantitative trading companies, and inducing them to download malicious code repositories or applications. Currently, Drift has frozen all protocol functions and removed the compromised wallets from multi-signature. Mandiant has been invited to participate in a deep forensic investigation. The investigation confirms that the on-chain fund flows used to test the operation can be traced back to the Radiant Capital attackers in October 2024.

According to CoinDesk, blockchain analytics firm Elliptic stated that the Drift Protocol attack resulted in a loss of $285 million, with "multiple signs" pointing to the North Korean-supported DPRK hacker organization. Elliptic focused on analyzing on-chain behavior, money laundering techniques, and signals at the network level, all of which align with previous state-affiliated attacks.The Elliptic report noted: "If confirmed, this would be the 18th DPRK attack tracked by Elliptic this year, with over $300 million stolen to date." On a technical level, Elliptic described this attack as "premeditated and meticulously planned," with early test transactions and pre-positioned wallets prior to the main attack. After the execution of the attack, the funds were quickly consolidated and transferred across chains, converted into more liquid assets, forming an organized and repeatable money laundering process aimed at obscuring the source of funds while maintaining control.This incident involved over ten types of assets, with funds being transferred across chains from Solana to Ethereum and other chains, further highlighting the importance of cross-chain tracing capabilities. Drift Protocol is the largest decentralized perpetual contract trading platform on the Solana blockchain, and its token has dropped over 40% to approximately $0.06 since the hack.

Ledger's Chief Technology Officer Charles Guillemet stated that the attack method used in the Drift Protocol exploit is similar to the 2025 Bybit hacking incident, which is widely believed to be linked to North Korean hackers.Guillemet pointed out that this attack did not target any smart contracts; instead, the attackers infiltrated the devices of multi-signature signers over a long period, tricking them into approving malicious transactions. The signers may have always thought they were authorizing legitimate operations. He emphasized that the root of the problem lies in the lack of security at the personnel and operational levels, rather than in the code itself.

According to Bitcoin Magazine, North Carolina has officially proposed Bill No. 327, the North Carolina Bitcoin Reserve and Investment Act. The bill was initiated by Senators Johnson and Overcash and passed its first reading on March 19.The bill aims to authorize the state treasurer to allocate up to 10% of public funds to Bitcoin as part of the state's long-term financial strategy. The bill also allows for regulated yield-generating activities such as staking and lending, requires Bitcoin to be stored in multi-signature cold wallets, establishes a dedicated custodial department within the state, creates a Bitcoin Economic Advisory Committee for guidance, and mandates monthly audits.

According to PRNewswire, the crypto startup Evernorth, supported by Ripple, announced that it has publicly submitted an S-4 registration statement to the U.S. Securities and Exchange Commission (SEC) regarding its previously announced business combination with the SPAC company Armada Acquisition Corp. II, sponsored by Arrington Capital, with the goal of becoming an XRP treasury company listed on Nasdaq.Previously, in October last year, it was reported that Evernorth plans to go public in the U.S. and raise over $1 billion to accumulate XRP tokens.

Bitcoin payment service provider Bitrefill disclosed on platform X that it suffered a cyberattack on March 1, 2026, resulting in a customer data breach. The attack originated from a compromised employee's laptop and allowed the attackers to access certain databases and cryptocurrency wallets.Investigations revealed that the attack method was highly similar to past attacks on cryptocurrency companies by the North Korean DPRK Lazarus/Bluenoroff hacker group. Approximately 18,500 purchase records involved limited customer information (email, cryptocurrency payment addresses, and IP metadata), with about 1,000 records having customer name information stored in an encrypted format, but potentially accessible. Bitrefill stated that customers do not need to take special actions but are advised to be vigilant for unusual information.Bitrefill further added that it has currently shut down related systems for isolation and is collaborating with security experts, on-chain analysts, and law enforcement. Operations have nearly returned to normal. The company emphasized that it is long-term profitable and financially robust enough to absorb this loss and will continue to strengthen cybersecurity measures, including internal access controls, monitoring, and emergency response mechanisms.

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) announced sanctions against 6 individuals and 2 entities, accusing them of participating in a fraud scheme orchestrated by North Korea involving IT workers, with proceeds used to fund North Korean weapons programs.The sanctioned entities include the North Korean company Amnokgang Technology Development Company and the Vietnamese company Quangvietdnbg International Services Company Limited, whose CEO Nguyen Quang Viet is accused of laundering $2.5 million for the network through cryptocurrency. Do Phi Khanh, Hoang Van Nguyen, Yun Song Guk, Hoang Minh Quang, and York Louis Celestino Herrera are also sanctioned for their alleged involvement in the network. The fraud network operates in North Korea, Vietnam, Laos, and Spain.The sanctions freeze all assets of the aforementioned individuals and entities in the U.S. and prohibit them from engaging in any financial transactions or business dealings with the United States. OFAC will also add 21 cryptocurrency addresses on the Ethereum and Tron networks to the sanctions list. Chainalysis stated that the North Korean IT worker fraud scheme relies on stolen identities and fabricated identity information to secure positions in global companies and may implant malware in company networks to steal sensitive information.

Security research organization Ctrl-Alt-Intel disclosed that a group of hackers suspected to be linked to North Korea has targeted staking platforms, exchange software vendors, and cryptocurrency exchanges.The attackers exploited the React2Shell vulnerability (CVE-2025-55182) and compromised cloud environments using obtained AWS access credentials, enumerating resources such as S3, EC2, RDS, EKS, and ECR, and extracting keys and credentials from Secrets Manager, Terraform files, Kubernetes configurations, and Docker containers. Researchers stated that the attackers downloaded 5 Docker images and stole source code, including components related to ChainUp clients.The attack infrastructure involved a South Korean server 64.176.226[.]36 and the domain itemnania[.]com. The report indicated that this activity is consistent with North Korean-related attack characteristics, but the attribution confidence level is moderate, and the source of the AWS credentials remains unclear.

TradFi giant Northern Trust increased its holdings in Strategy MSTR by 11,629 coins, bringing its total holdings to 1.58 million coins, valued at $210.4 million.

GoPlus Chinese community issued a warning on platform X, stating that North Korean hackers have published a set of 26 malicious packages to the npm registry. These malicious packages come with an installation script ("install.js") that automatically executes during the package installation process, running malicious code located in "vendor/scrypt-js/version.js".The malicious code downloads and executes a remote access trojan (RAT) via the same malicious URL, implementing malicious activities such as keylogging, clipboard theft, browser credential collection, TruffleHog secret scanning of Git repositories, and SSH key theft. This incident is related to a North Korean hacking activity known as "Famous Chollima".

According to a report by Businesswire, TradFi giant Northern Trust announced the launch of a Tokenized Money Market Share Class for its NIF Treasury Instruments Portfolio, marking its official entry into the digital asset market.This tokenized share class serves as a blockchain "mirror record" of institutional-grade shares, digitizing the registration of holdings through blockchain technology. In the initial phase, it will be opened to investment clients on the LiquidityDirect platform under New York Bank in the United States.The tokenized money market share class typically refers to a type of share class established for specific investor groups or trading methods within tokenized money market funds, issued and managed in token form on the blockchain.

On-chain detective ZachXBT posted about the user @sexinfochina, stating, "This user deliberately concealed the fact that they are an online criminal operating the Chinese dark web market 'FreeCity'. They publicly promote certain illegal services on Telegram and knowingly facilitated five money laundering transactions for North Korean hackers. Two years ago, this user asked me to investigate the reason a CEX account was frozen, and I found that it traced back on-chain to a theft case involving over a hundred million dollars by North Korean hackers."In addition, ZachXBT responded, "Although most users of this dark web platform are Chinese, many illegal transactions occur in Southeast Asia and other places."

According to Cointelegraph, Mandiant, a U.S. cybersecurity company affiliated with Google Cloud, has discovered that a North Korea-linked threat organization is intensifying social engineering attacks against cryptocurrency and fintech companies.The threat group, codenamed UNC1069, has deployed seven malware families, including the newly discovered SILENCELIFT, DEEPBREATH, and CHROMEPUSH, aimed at obtaining sensitive data and stealing digital assets. The attackers exploit compromised Telegram accounts and use AI-generated deepfake videos to lure victims into fake Zoom meetings.Mandiant has been tracking this organization since 2018, but advancements in artificial intelligence have helped the group expand its malicious activities since November 2025. In one intrusion incident, the attackers used a stolen Telegram account of a cryptocurrency founder to initiate contact, inducing victims to execute "troubleshooting" commands containing hidden instructions through a so-called ClickFix attack.