North Korean hacking groups have escalated their attacks on the cryptocurrency sector, moving from technical exploits to targeting human vulnerabilities in decentralized protocols. The infamous 2022 Ronin bridge attack, which resulted in a $625 million loss, was just the beginning of a more sophisticated campaign. In 2025 alone, these state-affiliated actors have attempted to steal $1.5 billion from Bybit by exploiting credential vulnerabilities. This shift in tactics highlights the growing need for enhanced security measures and awareness in the crypto space to combat such threats.
North Korean Hackers Target Decentralized Crypto Protocols, Exploiting Human Vulnerabilities
North Korean hacking groups have intensified their focus on the cryptocurrency sector, shifting from technical exploits to human vulnerabilities in decentralized protocols. The 2022 Ronin bridge attack, which netted $625 million, was merely a precursor to more sophisticated campaigns.
In 2025 alone, these state-affiliated actors have attempted to steal $1.5 billion from Bybit through credential-harvesting schemes, while simultaneously targeting MetaMask and Trust Wallet users with malware. Their tactics now include infiltrating exchanges via fake job applicants and establishing U.S. shell companies to compromise crypto developers.
The security gap lies not in smart contract code but in operational practices. Decentralized teams frequently neglect basic safeguards: poor key management, lax contributor vetting, and governance conducted through Discord polls. While the industry touts censorship resistance, these systemic weaknesses persist.
Oak Security's audit data reveals a troubling pattern—teams prioritize smart contract reviews while overlooking fundamental security hygiene. The result is an ecosystem where nation-state actors bypass technical defenses by exploiting human factors.
ZachXBT Accuses Garden Finance of Laundering $1.4B Bybit Hack Funds
On-chain investigator ZachXBT has alleged that decentralized finance protocol Garden Finance facilitated the laundering of funds stolen in the $1.4 billion Bybit hack. The accusation, made public via social media platform X, claims over 80% of Garden Finance's recent $300,000 fee revenue derived from processing illicit transactions tied to the breach.
The February 2025 attack on Bybit, attributed to North Korea's Lazarus Group, exploited vulnerabilities in multi-signature authentication to siphon 401,347 ETH. Garden Finance's co-founder Jaz Gulati had previously touted $4 million in total protocol fees without disclosing the alleged connection to stolen funds.
Garden Finance operates as a cross-chain Bitcoin swap platform with transactions completing in 30 seconds. The allegations raise significant concerns about DeFi protocols' potential role in enabling large-scale money laundering operations.
