hacker

According to a report by Cointelegraph, a report released by cybersecurity company CrowdStrike shows that losses from cryptocurrency assets caused by North Korean hackers and threat actors exceeded $2 billion in 2025, a 51% increase year-on-year, despite a decrease in the number of attacks. CrowdStrike stated that North Korean hackers are the largest threat organization targeting cryptocurrency users, and the stolen funds are almost certainly used to finance the regime's military programs.Attackers prioritize high-value targets, mainly focusing on Web3 projects and cryptocurrency exchanges, as stolen funds are easier to cash out and transfer anonymously. In April of this year, the Ethereum Foundation identified 100 North Korean hackers, and the Drift Protocol was infiltrated by North Korean tech workers, resulting in a loss of $280 million, with these threat actors establishing face-to-face relationships through third-party intermediaries.

According to a notice from Transit Finance, a security incident recently occurred in the project due to historical vulnerabilities in an old version of the smart contract deployed on TRON, which was deprecated in 2022, affecting a small number of users after being exploited.The team stated that after discovering the issue, they urgently completed investigation, isolation, and repair, and on May 12, further auditing and rectification were carried out. The currently used contract version has not been affected, has been running safely for over four years, and continues to undergo security audits and monitoring.Transit stated that affected users will receive full compensation, and specific plans will be announced through official channels. They also reminded users to be wary of counterfeit official messages and not to disclose private keys or mnemonic phrases.

According to Decrypt, Microsoft's threat intelligence department disclosed that attackers implanted malicious code into the Mistral AI package distributed through the PyPI platform. This malicious code automatically runs when developers use it on Linux systems, downloading a malicious file named transformers.pyz and executing it in the background, with the filename deliberately mimicking the widely used Hugging Face Transformers library to confuse users.Microsoft pointed out that this malware primarily steals developer login credentials and access tokens, and it avoids Russian systems. Some of the code can randomly delete device files located in Israel or Iran. This attack is related to the "Shai-Hulud" supply chain attack campaign that started in September. Mistral responded that investigations show the attack originated from compromised developer devices, and the company's infrastructure was not breached.

Web3 security company CertiK has released the "Skynet North Korea Cyber Threat Report." The data shows that since 2016, North Korean hacker groups have plundered approximately $6.75 billion in digital assets. In 2025 alone, the losses from thefts they orchestrated reached as high as $2.06 billion, accounting for nearly 60% of the total losses in the global cryptocurrency industry for the entire year (including the $1.5 billion Bybit theft case). As of early 2026, this threat trend continues, with losses accounting for about 55%.The report emphasizes that the attack patterns of North Korean hackers have undergone a fundamental shift, evolving from simple code vulnerability exploitation to a national-level attack system that combines social engineering, deep supply chain attacks, and "physical infiltration." In the recent Drift protocol incident, attackers even spent six months lurking at offline industry conferences, establishing trust through real funds and interpersonal interactions before executing their attack.CertiK security experts warn that in the face of such systemic attacks, simple technical defenses have become weak. Cryptocurrency institutions urgently need to fully implement a "zero trust" hiring model, strengthen third-party supply chains, establish fund circuit breaker mechanisms, and collaborate with professional security organizations to build a comprehensive lifecycle defense system covering code audits, round-the-clock risk monitoring, and on-chain anti-money laundering/KYT (Know Your Transaction) fund tracking.

On-chain detective ZachXBT exposed American threat actor Dritan Kapllani Jr, claiming he is suspected of participating in a social engineering theft targeting crypto users, totaling approximately $19 million. ZachXBT stated that Dritan has long flaunted luxury cars, high-end watches, private jets, and nightlife on social media. On April 23, 2026, during a "Band 4 Band (B4B)" voice chat on Discord, he publicly displayed an Exodus wallet containing $3.68 million in assets to prove he was wealthier than another hacker.The relevant ETH address is: 0x4487db847db2fc99372a985743a26f46e0b2bba6. ZachXBT tracked and found that this address is linked to a social engineering theft case involving 185 BTC (approximately $13 million) on March 14, 2026. The next day, Dritan's Exodus wallet received about $5.3 million of those funds. By the time of the B4B call six weeks later, about $1.6 million had been spent or laundered.On May 11, the U.S. Justice Department unsealed a criminal indictment against Trenton Johnson, who is accused of participating in the aforementioned 185 BTC theft case and could face up to 40 years in prison. "Coconspirator 1" in the indictment is alleged to be Dritan, who has not yet been formally charged. ZachXBT also pointed out that Dritan is connected to hacker John Daghita (Lick), who was previously arrested for stealing $46 million from the U.S. government, and John had exposed Dritan's old wallet address on Telegram.On-chain analysis shows that this address is related to multiple high-confidence social engineering theft cases in 2025, with a total amount involved exceeding $5.85 million. ZachXBT stated that Dritan has been active in "The Com" hacker circle for a long time and had previously not faced formal charges due to his minor status. He is now over 18 years old, and "the borrowed time may finally be over."

According to Decrypt, Google's Threat Analysis Group confirmed that cybercriminals used an AI model to discover and exploit a zero-day vulnerability in a popular open-source web management tool that could bypass two-factor authentication. Google stated that this is the first time the company has confirmed AI-assisted zero-day vulnerability development in a real-world environment. Before attackers could exploit it on a large scale, Google worked with the affected vendor to patch the vulnerability. Google's report noted that the vulnerability was a logic error, where the software trusted a condition that could bypass two-factor authentication. Unlike traditional scanners that look for crashes or error codes, AI analyzed the expected behavior of the software and detected logical contradictions, allowing attackers to bypass security checks without compromising encryption.

Renegade posted on platform X that a legacy V1 version of the protocol was attacked earlier this morning, resulting in a loss of approximately $209,000. White hat hackers have returned about $190,000, and all affected users will receive full compensation.The team confirmed that the issue only exists in the V1 Arbitrum deployment, and other deployments (V1 Base, V2 Arbitrum, V2 Base) are safe. All infrastructure supporting V1 Arbitrum transactions has been suspended, with no further risk to funds, and integrators do not need to take any action.

According to research by OpenSourceMalware, the North Korean hacker group Lazarus has adopted new techniques in malicious activities targeting developers, such as "infectious interviews" and "TaskJacker," hiding the second-stage loader in the pre-commit scripts of Git Hooks. "Infectious interviews" is a series of attack activities where the organization lures developers into cloning malicious code repositories by faking recruitment processes in the cryptocurrency/DeFi field, ultimately stealing crypto assets and credentials.Researchers recommend that developers who are asked to clone code repositories as part of the interview process should be wary of such risks and preferably run in an isolated environment to avoid mounting personal browser configurations, SSH keys, and cryptocurrency wallets.

Aave posted on platform X that the second phase of the rsETH event recovery technical plan has made progress. The 8 positions of the hacker on Aave V3 have been liquidated, and the recovered rsETH collateral has been handed over to the recovery custodian. The Arbitrum DAO has passed a proposal to return the previously recovered $71 million ETH.In response to the plaintiff's application for fund seizure, the judge has approved Aave LLC's proposal, allowing the transfer of the $71 million ETH to Aave LLC through on-chain voting by the Arbitrum DAO. Subsequent plans include destroying rsETH on Arbitrum and restoring the rsETH reserve. Once the reserve is restored, withdrawals will be reopened, and the WETH LTV on the Aave V3 Ethereum mainnet will be reinstated.

According to FinanceFeeds, the victim's lawyer from North Korea attempted to redefine the rsETH attack incident that occurred on Aave as "fraud" rather than "theft" before a hearing at the Manhattan federal court, in order to maintain a freeze order on assets worth $71 million in ETH.The lawyer argued that the attacker borrowed assets using worthless collateral and did not repay, which constitutes a fraudulent loan transaction, aiming to use these frozen assets to pay for terrorism judgment compensation under the Terrorism Risk Insurance Act.Previously, hackers associated with the Lazarus Group minted unsecured rsETH through a cross-chain bridge vulnerability and borrowed approximately $230 million in assets from Aave, of which $71 million was intercepted by Arbitrum developers. The victim's lawyer also questioned Aave's standing, pointing out that its terms of service state it does not have control over user assets. Additionally, DeFi United has raised $327 million, exceeding the amount in dispute.

According to CoinDesk, Drift Protocol has announced a user recovery plan for the approximately $295 million security breach on April 1, attributed to a North Korean-backed hacker group.The core of the recovery plan is to issue receipt tokens representing verified user losses, with each token representing $1 of verified loss, which holders can redeem based on the value of the recovery pool accumulated over time. The initial funding for the recovery pool is approximately $3.8 million, and it is expected to grow through exchange revenue of up to $127.5 million, Tether support, and up to $20 million from partners, until it covers the total loss of approximately $295.4 million.Drift has frozen about $3.36 million USDC and launched a public bounty to recover 10% of the assets. Drift plans to relaunch on a "security-first" exchange in the second quarter. Legal recovery efforts are still ongoing.

According to the latest report from TRM Labs, North Korean hackers stole nearly $600 million worth of cryptocurrency in the attacks on Drift Protocol and Kelp DAO, accounting for 76% of the total losses. TRM Labs estimates that since 2017, hackers associated with North Korea have stolen over $6 billion from cryptocurrency protocols and projects.The report shows that the share of losses caused by North Korean hackers in global cryptocurrency hacking attack losses has increased from less than 10% in 2020 and 2021 to 22% in 2022, 37% in 2023, 39% in 2024, and 64% in 2025.

North Korean hackers had months of offline contact and infiltration with employees of Drift Protocol before launching one of the largest social engineering attacks in the history of the cryptocurrency industry, resulting in a loss of approximately $285 million.Data from blockchain security company TRM Labs shows that North Korean hackers have accounted for 76% of all cryptocurrency hacking losses in 2026 to date.

The latest report from blockchain intelligence agency TRM Labs shows that approximately 76% of global cryptocurrency hacking losses are related to organizations associated with North Korea, with a total stolen amount of about $577 million.North Korea's share of global crypto theft continues to rise: 22% in 2022, 37% in 2023, 39% in 2024, rising to 64% in 2025, and further increasing to 76% in 2026. Since 2017, the total illegal profits have exceeded $6 billion. The report points out that these losses mainly stem from two major incidents in April: a $292 million attack on KelpDAO and a $285 million theft from Drift Protocol, with the two attacks accounting for about 3% of all hacking incidents during the same period.

According to Arkham monitoring, the Kyber Network hacker is transferring stolen funds to Tornado Cash.The hacker Andean Medjedovic previously stole $48.8 million from KyberSwap at the end of 2023 and had also attacked Indexed Finance, stealing $16.5 million. He was indicted by the FBI in 2025.

In the past ten years, the cumulative loss was $17.1 billion, involving 518 incidents; in the past five years, the loss was approximately $15.2 billion, involving over 450 incidents; in the past year, the loss was about $2.5 billion, involving over 140 incidents. Recent losses indicate that crypto attacks have shifted from smart contract vulnerabilities to private key leaks and access control.

According to on-chain analyst Yu Jin's monitoring, the Balancer hacker has started exchanging ETH for BTC through THORChain, having already converted 14,300 ETH into 419.3 BTC (worth $32.51 million).He currently holds 7,700 ETH on the ETH chain and 419.3 BTC on the BTC chain, valued at $50.4 million. The assets he stole last November were worth $98 million, which has significantly decreased since the ETH price was around $3,600 at that time.

According to on-chain analyst Yu Jin's monitoring, the KelpDAO hacker exchanged all 75,700 ETH for BTC through THORChain yesterday. The hacker who stole $98 million in assets from Balancer last November also exchanged ETH for BTC through THORChain today.Today, the Balancer hacker has already exchanged 7,000 ETH for 204.7 BTC ($15.88 million) and is still continuing. Currently, the Balancer hacker holds 15,000 ETH ($34.65 million) on the ETH chain and 204.7 BTC ($15.88 million) on the BTC chain.

According to monitoring by Lookonchain, the Balancer attacker has become active again after a 5-month silence, having previously stolen nearly $120 million. They are currently laundering money by exchanging ETH for BTC through THORChain.In the past hour, the attacker has transferred 1,100 ETH (approximately $2.55 million) and is in the process of converting it to BTC.

According to a research report by cybersecurity company Expel, it is tracking a highly assessed APT organization supported by North Korea (DPRK) called "HexagonalRodent," which primarily targets Web3 developers and specializes in stealing high-value digital assets such as cryptocurrencies and NFTs.The organization mainly conducts attacks by forging job postings—posting high-paying positions on LinkedIn and Web3 recruitment platforms to lure job seekers into completing "skills tests" embedded with malicious code, using the tasks.json feature of VSCode to automatically execute malicious programs when victims open project folders. The malware used includes BeaverTail, OtterCookie, and InvisibleFerret, which have capabilities for password theft, remote control, and reverse shell.It is noteworthy that the organization heavily utilizes generative AI tools such as ChatGPT and Cursor to develop malware, build fake company websites, and create AI-generated executive teams, even registering shell companies in Mexico to enhance the credibility of their attacks