AInvest Newsletter
Daily stocks & crypto headlines, free to your inbox
North Korean hacking groups have been targeting cryptocurrency systems for years, with the 2022 $625 million Ronin bridge exploit serving as an early warning. However, the threat has continued to evolve, with North Korean-affiliated attackers linked to numerous campaigns in 2025 aimed at siphoning value and compromising key players in Web3. These attacks have targeted significant assets, including $1.5 billion worth of assets at Bybit through credential-harvesting campaigns, with millions already laundered. Additionally, malware attacks on MetaMask and Trust Wallet users, as well as attempts to infiltrate exchanges, have been reported.
While large-scale thefts often grab the headlines, the reality is that the weakest link in Web3 is not smart contracts but human operational vulnerabilities. Nation-state attackers no longer need to find zero-days in Solidity; instead, they exploit operational vulnerabilities such as poor key management, nonexistent onboarding processes, unvetted contributors pushing code from personal laptops, and treasury governance conducted via Discord polls. Despite the industry's emphasis on resilience and censorship resistance, many protocols remain soft targets for serious adversaries.
Oak Security, which has conducted over 600 audits across major ecosystems, consistently identifies a gap where teams invest heavily in smart contract audits but overlook basic operational security (OPSEC). This oversight leads to compromised contributor accounts, governance capture, and preventable losses. The assumption that secure code equates to a safe protocol is not only naive but also dangerous. Smart contract exploits are no longer the preferred method of attack; it is easier and often more effective to target the people running the system. Many DeFi teams lack dedicated security leads, managing enormous treasuries without anyone formally accountable for OPSEC.
Operational security failures are not limited to state-sponsored groups. In May 2025, an overseas support agent at
was bribed by cybercriminals to illegally access customer data, resulting in a $180–$400 million remediation and ransom limbo. Similar attempts were made on Binance and Kraken. These incidents were not driven by coding errors but by insider bribery and human failures. Across the industry, contributors are often onboarded via Discord or Telegram without identity checks, structured provisioning, or verifiably secure devices. Code changes are frequently pushed from unvetted laptops with little to no endpoint security or key management. Sensitive governance discussions occur in unsecured tools like Docs and Notion, lacking audit trails, encryption, or proper access controls. When issues arise, most teams lack a response plan, designated incident commander, or structured communication protocol, leading to chaos.

This operational negligence is not decentralization; it is a systemic vulnerability. There are DAOs managing significant funds that would fail a basic OPSEC audit. Treasuries are guarded by governance forums, Discord polls, and weekend multisigs, making them open invitations for bad actors. Until security is treated as a full-stack responsibility, from key management to contributor onboarding, Web3 will continue to leak value through its softest layers.
Traditional financial institutions (TradFi) are frequent targets of attacks from North Korean hackers and others, losing millions each year. However, it is rare to see a traditional financial institution collapse or pause operations due to a cyberattack. These organizations operate on the assumption that attacks are inevitable and design layered defenses to reduce the likelihood of attacks and minimize damage when exploits occur. This culture of constant vigilance is largely absent in DeFi.

In a bank, employees do not access trading systems from personal laptops. Devices are hardened and continuously monitored. Access controls and segregation of duties ensure that no single employee can unilaterally move funds or deploy production code. Onboarding and offboarding processes are structured, and credentials are issued and revoked with care. When something goes wrong, incident response is coordinated, practiced, and documented, not improvised in Discord. Web3 needs to adopt similar maturity, adapted to the realities of decentralized teams.
This starts with enforcing OPSEC playbooks from day one, running red-team simulations that test for phishing, infrastructure compromise, and governance capture, not just smart contract audits, and using multi-signature wallets backed by individual hardware wallets or treasury management. Teams should vet contributors and perform background checks on anyone with access to production systems or treasury controls, even in teams that consider themselves fully decentralized. Some projects are starting to lead in this area, investing in structured security programs and enterprise-grade tooling for key management. Others leverage advanced Security Operations (SecOps) tooling and dedicated security consultants. However, these practices remain the exception, not the norm.
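The segregation-of-duties and hardware-backed multisig controls described above can be checked mechanically before a treasury goes live. The following Python script is an added example written for this page, not code from the article, Oak Security, or any project; the signer addresses, names and device ids are constructed sample values. It goes slightly beyond the text by also flagging a person or device that holds enough keys to meet the threshold alone, which silently turns an m-of-n multisig back into a single point of failure.

```python
"""
Treasury signing-policy check (illustrative example, not from the article).

Evaluates a multisig configuration against the operational controls the
article calls for: no single person can move funds, every signer key lives
on a hardware wallet, and no two signer keys share a device.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Signer:
    address: str          # on-chain signer address (constructed placeholder)
    person: str           # human who controls the key
    device: str           # device the key is stored on
    hardware_backed: bool # True if the key never leaves a hardware wallet


@dataclass(frozen=True)
class Multisig:
    threshold: int        # m in m-of-n
    signers: tuple        # tuple of Signer


def check_treasury_policy(ms: Multisig) -> list:
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    n = len(ms.signers)

    if ms.threshold < 2:
        findings.append("threshold below 2: a single key can move funds")
    if ms.threshold > n:
        findings.append(f"threshold {ms.threshold} exceeds signer count {n}")

    # Segregation of duties: a person holding >= threshold keys can sign alone.
    per_person = Counter(s.person for s in ms.signers)
    for person, count in per_person.items():
        if count >= ms.threshold:
            findings.append(
                f"{person} holds {count} keys, enough to meet the threshold alone")

    # Keys on one device are compromised together, so they count as one key.
    per_device = Counter(s.device for s in ms.signers)
    for device, count in per_device.items():
        if count > 1:
            findings.append(f"device {device} hosts {count} signer keys")

    # Every signer key should be on a hardware wallet, not a laptop keystore.
    for s in ms.signers:
        if not s.hardware_backed:
            findings.append(f"signer {s.address} key is not hardware-backed")

    # Liveness: losing one key must not freeze the treasury (e.g. 2-of-2).
    if n - ms.threshold < 1:
        findings.append("no spare signers: losing one key freezes the treasury")

    return findings


# Constructed sample: a 2-of-3 where one contributor holds two keys on one laptop.
WEAK_CONFIG = Multisig(threshold=2, signers=(
    Signer("0xA1", "alice", "alice-laptop", hardware_backed=False),
    Signer("0xA2", "alice", "alice-laptop", hardware_backed=True),
    Signer("0xB1", "bob", "bob-hw-wallet", hardware_backed=True),
))

# Constructed sample: a 3-of-5 across five people, five hardware wallets.
HARDENED_CONFIG = Multisig(threshold=3, signers=(
    Signer("0xC1", "carol", "carol-hw-wallet", hardware_backed=True),
    Signer("0xD1", "dave", "dave-hw-wallet", hardware_backed=True),
    Signer("0xE1", "erin", "erin-hw-wallet", hardware_backed=True),
    Signer("0xF1", "frank", "frank-hw-wallet", hardware_backed=True),
    Signer("0xG1", "grace", "grace-hw-wallet", hardware_backed=True),
))

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = check_treasury_policy(cfg)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for f in result:
            print("  -", f)
```

Run as a script, the weak configuration fails on three counts (one person can meet the threshold alone, two keys on one device, one software key), while the 3-of-5 across five people and five hardware wallets passes. The device check is the one teams most often miss: two "independent" signers on the same laptop provide no more assurance than one.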
Decentralization is no excuse for negligence. Nation-state adversaries understand this ecosystem and are already inside the gates. The global economy is increasingly reliant on on-chain infrastructure, and Web3 platforms urgently need to employ and adhere to disciplined cybersecurity practices to avoid becoming a permanent funding stream for hackers and scammers seeking to undermine them. Code alone will not defend us; culture will.
Dec.02 2025