TRM Labs attributes about USD 577 million in 2026 crypto theft through April to North Korean hacking groups, with Drift Protocol and KelpDAO accounting for 76% of all crypto hack losses in that period. The Drift attack involved weeks of on-chain staging, …
387 reports
HexagonalRodent is presented as a DPRK-attributed crypto-theft operation overlapping with Famous Chollima, Contagious Interview, and the broader Lazarus/TraderTraitor ecosystem. The campaign targets Web3 and DeFi developers through AI-generated LinkedIn r…
The episode describes DPRK-linked Contagious Interview activity using fake coding interviews to turn developer work into credential theft. The preserved notes focus on malicious coding tests, developer workstation compromise, malware infrastructure, and t…
Red Asgard launched The Fake Interview as an audio companion to its Hunting Lazarus research series on the DPRK-linked Contagious Interview campaign. The source says the written investigation tracks fabricated companies, persona operators, malicious repos…
Red Asgard found five Lazarus/Contagious Interview operator workstations inside the campaign's own victim database, showing that the credential-theft pipeline also consumed the people running it. The campaign targeted cryptocurrency, Web3, developer, and f…
ReversingLabs linked PromptMink to the North Korean-linked Famous Chollima group, describing a software-supply-chain campaign that used layered npm packages to target Web3 and crypto development workflows. A Claude Opus co-authored commit added the malici…
SOOHO.IO's bulletin describes the April 18, 2026 KelpDAO rsETH bridge incident, in which 116,500 rsETH, about $290 million to $294 million, was released from the Ethereum escrow contract without a valid source-chain burn. The source frames the failure as …
South Korea’s threat landscape is described as heavily shaped by North Korea-linked actors targeting government, defense, finance, cryptocurrency, media, policy, and technology sectors. Lazarus Group is associated with both espionage and financially motiv…
The article frames unauthorized access to a controlled AI model preview through a third-party contractor as a supply-chain and sanctions problem relevant to DPRK cyber operations. It argues that North Korea-linked actors such as Lazarus and TraderTraitor …
The Risky Biz Between Two Nerds episode discusses what the North Korean hack of Drift may reveal about future hacking trends. The excerpt identifies the content as an analytical podcast conversation between Tom Uren and The Grugq rather than a technical I…
Arctic Wolf attributes a targeted intrusion against a North American Web3 and cryptocurrency company with high confidence to BlueNoroff, a financially motivated Lazarus Group subgroup. The attack began with spear-phishing that impersonated a Fintech legal…
LeenLee Country Club in Gapyeong disclosed a customer-data breach after police notified the company that its website server showed signs of malware infection. Korean police were tracking activity by a hacking group under North Korea's Reconnaissance Gener…
NK Internet tracks a DPRK-style fake developer and company cluster that pivoted after earlier Mentonex-related accounts and companies were taken down. The investigation connects Nixsora.com and GitHub personas such as vexxloso, trader389, walletdiscover10…
A KelpDAO cross-chain bridge failure released 116,500 rsETH after LayerZero's single required DVN accepted a forged Unichain-to-Ethereum message. The excerpt says preliminary attribution points to North Korea's Lazarus Group, while also noting unresolved …
Panther Threat Research tracked a DPRK-linked npm supply-chain campaign that published 108 malicious packages and 261 versions between March 20 and April 20, 2026. The activity is attributed with high confidence to Famous Chollima / DeceptiveDevelopment b…