DeFied Expectations — Examining Web3 Heists
2024-09-03 • Mandiant
https://cloud.google.com/blog/topics/threat-intelligence/examining-web3-heists/
Mandiant frames DPRK activity as a central driver of high-value Web3 theft, citing the Ronin bridge heist of more than $600 million and earlier APT38 bank-heist experience. Recent exchange intrusions used fake recruiting over LinkedIn to deliver COVERTCATCH in a Python coding challenge, while a finance-themed malicious PDF dropped the Rust-based RUSTBUCKET backdoor and used autoserverupdate[.]line[.]pm as C2. The report also ties DPRK operators to supply-chain footholds such as JumpCloud and 3CX, followed by credential theft, password-manager access, cloud reconnaissance, wallet-key exposure, and rapid draining of production cryptocurrency wallets.