DeFied Expectations — Examining Web3 Heists
2024-09-04 • Mandiant
https://cloud.google.com/blog/topics/threat-intelligence/examining-web3-heists?hl=en
Mandiant describes DPRK-linked Web3 heists in which North Korean threat actors use both social engineering and supply-chain access to compromise cryptocurrency organizations and drain wallet funds. Recent cases included fake LinkedIn recruiting and coding challenges that delivered COVERTCATCH to macOS systems, plus a malicious finance job-description PDF that dropped the Rust-based RUSTBUCKET backdoor and persisted via a Launch Agent disguised as a Safari update. After initial access, DPRK actors have been observed pivoting to password managers, code repositories, documentation, and cloud-hosted secrets, including AWS SSM parameters containing production wallet private keys and credentials. The reporting highlights why early detection in the attack lifecycle matters for exchanges, since some intrusions have shown dwell times of up to 12 months before theft.
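Two of the post-compromise behaviours above leave log and filesystem traces a defender can check for. The following Python is an added illustration, not code from Mandiant or the report: it flags decrypted reads of secret-looking AWS SSM parameters by principals outside an allow-list (CloudTrail `GetParameter`, `GetParameters` and `GetParametersByPath` events with `withDecryption`), and it flags macOS Launch Agent plists whose label mimics Apple or Safari but whose program lives outside Apple-owned paths. The CloudTrail events, the plist, the allow-list, the parameter-name regex and the "Apple-looking label" heuristic are all constructed assumptions for the example.

```python
"""Detections for two behaviours in the Mandiant summary: decrypted reads of
wallet-like SSM parameters, and Launch Agents posing as Safari/Apple
components. All events, plists and allow-lists here are constructed samples;
the name and label heuristics are assumptions, not Mandiant's logic."""
import plistlib
import re

# Parameter names that suggest wallet material (assumed naming convention).
SECRET_NAME = re.compile(r"wallet|private[_-]?key|mnemonic|seed", re.I)
# CloudTrail eventName values for SSM Parameter Store reads.
SSM_READS = {"GetParameter", "GetParameters", "GetParametersByPath"}


def flag_ssm_reads(events, allowed_principals):
    """Alert on decrypted reads of secret-looking SSM parameters by any
    principal outside allowed_principals (e.g. the signing service's role)."""
    alerts = []
    for ev in events:
        if ev.get("eventSource") != "ssm.amazonaws.com" or ev.get("eventName") not in SSM_READS:
            continue
        req = ev.get("requestParameters") or {}
        if not req.get("withDecryption"):
            continue  # SecureString value was not decrypted; lower interest
        # GetParameter -> "name", GetParameters -> "names", GetParametersByPath -> "path"
        names = req.get("names") or [req.get("name") or req.get("path") or ""]
        principal = (ev.get("userIdentity") or {}).get("arn", "")
        for name in names:
            if SECRET_NAME.search(name) and principal not in allowed_principals:
                alerts.append({"time": ev.get("eventTime"), "principal": principal,
                               "parameter": name, "sourceIP": ev.get("sourceIPAddress")})
    return alerts


# Program paths an Apple-branded Launch Agent would legitimately point at (assumed).
APPLE_PATHS = ("/System/", "/usr/bin/", "/usr/libexec/", "/Applications/Safari.app/")


def flag_launch_agents(plists):
    """plists: iterable of (path, raw plist bytes). Flag agents whose Label
    mimics Apple/Safari but whose program lives outside Apple-owned paths."""
    alerts = []
    for path, raw in plists:
        pl = plistlib.loads(raw)
        label = pl.get("Label", "")
        program = pl.get("Program") or (pl.get("ProgramArguments") or [""])[0]
        mimics_apple = label.lower().startswith("com.apple.") or "safari" in label.lower()
        if mimics_apple and not program.startswith(APPLE_PATHS):
            alerts.append({"plist": path, "label": label, "program": program})
    return alerts


# --- constructed sample input (not real data) ---------------------------
ALLOWED = {"arn:aws:sts::111122223333:assumed-role/signer-role/signer"}
SAMPLE_EVENTS = [
    {"eventTime": "2024-08-01T10:00:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/signer-role/signer"},
     "requestParameters": {"name": "/prod/hot-wallet/private-key", "withDecryption": True}},
    {"eventTime": "2024-08-01T10:05:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameters", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"names": ["/prod/hot-wallet/private-key", "/prod/db/host"],
                           "withDecryption": True}},
    {"eventTime": "2024-08-01T10:06:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"name": "/prod/hot-wallet/private-key", "withDecryption": False}},
]
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.SafariUpdate</string>
<key>ProgramArguments</key><array><string>/Users/alice/Library/Application Support/SafariUpdate</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for a in flag_ssm_reads(SAMPLE_EVENTS, ALLOWED):
        print("SSM:", a)
    for a in flag_launch_agents([("~/Library/LaunchAgents/com.apple.SafariUpdate.plist", SAMPLE_PLIST)]):
        print("LaunchAgent:", a)
```

On the sample input only the second CloudTrail event fires (a developer principal decrypting the hot-wallet key from an external address; the non-decrypting read and the allow-listed signer role are ignored), and the plist fires because an Apple-looking label points at a program under the user's home directory. In practice the SSM allow-list should be the small set of roles that legitimately need the key, so that any other read is worth a look well before the dwell times the report describes.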