North Korean hackers are exploiting cybersecurity weaknesses in decentralized protocols, targeting individuals and organizations. Learn how to bolster your defenses.

Decentralized Protocols Under Siege: North Korean Hackers and the Cybersecurity Gap

The world of decentralized protocols, once hailed as the epitome of security and resilience, is facing a rude awakening. North Korean hackers are increasingly targeting this space, exposing critical cybersecurity gaps that threaten the entire ecosystem. The focus is no longer on smart contract vulnerabilities, but on the human element and operational security (OPSEC).

The Evolving Threat Landscape

Forget zero-day exploits in Solidity. Nation-state attackers are now exploiting the operational vulnerabilities of decentralized teams. Poor key management, nonexistent onboarding processes, unvetted contributors pushing code from personal laptops, and treasury governance conducted via Discord polls are all prime targets. As Oak Security's experience shows, many protocols are soft targets for serious adversaries, despite heavy investment in smart contract audits.

In 2025 alone, North Korean-affiliated attackers have been linked to campaigns targeting $1.5 billion in assets at Bybit through credential-harvesting, malware attacks on MetaMask and Trust Wallet users, infiltration attempts on exchanges via fake job applicants, and the creation of shell companies inside the U.S. to target crypto developers.

The Smart Contract Illusion

Many DeFi projects operate under the dangerous assumption that a passed smart contract audit equates to overall security. However, smart contract exploits are no longer the preferred method of attack. It’s easier and more effective to target the people running the system. Many DeFi teams lack dedicated security leads, managing enormous treasuries without formal OPSEC accountability.

Coinbase's May 2025 disclosure of a cybersecurity incident involving a bribed overseas support agent highlights this systemic vulnerability. Binance and Kraken faced similar attacks but successfully fended them off. This wasn't a coding error; it was insider bribery and human failure.

North Korean Hackers Go Phishing

A recent campaign by the North Korean hacking group Famous Chollima illustrates the sophistication of these attacks. Disguising Python-based malware (PylangGhost) as part of a fake job application process, they impersonate top crypto firms like Coinbase, Robinhood, and Uniswap through polished fake career sites. The malware steals login credentials, session cookies, and wallet data from over 80 extensions, including MetaMask and 1Password.

Learning from TradFi

Traditional financial institutions face similar threats but rarely collapse due to cyberattacks. They operate on the assumption that attacks are inevitable and implement layered defenses, access controls, and structured incident response plans. Web3 needs to adopt similar maturity, adapted to the realities of decentralized teams.

This includes enforcing OPSEC playbooks, running red-team simulations, and using multi-signature wallets backed by hardware wallets. Contributor vetting and background checks are essential, even in decentralized teams.

Decentralization Is No Excuse

The difficulty of implementing operational security in decentralized organizations is no excuse for negligence. Nation-state adversaries are already inside the gates, and the global economy is increasingly reliant on on-chain infrastructure. Web3 platforms must employ disciplined cybersecurity practices to avoid becoming a permanent funding source for malicious actors.

Code alone won't defend us; a robust security culture will.

The Last Word

So, Web3, let's get our act together! Time to ditch the