▲ North Korean hacker
A North Korean hacking group, disguised as contributors to the Ethereum ecosystem, seized core authorities and stole a massive amount of funds in a short period, shocking the entire industry. The impact is growing as 'trust,' a key element of decentralized structures, was itself exploited as an attack vector.
Coin Bureau host Louis Raskin revealed in a video released on April 28 (local time) that North Korea's Lazarus Group stole approximately $577 million over about 18 days in early April 2026. This amount exceeds a quarter of the total funds estimated to have been stolen by North Korea throughout 2025. Investigations by the Ethereum Foundation's Ketman project confirmed that about 100 North Korean IT personnel infiltrated 53 Web3 companies disguised as legitimate contributors.
They passed recruitment procedures with fake identities, worked in collaboration channels like Slack, and even performed actual code work, building internal trust. According to investigations by virtual asset investigator ZachXBT, approximately 390 related accounts were found to be receiving monthly salaries of $1 million, disguised as developers. They hid their identities by using identical resume formats and GitHub accounts and adjusting their activity times. Subsequently, attacks were executed by securing core authorities and then siphoning off funds.
On April 1, approximately $285 million was drained from the Solana (SOL)-based Drift Protocol. The attacker acted like an employee of a legitimate trading company for several months, depositing funds to gain trust, then deceived the security committee to obtain authority approval signatures, and stole the funds in just 12 minutes. Seventeen days later, targeting Kelp DAO, they replaced the node software with malicious code and siphoned off an additional approximately $292 million.
The stolen funds were laundered through Tornado Cash or converted into hard-to-trace forms via lending protocols like Aave and Compound. It is understood that they were then dispersed into Bitcoin using Circle's Cross-Chain Transfer Protocol (CCTP) and ultimately cashed out. A UN panel of experts assessed that funds from North Korea's virtual asset theft account for up to 45% of its ballistic missile development budget.
This incident is significant because it undermined the human-to-human trust system rather than exploiting a technical vulnerability. The open structure, which anyone can participate in, was instead used as an infiltration route, shaking the foundation of the decentralized model. While discussions are underway to strengthen real-name verification and centralize authority to counter this, these measures present challenges that conflict with the ecosystem's philosophy based on anonymity. The Arbitrum Security Council responded by urgently freezing approximately $71 million in assets. The industry has entered a phase where it must redesign not only technology but also participant verification systems.
*Disclaimer: This article is for investment reference only, and we are not responsible for investment losses based on it. The content should be interpreted for informational purposes only.*