
▲ North Korean Hacker
A North Korean hacking organization, disguised as a contributor to the Ethereum ecosystem, seized core authority and plundered massive funds in a short period, shocking the entire industry. The impact is growing because 'trust' itself, which is central to the decentralized structure, was exploited as an attack vector.
Coin Bureau host Louis Raskin revealed in a video released on April 28 (local time) that North Korea's Lazarus Group stole $577 million over approximately 18 days in early April 2026. This amount exceeds a quarter of the total funds estimated to have been stolen by North Korea throughout 2025. Investigations by the Ethereum Foundation's Ketman project confirmed that about 100 North Korean IT personnel infiltrated 53 Web3 companies disguised as legitimate contributors.
They passed recruitment procedures with fake identities, worked on collaboration channels like Slack, and even performed actual coding tasks, building internal trust. According to virtual asset investigator ZachXBT's investigation, approximately 390 related accounts, disguised as developers, are receiving monthly salaries of about $1 million. They concealed their identities by using identical resume templates and GitHub accounts and by adjusting their activity times. They then carried out the attacks by securing core authority and siphoning off funds.
On April 1, approximately $285 million was drained from the Solana (SOL)-based Drift Protocol. The attacker posed as a legitimate trading company employee for several months, depositing funds to gain trust, then deceived the security committee into providing an authorization signature and stole the funds in just 12 minutes. Seventeen days later, targeting Kelp DAO, they replaced node software with malicious code and siphoned an additional $292 million.
The stolen funds were laundered through Tornado Cash or converted into untraceable forms via lending protocols like Aave and Compound. It is understood that they were then dispersed into Bitcoin using Circle's Cross-Chain Transfer Protocol (CCTP) and ultimately cashed out. A UN panel of experts assessed that funds from North Korea's virtual asset theft account for up to 45% of its ballistic missile development budget.
This incident is significant because it broke the human trust system rather than exploiting a technical vulnerability. The open structure, accessible to anyone, was instead used as an infiltration route, shaking the foundation of the decentralized model. Discussions are underway to strengthen real-name verification and centralize authority in response, but these measures conflict with the ecosystem's philosophy, which is based on anonymity. The Arbitrum Security Council responded by urgently freezing assets worth approximately $71 million. The industry has entered a phase where it must redesign not only its technology but also its participant verification systems.
*Disclaimer: This article is for investment reference only, and we are not responsible for any investment losses based on it. The content should be interpreted for informational purposes only.*