According to one analysis, North Korea repeatedly targets cryptocurrency not to secure payment networks for evading sanctions, but to raise funds directly for weapons development.
On April 12, blockchain outlet CoinDesk cited security experts as saying North Korea's cryptocurrency hacking is structurally different from other state-backed hacking. The industry is also becoming more alert after a six-month infiltration operation targeting Drift became known.
The key difference is how it uses cryptocurrency. While Russia and Iran use cryptocurrency as a means of moving funds to evade sanctions, North Korea makes the cryptocurrency ecosystem itself a target, the report said. Dave Schwed, chief operating officer of SVRN, pointed to strong pressure on North Korea to secure funding for its weapons programme under a heavy sanctions environment. He said international organisations and intelligence agencies see cryptocurrency theft as a major funding source for North Korea's nuclear and missile development.
That is why North Korea adopts a strategy of accepting large-scale thefts that can be traced on public blockchains. Schwed said Russia still has oil, gas and raw material exports and trading counterparts, and Iran can also use sanctioned crude oil and financial networks within the Middle East, but North Korea has almost nothing left to sell. He said virtually all of North Korea's exports are subject to sanctions, and with no functioning economy it needs direct profits rather than payment networks. He added that stealing cryptocurrency allows it to secure liquidity immediately from around the world without counterparties.
The targets are also clear. Alexander Urbelis, chief information security officer at ENS Labs, cited exchanges, wallet services and DeFi protocols, as well as key individuals with signing authority or infrastructure access, as major targets. That means individuals or systems with access to funds are at the centre of the attacks.
The methods also differ from ordinary cybercrime. North Korea is seen as using long-term infiltration strategies at an intelligence-agency level, beyond simple phishing. The approach combines relationship-building over months, the use of fake identities and supply-chain infiltration. In the Drift case, it was reported that the attackers built trust with a specific individual over a long period before moving in.
The structure of cryptocurrency itself was also cited as a condition that favours North Korea. In traditional finance, safeguards such as payment delays, regulatory verification and transfer cancellations can still work after a hack, but a cryptocurrency transaction is difficult to reverse once it is approved. Urbelis cited an attack on Bybit early last year in which $1.5 billion moved in about 30 minutes, underscoring that structural difference.
These characteristics also affect defence strategies. Traditional finance such as banks has room to respond after an incident, but for cryptocurrency, pre-emptive blocking is close to the only effective response. Yet many projects prioritise rapid development and launches and lack sufficient security controls and audit systems, which has been flagged as a vulnerability.
Experts agree that identifying sophisticated fake identities and internal access privileges is currently the industry's most difficult security challenge. Awareness has risen since the Drift case, but the security burden is expected to persist for some time because North Korea views cryptocurrency as a target that can be directly cashed out, not as payment infrastructure.