TL;DR: North Korean hackers stole $577 million from DeFi protocols in early 2026, with Drift Protocol and KelpDAO among the principal targets, and the attacks accounted for 76% of global crypto hack losses in that period, according to FYEO. The pattern shows that smart contract logic, supply chain exposure, and compromised identities now combine into a governance problem, not just a code problem.
At a glance
What this is: North Korean cyber operations drained $577 million from DeFi protocols in early 2026, with Drift Protocol and KelpDAO among the major targets and crypto losses heavily concentrated in those incidents.
Why it matters: For IAM, PAM, and broader identity teams, the article shows how access control, identity vetting, and credential governance now intersect with smart contract risk, supply chain compromise, and financial crime.
By the numbers:
- North Korean state-sponsored groups stole $577 million in early 2026, primarily from DeFi protocols.
- These attacks represent 76% of all crypto hack losses during the period.
👉 Read FYEO's analysis of North Korean DeFi theft and Web3 security gaps
Context
DeFi security fails when code, identity, and operational trust are treated as separate problems. In this case, the article points to a large-scale loss event where smart contract weaknesses, third-party compromise, and social engineering all appear in the same attack surface. The primary keyword here is DeFi security, but the identity angle is just as important because fake personnel, stolen credentials, and access control failures can move funds as effectively as a code exploit.
For identity practitioners, the lesson is that Web3 environments still depend on classic governance controls even when the business model is decentralised. Role-based access, multi-factor authentication, employee screening, and access lifecycle discipline all matter when attackers target people, development paths, and transaction authority. That is typical of modern crypto incidents rather than an edge case.
Key questions
Q: What fails when DeFi protocols allow broad standing access to assets and contract controls?
A: When DeFi environments allow broad standing access, one compromised identity, key, or approval path can move funds directly. That collapses the separation between ordinary developer access and transaction authority. The practical failure is not only theft, but also the inability to contain impact once malicious instructions are encoded on chain.
Q: Why do phishing and fake identities remain so effective against crypto companies?
A: Crypto organisations often rely on people who can approve releases, manage keys, or sign transactions, so impersonation can translate directly into financial control. Fake identities work because they exploit trust in onboarding, contractor workflows, and internal communication channels before technical safeguards have a chance to intervene.
Q: How do security teams know whether access controls are strong enough for DeFi operations?
A: Look for clear separation between development, approval, signing, and asset movement rights. If the same account or small group can build code, deploy it, and authorise transactions, the control model is too concentrated. Stronger designs create traceable ownership, narrow scope, and explicit re-approval for high-risk actions.
Q: Who is accountable when a DeFi theft is driven by compromised identities and supply chain risk?
A: Accountability sits across protocol governance, engineering leadership, security operations, and any third parties that control signing or deployment paths. For regulated environments, the question is whether ownership, review, and escalation were defined before the incident. Frameworks such as NIST CSF and IAM governance models help assign that responsibility.
Technical breakdown
Smart contract access control failures
DeFi protocols encode asset handling rules into smart contracts, which makes access control flaws especially dangerous. A reentrancy bug, a broken authorization check, or a malformed privilege boundary can let an attacker manipulate transfers without needing to compromise a traditional server account. In practice, the issue is not only code correctness but trust in the contract’s execution model. Once the contract authorises the wrong action, on-chain finality can make reversal difficult or impossible.
Practical implication: treat contract authorization paths as production identity controls and test them like privileged access workflows.
Supply chain compromise in crypto development
Supply chain attacks in Web3 often target build systems, dependencies, and developer tooling rather than the protocol itself. If a malicious package, compromised repository, or infiltrated development environment injects code upstream, the resulting payload can alter wallet logic, approvals, or transaction routing before deployment. This blends software supply chain risk with identity governance because attackers frequently need trusted developer access, signing rights, or release authority to make the change persistent.
Practical implication: secure release signing, dependency provenance, and developer privilege boundaries together, not as separate controls.
Phishing, fake identities, and key theft
Crypto and DeFi operators face a persistent social engineering problem because whoever controls keys, approvals, and admin channels can often move value directly. North Korean operators have repeatedly used fake identities and phishing to gain trust, reach internal systems, and steal credentials or private keys. That is an identity problem as much as a fraud problem, because the attacker’s goal is to impersonate a legitimate person or contractor long enough to obtain access authority.
Practical implication: validate worker identity, harden approval workflows, and segregate high-value signing roles from routine access.
Threat narrative
Attacker objective: The objective is rapid theft and laundering of high-value crypto assets while the protocol’s governance and recovery processes are still reacting.
- Entry begins with phishing, fake employment personas, or supply chain compromise that places attackers inside the trust boundary of a DeFi project or its tooling.
- Escalation follows when compromised credentials, private keys, or malicious code paths give the attacker authority over contract actions, approvals, or fund movement.
- Impact occurs when the attacker drains assets across protocols and launders proceeds through exchanges before recovery or freezing can happen.
Breaches seen in the wild
- Mastra npm Supply Chain Attack — Sapphire Sleet — North Korean Sapphire Sleet backdoors 144 AI npm packages in 88 minutes via supply chain attack on Mastra ecosystem.
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
DeFi has an identity problem, not just a code problem. The article shows attackers combining smart contract abuse, social engineering, and supply chain compromise in the same campaign. That means protocol security, IAM, and personnel trust controls all contribute to the loss boundary. For practitioners, the core lesson is that transaction authority must be governed with the same seriousness as administrative access.
Fake identities are now a production security control issue in crypto. The rise of hostile IT-worker infiltration and phishing makes personnel vetting part of the security architecture, not an HR side topic. In identity terms, the risk is that a legitimate-looking worker can acquire signing rights, release authority, or privileged access without ever triggering a technical anomaly. Practitioners should treat onboarding, verification, and privileged assignment as one chain.
Access control failures in DeFi map to a broader standing-privilege problem. When a protocol or development environment permits broad, persistent authority over assets or deployment paths, attackers need only one foothold to move funds. That resembles the same governance weakness seen in traditional IAM and PAM failures: too much standing trust in too few accounts. Practitioners should assume that over-privilege will be exploited in high-value crypto environments.
Supply chain exposure is becoming the hidden accelerator of Web3 losses. The article’s reference to compromised dependencies and development environments shows how attackers can alter trust before a protocol ever reaches production. This is why NHI governance matters here as well, because signing keys, developer tokens, and release credentials effectively become non-human identities that control the integrity of the system. Practitioners should map these credentials into the same control model as other privileged identities.
Named concept: trust-boundary collapse. In this threat pattern, attackers do not need to break every layer of the system. They only need one trusted persona, key, or dependency to collapse the boundary between legitimate operation and malicious action. For practitioners, the response is to separate identity proof, privileged approval, and transaction execution so one compromise does not become system-wide loss.
From our research:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% partial visibility.
- That visibility gap and confidence gap point to a wider governance problem, which we examine in Ultimate Guide to NHIs , Key Challenges and Risks.
What this signals
Trust-boundary collapse is the operational risk crypto teams should now track. When fake identities, developer privileges, and contract authority converge, the organisation loses the ability to distinguish legitimate execution from attacker-controlled activity. Reference control models in MITRE ATT&CK Enterprise Matrix and baseline privileged access boundaries against NIST SP 800-53 Rev 5 Security and Privacy Controls.
The programme implication is straightforward: identity governance must extend into release pipelines, signing systems, and contractor verification. A control set that only covers human logins will miss the credentials that actually move value in Web3. For a broader identity frame, align these controls with the patterns discussed in 52 NHI Breaches Analysis.
If attackers can move from initial access to fund theft through a small number of trusted accounts, your privilege model is already too flat. That is the moment to review who can approve, sign, deploy, and recover, then separate those powers before the next incident forces the redesign.
For practitioners
- Harden protocol authorization paths Review smart contract permissions, admin functions, and upgrade paths for any logic that lets one role move assets, change rules, or override safeguards. Use independent audit coverage for the exact approval and transfer flows that control funds.
- Treat developer access as privileged access Map repository, CI/CD, signing, and deployment credentials as high-risk identities with explicit owners, expiration, and approval rules. Segregate release authority from routine engineering access so a single compromised account cannot ship malicious code.
- Strengthen identity proof for workers and contractors Apply enhanced vetting, continuous re-verification, and anomaly checks for staff who can touch wallets, secrets, or production contracts. Reassess any role that can approve transactions, sign releases, or modify key management settings.
- Instrument laundering-aware incident response Prepare playbooks for rapid containment, exchange notifications, and asset tracing when a theft is detected. The goal is to interrupt movement before stolen funds are dispersed through multiple wallets and venues.
Key takeaways
- The article shows that DeFi losses are now driven by a mix of contract flaws, supply chain exposure, and identity compromise.
- The reported $577 million stolen in early 2026, representing 76% of crypto hack losses in that period, shows how concentrated and high-impact these campaigns can be.
- The most relevant control gap is standing trust across people, keys, and release paths, which requires tighter identity governance around approvals, signing, and privileged access.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement; TA0040 , Impact | The article centres on credential theft, movement through trusted systems, and fund exfiltration. |
| NIST CSF 2.0 | PR.AC-4 | Access control and permission scope are central to protocol and developer governance. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is directly relevant to the standing access and approval paths discussed. |
| CIS Controls v8 | CIS-5 , Account Management | Account governance and privileged role control are central to the article's attack patterns. |
| ISO/IEC 27001:2022 | A.5.15 | Access control governance applies to the personnel and systems involved in fund movement. |
Map DeFi and developer trust paths to credential access, lateral movement, and impact tactics.
Key terms
- DeFi: Decentralized finance is a set of blockchain-based financial applications that replace intermediaries with smart contracts and automated rules. In security terms, it concentrates value into code, keys, and governance processes, which makes trust assumptions and access control failures directly monetisable by attackers.
- Smart Contract Access Control: Smart contract access control is the logic that determines which addresses or roles can call sensitive functions, move assets, or change protocol state. Weaknesses here often become irreversible because the contract itself enforces the decision on chain, leaving little room for human intervention once abused.
- Software Supply Chain Compromise: A software supply chain compromise is an attack that inserts malicious code into trusted build, package, or deployment paths. The goal is often not immediate application failure, but secret theft, persistence, or unauthorized changes that travel downstream through automated systems.
- Standing Privilege: Standing privilege is access that remains active even when no immediate task requires it. For NHI programmes, it is a common failure mode because long-lived credentials and persistent roles create unnecessary exposure. Reducing standing privilege usually means tighter expiry, on-demand access, and clearer review of who or what still needs access.
What's in the full analysis
FYEO's full article covers the operational detail this post intentionally leaves for the source:
- Protocol-level discussion of how Drift Protocol and KelpDAO were impacted, including the attack conditions that enabled the losses.
- References to related incidents such as the Axios npm package compromise, which help map the supply chain angle more concretely.
- Practical hardening measures for smart contract audits, monitoring, and incident response in Web3 environments.
- The article's discussion of North Korean IT-worker infiltration and why identity verification matters in crypto hiring and access governance.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and identity lifecycle control. It helps security practitioners translate identity risk into operating controls across their programmes.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org