The Biggest Threat to Crypto This Year Was Hiding in the Code Everyone Trusts

Onuora Amobi · July 1, 2026

Tags: crypto security, North Korea, supply chain attack, open source, Web3
The most expensive vulnerability in crypto this year was not a smart-contract bug or a weak password. It was trust in a free software package that thousands of companies install without reading a line of it.

North Korea has stolen 76% of all crypto taken by hackers in 2026, according to TRM Labs, with the regime's total haul since 2017 now topping $6 billion. The number that should unsettle builders isn't the percentage. It's the method behind it.

They stopped breaking down the door and started owning the lumber

For years the playbook was direct. Phish an employee, drain a hot wallet, launder through mixers, repeat. Crude, effective, and at least visible after the fact.

The newer approach is patient and structural. In March, CNN reported that North Korean operatives had compromised software used by thousands of US companies, a potential heist staged not against any single firm but against the shared code those firms depend on. The target moved upstream, from the wallet to the supply chain that builds the wallet.

The most striking case was the hijack of one of the web's most widely used open-source projects, an operation TechCrunch described as likely weeks in the making. Compromise one popular package and you inherit the access of every project that imports it. The attacker doesn't need to find your weakness. You install theirs.

Open source was crypto's foundation and now it's the attack surface

This industry was built on shared, public, auditable code, and that openness is the reason any of it works. Anyone can read the contract, fork the protocol, verify the math. It's the closest thing crypto has to a founding principle.

The same openness is what makes the supply chain such a clean target. A modern app pulls in hundreds of dependencies, each pulling in more, almost none of them read in full by the people shipping the product. The trust is implicit and nearly total.

Break one trusted link and the damage compounds quietly, because nobody audits the thing they assumed was already safe.

Treating this as a North Korea problem misses the point

The geopolitics make for a clean villain, and the attribution matters for sanctions and law enforcement. But fixating on the flag obscures the actual lesson.

The vulnerability isn't North Korean. It's the assumption, shared across nearly all of software, that a package downloaded a million times is a package that has been checked. Popularity is not an audit. It's just popularity, and a sufficiently patient attacker can turn it into a delivery mechanism.

Crypto firms are an especially rich target because the payoff is liquid, irreversible, and instantly global. A single compromised dependency in a wallet build can drain users while the developers are still congratulating themselves on the release. TechCrunch tied one such campaign to roughly $290 million in theft.

The defenses exist, but they're inconvenient

There's no exotic fix here, which is exactly why the problem persists. Pin your dependencies. Audit what you import. Reproduce builds so you can prove the code you ship matches the code you reviewed. Treat a sudden maintainer change on a critical package as a threat, not a footnote.

All of it is known. All of it is tedious. And tedium loses to shipping deadlines in almost every organization, until the day it doesn't.
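As an added illustration of those four habits (not code from this post or from any project it mentions), here is a small set of checks in Python: it flags floating version ranges and lockfile entries without an integrity hash, recomputes a tarball's integrity digest before it is trusted, and diffs a package's maintainer list between two snapshots. It assumes an npm-style package.json/package-lock.json layout; every package name, URL, tarball and maintainer below is a constructed sample.

```python
import base64
import hashlib
import hmac
import re

def sri(data: bytes, algo: str = "sha512") -> str:
    """Build a lockfile-style integrity string (algo-base64digest) for a tarball."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"

# Constructed samples (not real packages): manifest ranges vs. lockfile pins.
MANIFEST_DEPS = {"left-pad": "^1.3.0", "ethers": "6.13.2", "qs": "~6.11.0"}
LOCK_PACKAGES = {
    "node_modules/left-pad": {"version": "1.3.0", "integrity": sri(b"left-pad tarball"),
                              "resolved": "https://registry.example/left-pad-1.3.0.tgz"},
    "node_modules/ethers": {"version": "6.13.2",            # no integrity recorded
                            "resolved": "https://registry.example/ethers-6.13.2.tgz"},
    "node_modules/qs": {"version": "6.11.2", "integrity": sri(b"qs tarball"),
                        "resolved": "http://mirror.example/qs-6.11.2.tgz"},  # plain http
}

def audit_pins(manifest: dict, lock: dict) -> list:
    """Pin/audit check: floating ranges, missing integrity hashes, non-HTTPS tarballs."""
    findings = []
    for name, spec in manifest.items():
        if not re.fullmatch(r"\d+\.\d+\.\d+", spec):
            findings.append((name, f"unpinned range {spec}"))
        entry = lock.get(f"node_modules/{name}", {})
        if "integrity" not in entry:
            findings.append((name, "no integrity hash in lockfile"))
        if not entry.get("resolved", "").startswith("https://"):
            findings.append((name, "tarball not resolved over https"))
    return findings

def verify_integrity(tarball: bytes, integrity: str) -> bool:
    """Recompute the lockfile digest over the fetched bytes; compare in constant time."""
    algo, _, expected = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False   # unknown or weak algorithm: treat as unverified
    return hmac.compare_digest(sri(tarball, algo), f"{algo}-{expected}")

def maintainer_changes(before: list, after: list) -> dict:
    """A changed maintainer set on a critical package is a review trigger."""
    b, a = set(before), set(after)
    return {"added": sorted(a - b), "removed": sorted(b - a)}

if __name__ == "__main__":
    for pkg, issue in audit_pins(MANIFEST_DEPS, LOCK_PACKAGES):
        print(f"{pkg}: {issue}")
    print(maintainer_changes(["alice", "bob"], ["alice", "newcomer"]))
```

Run it against a real lockfile by loading the JSON into the same two dicts; the same digest check is what a reproducible build compares against the artifact you reviewed.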

So the honest forecast isn't that the industry hardens its supply chain because the lesson finally landed. It's that the next nine-figure theft traces back to a package nobody thought to read, and we have this conversation again, wondering why the most public code in the world was also the least examined.
