Code to Custody (Human Layer Exploitation)
Web3 / compliance
'Code to Custody' describes the end-to-end attack chain developed and perfected by North Korea's BlueNoroff and Lazarus Group units for stealing cryptocurrency by exploiting the human layer of an exchange's security rather than its smart contracts or cryptographic infrastructure. The chain begins on professional networks (LinkedIn, Telegram), where attackers impersonate venture capitalists, IT recruiters, or known investors and approach developers or DevOps engineers at target crypto firms with attractive job offers or investment enquiries. During a simulated 'interview', the target is asked to download and run a coding test or repository, which silently installs custom malware on the workstation. The malware harvests SSH keys, cloud access tokens, and CI/CD pipeline credentials, allowing the attacker to move laterally from the developer's machine into the exchange's software deployment infrastructure. From there, the attackers identify and compromise the signing process for hot wallet transactions, ultimately authorising massive withdrawals that appear as legitimate internal operations. This chain successfully facilitated the $1.5 billion Bybit exchange heist in early 2025, the largest cryptocurrency theft in history, and is considered the dominant threat model for tier-1 exchange security in 2026.

Example: A Bybit developer received a LinkedIn message from a profile posing as a partner at a well-known VC firm, was invited to review a 'portfolio company's GitHub repository', and executed the malware during what appeared to be a standard due-diligence review, initiating the chain that ultimately resulted in the theft of $1.5 billion in ETH and staked ETH from Bybit's Safe multisig infrastructure.

Why it matters for compliance: Code to Custody demonstrates that the most catastrophic crypto thefts in 2025–2026 require zero smart-contract vulnerability; they exploit credential trust in developer workflows. Exchanges must implement hardware security keys for all signing operations, mandatory out-of-band verification for any external code execution, and strict segregation between developer workstations and hot wallet signing infrastructure.
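The credential-harvest stage described above (a freshly run 'coding test' reading SSH keys, cloud tokens and CI/CD credentials within minutes) is the point where a developer workstation can still raise an alarm. The following detection sketch is an added example, not from the glossary or from any exchange's tooling; the telemetry records, the home-directory paths and the credential-store categories are constructed assumptions.

```python
"""Detection sketch for the 'coding test' stage of Code to Custody.

Added example, not from the glossary page. Assumes endpoint telemetry has
already been normalised into (timestamp, pid, process, event, path) tuples;
the records in EVENTS below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Credential stores the glossary says the malware harvests. The paths are
# assumed default locations on a developer workstation, not from the page.
SENSITIVE_STORES = {
    "/home/dev/.ssh/": "ssh_key",
    "/home/dev/.aws/": "cloud_token",
    "/home/dev/.config/gh/": "ci_token",
    "/home/dev/.npmrc": "registry_token",
}
WINDOW = timedelta(minutes=10)          # reads this close together look scripted
EXPECTED_READERS = {"ssh", "ssh-agent", "git"}  # tools that legitimately read their own keys

# Constructed telemetry: a cloned 'interview' repo runs a post-install script
# whose process reads three different credential stores within seconds.
EVENTS = [
    ("2025-02-20T09:00:00", 101, "git", "exec", "/home/dev/interview-task"),
    ("2025-02-20T09:02:10", 202, "node", "exec", "/home/dev/interview-task/postinstall.js"),
    ("2025-02-20T09:02:11", 202, "node", "read", "/home/dev/.ssh/id_ed25519"),
    ("2025-02-20T09:02:12", 202, "node", "read", "/home/dev/.aws/credentials"),
    ("2025-02-20T09:02:13", 202, "node", "read", "/home/dev/.npmrc"),
    ("2025-02-20T10:30:00", 303, "ssh", "read", "/home/dev/.ssh/id_ed25519"),  # benign
    ("2025-02-20T11:00:00", 404, "code", "read", "/home/dev/.npmrc"),          # single store, benign
]

def classify(path):
    """Map a file path to a credential-store category, or None if not sensitive."""
    for prefix, category in SENSITIVE_STORES.items():
        if path.startswith(prefix):
            return category
    return None

def find_credential_harvest(events, min_stores=2):
    """Alert on any non-toolchain process that reads >= min_stores distinct
    credential stores inside WINDOW. Returns a list of alert dicts."""
    per_proc = defaultdict(list)
    for ts, pid, proc, ev, path in events:
        cat = classify(path)
        if ev == "read" and cat and proc not in EXPECTED_READERS:
            per_proc[(pid, proc)].append((datetime.fromisoformat(ts), cat, path))
    alerts = []
    for (pid, proc), reads in per_proc.items():
        reads.sort()
        stores = {cat for _, cat, _ in reads}
        if len(stores) >= min_stores and reads[-1][0] - reads[0][0] <= WINDOW:
            alerts.append({"pid": pid, "process": proc, "stores": sorted(stores),
                           "files": [p for _, _, p in reads]})
    return alerts
```

The same logic generalises to any credential location by extending SENSITIVE_STORES; the essential signal is several distinct stores read by one unexpected process in a short window, not any single file access.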