Type of request
What content are you suggesting for?
A new top level framework section (proposed name: "Threat Intelligence" or "APT Threat Profiles") that catalogs state sponsored and advanced threat actor groups conducting offensive hacking campaigns against blockchain protocols, along with a structured taxonomy of their on chain attack techniques inspired by MITRE ATT&CK but adapted to Web3 specific attack surfaces.
This is explicitly not a duplicate or extension of the existing DPRK IT Workers framework. The DPRK IT Workers section covers one specific tactic: fraudulent employment and insider placement (hiring channels, interview red flags, identity verification, post hire detection, access escalation from infiltrated employees). What I'm proposing covers the other side of the threat entirely: the actual protocol level exploitation campaigns carried out by DPRK hacking units (and potentially other APT groups) that operate externally and do not rely on insider access.
To make the distinction concrete:
|
DPRK IT Workers (exists) |
APT Protocol Attacks (proposed) |
| Vector |
Fraudulent employment |
External protocol exploitation |
| Kill chain |
Resume → Interview → Hire → Access escalation → Data leak |
Recon → Infrastructure staging → Signer social engineering → Governance manipulation → Asset drainage → Laundering |
| Targets |
HR/hiring pipeline |
Multisig configurations, oracle systems, governance timelocks, bridge infrastructure |
| Techniques |
Fake identities, deepfakes, laptop farms |
Fake token creation, durable nonce pre signing, zero timelock exploitation, CLOB manipulation, Tornado Cash obfuscation |
| Defenses |
Hiring process hardening, liveness verification |
Timelock enforcement, oracle circuit breakers, multisig signing verification, on chain anomaly monitoring |
| Example incidents |
Numerous undisclosed infiltrations |
Drift ($285M), Bybit ($1.5B), Ronin ($625M), Horizon ($100M), Atomic Wallet ($100M) |
The IT Workers TTPs page itself acknowledges this gap: "We have observed DPRK IT Workers passing access or sensitive information to DPRK Hacking teams." But what those hacking teams actually do, how their campaigns unfold, and how to defend against them at the protocol level is not covered anywhere in the frameworks.
The proposed section would contain three components:
1. Threat Actor Profiles: Structured profiles of groups conducting offensive operations against blockchain infrastructure (attribution context, known aliases like Lazarus/APT38/UNC4736/TraderTraitor/AppleJeus, historical campaigns with targeted protocols, on chain behavioral indicators like wallet clustering, bridging preferences, mixer patterns, laundering velocity). Starting with DPRK/Lazarus since the intelligence base is richest.
2. Web3 Attack Technique Taxonomy: A structured catalog of techniques observed in real protocol attacks, organized by kill chain phase (Reconnaissance, Resource Development, Initial Access, Persistence & Staging, Execution, Exfiltration & Laundering). Each technique references the real incident(s) where it was observed. It's worth noting that MITRE itself has already published AADAPT (Adversarial Actions in Digital Asset Payment Technologies), a 12 tactic, 50+ technique matrix designed as a blockchain specific complement to ATT&CK. AADAPT covers technique categories like Oracle Manipulation, Flash Loan exploits, Chain Reorganization, Cross Chain Swaps, Generate Counterfeit Tokens, and Siphon Funds. The proposed section here would not duplicate AADAPT but would layer threat actor attribution and real campaign mapping on top of it: AADAPT tells you what techniques exist; this section would tell you who uses them, how they chain them together in real operations, and what behavioral indicators to look for on chain. AADAPT's taxonomy could serve as the shared vocabulary for technique identification within the proposed profiles.
3. Defensive Cross References: Each technique links back to existing SEAL frameworks providing relevant defensive guidance (multisig compromise → Multisig for Protocols, oracle manipulation → Monitoring, post drain response → Incident Management, IT worker enabled access handoff → DPRK IT Workers).
Why do you think this update or modification is needed?
The five largest DPRK linked blockchain exploits (Drift $285M, Bybit $1.5B, Ronin $625M, Horizon $100M, Atomic Wallet $100M) were all external offensive operations, not IT worker infiltrations. None of these attack chains map to anything currently covered in the frameworks.
Taking the Drift Protocol attack (April 1, 2026) as an example: per TRM Labs' analysis, attackers withdrew 10 ETH from Tornado Cash three weeks before execution, manufactured a fake token (CarbonVote/CVT) with seeded liquidity and wash trading on Raydium, social engineered multisig signers into pre signing durable nonce transactions with hidden admin authorizations, migrated the Security Council to a 2/5 threshold with zero timelock (eliminating the detection window), then on April 1 deployed the pre signed transactions in sequence to list CVT as valid collateral, raise withdrawal limits, and drain $285M across 31 transactions in 12 minutes. Stolen funds were bridged to Ethereum within hours.
Every technique in that chain (fake token manufacturing, durable nonce staging, multisig signer social engineering, zero timelock exploitation, oracle manipulation) falls completely outside the scope of the DPRK IT Workers section. The intelligence to document these patterns exists but is fragmented across TRM Labs reports, Chainalysis publications, Mandiant/Google TAG advisories, protocol post mortems, and Twitter threads. No structured, community maintained resource synthesizes this into a reusable threat intelligence framework for protocol teams. At least of what I was checking.
SEAL is the natural home for this because the organization already maintains the DPRK IT Workers section (proving it can handle threat actor content), and has the community trust and contributor base to maintain a living document. The existing frameworks tell teams what to do (use timelocks, configure multisigs, monitor on chain), but without understanding how attackers exploit these in practice, teams cannot prioritize or validate their defenses.
Can you justify your argument or provide additional resources?
I will provide additional resources, but I really consider this is the time, after the DRIFT incident, to start mapping actual APT TTP's like MITRE does to contribute to Threat profiling and mapping.
- TRM Labs: North Korean Hackers Attack Drift Protocol in $285 Million Heist (April 2, 2026) — Detailed breakdown of the full Drift attack chain
- TRM Labs: Bybit Hack Update — North Korea Moves to Next Stage of Laundering (March 4, 2025) — On chain laundering patterns post exploit
- TRM Labs: Beyond IT Worker Fraud — OFAC's Latest DPRK Designations (March 13, 2026) — Broader DPRK threat landscape beyond IT workers
- MITRE ATT&CK Framework — Structural model for adversary TTP cataloging
- MITRE AADAPT (Adversarial Actions in Digital Asset Payment Technologies) — MITRE's blockchain specific threat framework (12 tactics, 50+ techniques), designed as a complement to ATT&CK for digital asset systems. Covers technique categories like Oracle Manipulation, Flash Loans, Chain Reorganization, Generate Counterfeit Tokens, and Cross Chain Swaps. Built from 150+ real world incidents. The proposed SEAL section would use AADAPT's taxonomy as shared vocabulary while adding threat actor attribution and campaign mapping that AADAPT does not provide
- MITRE AADAPT Overview (PDF) — Technical overview with the full matrix
- Mandiant / Google TAG: APT38, UNC4736, TraderTraitor campaign reporting — Attribution and campaign analysis for DPRK hacking units
- Chainalysis Crypto Crime Reports (2024/2025) — DPRK sections — On chain fund flow analysis and laundering pattern documentation
- Rekt.news — Incident post mortems (unstructured, no TTP taxonomy)
- DeFi Rekt Database — Incident tracking (no threat actor profiling)
- SEAL DPRK IT Workers Framework — The existing section covering employment infiltration (the complementary piece to what's proposed)
- SEAL OpenCTI instance — Existing threat intelligence infrastructure in the SEAL GitHub org
Since this is a considerable effort I believe this can be also something that can be discussed inside the community,
Thank you!,
Contribution intent
Type of request
What content are you suggesting for?
A new top level framework section (proposed name: "Threat Intelligence" or "APT Threat Profiles") that catalogs state sponsored and advanced threat actor groups conducting offensive hacking campaigns against blockchain protocols, along with a structured taxonomy of their on chain attack techniques inspired by MITRE ATT&CK but adapted to Web3 specific attack surfaces.
This is explicitly not a duplicate or extension of the existing DPRK IT Workers framework. The DPRK IT Workers section covers one specific tactic: fraudulent employment and insider placement (hiring channels, interview red flags, identity verification, post hire detection, access escalation from infiltrated employees). What I'm proposing covers the other side of the threat entirely: the actual protocol level exploitation campaigns carried out by DPRK hacking units (and potentially other APT groups) that operate externally and do not rely on insider access.
To make the distinction concrete:
The IT Workers TTPs page itself acknowledges this gap: "We have observed DPRK IT Workers passing access or sensitive information to DPRK Hacking teams." But what those hacking teams actually do, how their campaigns unfold, and how to defend against them at the protocol level is not covered anywhere in the frameworks.
The proposed section would contain three components:
1. Threat Actor Profiles: Structured profiles of groups conducting offensive operations against blockchain infrastructure (attribution context, known aliases like Lazarus/APT38/UNC4736/TraderTraitor/AppleJeus, historical campaigns with targeted protocols, on chain behavioral indicators like wallet clustering, bridging preferences, mixer patterns, laundering velocity). Starting with DPRK/Lazarus since the intelligence base is richest.
2. Web3 Attack Technique Taxonomy: A structured catalog of techniques observed in real protocol attacks, organized by kill chain phase (Reconnaissance, Resource Development, Initial Access, Persistence & Staging, Execution, Exfiltration & Laundering). Each technique references the real incident(s) where it was observed. It's worth noting that MITRE itself has already published AADAPT (Adversarial Actions in Digital Asset Payment Technologies), a 12 tactic, 50+ technique matrix designed as a blockchain specific complement to ATT&CK. AADAPT covers technique categories like Oracle Manipulation, Flash Loan exploits, Chain Reorganization, Cross Chain Swaps, Generate Counterfeit Tokens, and Siphon Funds. The proposed section here would not duplicate AADAPT but would layer threat actor attribution and real campaign mapping on top of it: AADAPT tells you what techniques exist; this section would tell you who uses them, how they chain them together in real operations, and what behavioral indicators to look for on chain. AADAPT's taxonomy could serve as the shared vocabulary for technique identification within the proposed profiles.
3. Defensive Cross References: Each technique links back to existing SEAL frameworks providing relevant defensive guidance (multisig compromise → Multisig for Protocols, oracle manipulation → Monitoring, post drain response → Incident Management, IT worker enabled access handoff → DPRK IT Workers).
Why do you think this update or modification is needed?
The five largest DPRK linked blockchain exploits (Drift $285M, Bybit $1.5B, Ronin $625M, Horizon $100M, Atomic Wallet $100M) were all external offensive operations, not IT worker infiltrations. None of these attack chains map to anything currently covered in the frameworks.
Taking the Drift Protocol attack (April 1, 2026) as an example: per TRM Labs' analysis, attackers withdrew 10 ETH from Tornado Cash three weeks before execution, manufactured a fake token (CarbonVote/CVT) with seeded liquidity and wash trading on Raydium, social engineered multisig signers into pre signing durable nonce transactions with hidden admin authorizations, migrated the Security Council to a 2/5 threshold with zero timelock (eliminating the detection window), then on April 1 deployed the pre signed transactions in sequence to list CVT as valid collateral, raise withdrawal limits, and drain $285M across 31 transactions in 12 minutes. Stolen funds were bridged to Ethereum within hours.
Every technique in that chain (fake token manufacturing, durable nonce staging, multisig signer social engineering, zero timelock exploitation, oracle manipulation) falls completely outside the scope of the DPRK IT Workers section. The intelligence to document these patterns exists but is fragmented across TRM Labs reports, Chainalysis publications, Mandiant/Google TAG advisories, protocol post mortems, and Twitter threads. No structured, community maintained resource synthesizes this into a reusable threat intelligence framework for protocol teams. At least of what I was checking.
SEAL is the natural home for this because the organization already maintains the DPRK IT Workers section (proving it can handle threat actor content), and has the community trust and contributor base to maintain a living document. The existing frameworks tell teams what to do (use timelocks, configure multisigs, monitor on chain), but without understanding how attackers exploit these in practice, teams cannot prioritize or validate their defenses.
Can you justify your argument or provide additional resources?
I will provide additional resources, but I really consider this is the time, after the DRIFT incident, to start mapping actual APT TTP's like MITRE does to contribute to Threat profiling and mapping.
Since this is a considerable effort I believe this can be also something that can be discussed inside the community,
Thank you!,
Contribution intent