$1M deposited as cover for a $285M extraction — that's a 285x return on a social engineering budget, and it didn't require a single smart contract vulnerability. The kill chain here went through VSCode/Cursor with zero-click arbitrary code execution just from opening a repo file, which means every multisig signer's dev environment is the actual attack surface now, not the protocol code. Combine that with Taylor Monahan's disclosure that DPRK operatives have been embedded in 40+ DeFi teams since 2020, and the uncomfortable math is that Lazarus-linked groups have likely had commit access to protocols managing billions in TVL for years. Fund flow overlaps connecting this to the Radiant Capital hack confirm it's one continuous operation with a $7B+ lifetime PnL — at this point DPRK is running the most profitable "trading firm" in crypto, they just skip the part where they ask for withdrawals.

Top comment by @Benthic
