During a previous job, some people I had worked alongside looked closely into the DPRK's attacks on cryptocurrency services, we had a daily threat intelligence report and dedicated team on threat intelligence as this was in the finance sector.

The DPRK's attacks on cryptocurrency providers in fact weren't very sophisticated, many nation state 'threat actors' with the APT designations or funny names are often unprofessional or aren't substantially unique beyond what their motives are, their toolkit and where they come from. There are some exceptions like the FVEY, or elite branches in Russia/China's government security agencies. However, those groups often conduct attacks to target an individual or make a serious attack to people comparable to their level (like with the SolarWinds / U.S. Government breach or the USA making malicious, persistent hard drive firmware for single targets).

Many threat actors in hostile nations are just younger people committing crime for fun or financial gain and being able to do it consistently and persistently because the nation they are from does not hold them accountable or punish them for doing it. You can compare Russian ransomware groups or Iranian politically motivated hacktivism to the teenagers in the USA who hack a company and post the database on warez forums, with the difference being the westerners actually go to jail. North Korea is a bit different considering their political climate (extremely communist, everyone is in the military) but their capabilities are around the same and lack anything unique because they are stupidly poor country. The North Korean's most damaging attack involved using a leaked American exploit rather than anything original.

North Korea commits cryptocurrency theft by just attacking cryptocurrency exchange platforms and custodians, because the security in most of them suck, and badly. Intelligence reported that it was phishing, and so did other forensics firms publicly. If you look at the targets that North Korea attacked and stole funds from, you'll essentially see that they are all random shitcoin companies most 'crypto' people have probably not heard of, done with no announcement of a zero-day exploit or sophisticated attack:

North Korea attacks cryptocurrency companies not just because they can use the funds they steal to fund illicit activities. The security that these 'crypto' or 'blockchain' companies have are horrendous to the point that they are low-hanging fruit for the North Koreans to actually take advantage of. FTX was one of the largest exchanges when it was active, and had no dedicated cybersecurity team. In fact, many still don't do have it to this day.

Anyways, to answer this:

Users, engineers, researchers, academics and hackers. Companies do little to nothing when it comes to security innovation and it's all down to the people they hire. Companies serve to promote, publicize and make money off of having better security to their competitors only in my opinion. This doesn't mean to say all the big companies have flawed security though, they don't, since they always get to hire the best people.

Projects like Tor, Whonix, Brave, Samourai, GrapheneOS, or even hardware (e.g. Trezor) and commercial software (e.g. Windows) rely heavily on independent research for the progress of their product. If it is not for the groups of people I mentioned putting them to the test or through scrutiny then they wouldn't be leading anything.

You'll find websites that publish security/privacy advice all the time, but if you can't really trust them to keep them up to date, your best bet is to look at what the developers of big security/privacy projects say. A lot of these people are open to talking about the downsides, shortcomings and what needs to be improved on with their work, because they need that criticism to be public to have someone notice it and make a difference.