North Korean IT workers have been embedding themselves in crypto companies and decentralized finance projects for at least seven years, according to a cybersecurity analyst.
“Lots of DPRK IT workers built the protocols you know and love, all the way back to DeFi summer,” said MetaMask developer and security researcher Taylor Monahan on Sunday.
Monahan claimed that over 40 DeFi platforms, some being well-known names, have had North Korean IT workers working on their protocols.
The “seven years of blockchain dev experience” on their resume is “not a lie,” she added.
The Lazarus Group is a North Korean-affiliated hacking collective that has stolen an estimated $7 billion in crypto since 2017, according to analysts at creator network R3ACH.
It has been linked to the industry’s highest-profile hacks, including the $625 million Ronin Bridge exploit in 2022, the $235 million WazirX hack in 2024 and the $1.4 billion Bybit heist in 2025.
Monahan’s comments came just hours after the Drift Protocol said it had “medium-high confidence” that the recent $280 million exploit against it was carried out by a North Korean state-affiliated group.
DeFi execs speak up on DPRK infiltration attempts
Tim Ahhl, founder of the Titan Exchange, a Solana-based DEX aggregator, said that in a previous job, “we interviewed someone who turned out to be a Lazarus operative.”
Ahhl said the candidate “did video calls and was extremely qualified.” He declined an in-person interview and they later discovered his name in a Lazarus “info dump.”
The US Office of Foreign Assets Control has a website where crypto businesses can screen counterparties against updated OFAC sanctions lists and be alert to patterns consistent with IT worker fraud.
Lazarus Group attack timeline. Source: R3ACH Network
Related: Drift Protocol says $280M exploit took ‘months of deliberate preparation’
Drift Protocol targeted by DPRK third-party intermediaries
Drift Protocol’s postmortem on last week’s $280 million exploit also pointed to North Korean-affiliated hackers for the attack.
However, it said the face-to-face meetings that eventually led to the exploit were not with North Korean nationals, but rather “third-party intermediaries” with “fully constructed identities including employment histories, public-facing credentials, and professional networks.”
“Years later, and it seems Lazarus now has non-NKs [North Koreans] working for them to con people in person,” said Ahhl.
Threats via job interviews are not sophisticated
Lazarus Group is the collective name for “all DPRK state-sponsored cyber actors,” explained blockchain sleuth ZachXBT on Sunday.
“The main issue is that everyone groups them all together when the complexity of threats is different,” he added.
ZachXBT said that threats via job postings, LinkedIn, email, Zoom, or interviews are “basic and in no way sophisticated … the only thing about it is they’re relentless.”
“If you or your team still falls for them in 2026, you’re very likely negligent,” he said.
There are two types of attack vectors, one more sophisticated than the other. Source: ZachXBT
Magazine: No more 85% Bitcoin collapses, Taiwan needs BTC war reserve: Hodler’s Digest