
North Korean-linked operators have spent years quietly integrating into crypto firms and DeFi teams, raising fresh concerns about insider risk after a string of high-value exploits tied to the country’s cyber apparatus.
Summary
- North Korean-linked developers have worked inside more than 40 DeFi projects over the past seven years, according to a security researcher.
- Investigators and industry participants warn that many infiltration attempts rely on simple but persistent tactics through hiring channels and social engineering.
Security researcher and MetaMask developer Taylor Monahan said these tactics stretch back to the early days of decentralized finance, with individuals tied to the Democratic People’s Republic of Korea contributing to several widely used protocols.
“Lots of DPRK IT workers built the protocols you know and love, all the way back to DeFi summer,” she said on Sunday, adding that more than 40 platforms, including several well-known projects, have at some point relied on such developers.
She added that the “seven years of blockchain dev experience” listed on their resumes is “not a lie.”
Investigators have long tied North Korea’s cyber operations to the Lazarus Group, a state-backed collective believed to have stolen around $7 billion in digital assets since 2017, according to R3ACH analysts.
The group has been associated with some of the industry’s largest breaches, including the $625 million Ronin Bridge exploit in 2022, the $235 million WazirX hack in 2024, and the $1.4 billion Bybit incident in 2025.
Last week’s $280 million exploit of Drift Protocol has drawn renewed scrutiny. The project said it had “medium-high confidence” that a North Korean state-affiliated group was behind the attack, linking the incident to a wider pattern of infiltration and social engineering.
However, the face-to-face meetings that led up to the breach were not with North Korean nationals, but rather with “third party intermediaries” using “fully constructed identities including employment histories, public facing credentials, and professional networks.”
These fabricated profiles allowed the intermediaries to build trust through in-person interactions before the exploit unfolded.
Independent blockchain investigator ZachXBT warned in a recent X post that not all threats tied to North Korea operate at the same level of sophistication.
“The main issue is that everyone groups them all together when the complexity of threats is different,” he said.
He described many infiltration attempts as relatively simple, relying on persistence rather than technical complexity. Outreach through job postings, LinkedIn, email, Zoom calls, and interview processes remains common.
“Basic and in no way sophisticated […] the only thing about it is they’re relentless,” he said, adding that teams continuing to fall for such tactics in 2026 risk being seen as negligent.