North Korean IT workers have embedded themselves in cryptocurrency companies and DeFi projects for at least seven years, according to security researchers. MetaMask developer and researcher Taylor Monahan said many DPRK IT workers contributed to protocols dating back to DeFi summer, claiming over 40 DeFi platforms—including some well-known names—employed North Korean developers. Monahan noted that résumés listing “seven years of blockchain dev experience” can be genuine.
The Lazarus Group, an umbrella name for North Korea–affiliated cyber actors, is credited with stealing roughly $7 billion in crypto since 2017, according to R3ACH analysts. The group has been linked to major breaches such as the $625 million Ronin Bridge exploit (2022), the $235 million WazirX hack (2024), and the $1.4 billion Bybit heist (2025). Monahan’s remarks came shortly before Drift Protocol said it had “medium-high confidence” a recent $280 million exploit was carried out by a North Korean state–affiliated group.
DeFi executives have reported direct infiltration attempts. Tim Ahhl, founder of Titan Exchange (a Solana DEX aggregator), said a candidate he interviewed for a prior role later appeared in a Lazarus “info dump.” The applicant was highly qualified by video call but declined an in-person meeting; investigators later found the person’s name among Lazarus-linked data.
Drift Protocol’s postmortem on the $280 million attack attributed the breach to North Korea–affiliated actors but said the face-to-face meetings that enabled the exploit involved third-party intermediaries—not North Korean nationals themselves. Those intermediaries presented fully constructed identities with employment histories, public credentials, and professional networks, suggesting Lazarus now uses non-North Korean operatives to conduct in-person confidence schemes.
Blockchain sleuth ZachXBT emphasized that Lazarus refers broadly to DPRK state-sponsored cyber actors and that the threat landscape varies in complexity. He described recruitment- and interview-based attacks—via job postings, LinkedIn, email, video calls, and interviews—as unsophisticated but relentless. ZachXBT argued that teams still falling for such approaches in 2026 are likely negligent.
Crypto firms are advised to screen counterparties and applicants against sanctions lists and known indicators of state-affiliated actor tactics. The U.S. Office of Foreign Assets Control provides searchable sanctions lists that businesses can use to detect flagged individuals and patterns consistent with fraudulent IT recruitment. Cointelegraph reports that independent verification and vigilance remain essential as adversaries adopt layered social-engineering techniques.
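The sanctions screening this paragraph recommends can be automated as a first-pass check. The following is an added example (not code from Cointelegraph, OFAC or any firm named above): it assumes the column layout of OFAC's published SDN.CSV, and every row, name and date in the sample data is constructed for illustration.

```python
import csv
import io
import unicodedata

# Constructed sample rows in the column layout of OFAC's published SDN.CSV
# (ent_num, SDN_Name, SDN_Type, Program, ..., Remarks; "-0-" marks an empty
# field). Every name, number and date here is made up for this example.
SAMPLE_SDN_CSV = """\
90001,"DOE, JOHN ALEXANDER",individual,DPRK3,-0-,-0-,-0-,-0-,-0-,-0-,-0-,"DOB 01 Jan 1990; nationality Korea, North"
90002,"EXAMPLE TRADING CO., LTD.",-0-,IRAN,-0-,-0-,-0-,-0-,-0-,-0-,-0-,-0-
90003,"KIM, MIN-JUN",individual,DPRK,-0-,-0-,-0-,-0-,-0-,-0-,-0-,-0-
"""

def normalize(name):
    """Fold case, strip diacritics and punctuation, and split into tokens so that
    'Jóhn A. Doe' and 'DOE, JOHN ALEXANDER' are compared on the same footing."""
    folded = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in folded if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() or c.isspace() else " " for c in no_marks)
    return cleaned.casefold().split()

def load_sdn(text):
    """Parse SDN.CSV-shaped text into the fields screening needs."""
    return [{"ent_num": r[0], "name": r[1], "type": r[2], "program": r[3],
             "remarks": r[11]} for r in csv.reader(io.StringIO(text))]

def token_overlap(a, b):
    """Share of the shorter name's tokens that also appear in the other name."""
    sa, sb = set(a), set(b)
    if not sa or not sb:
        return 0.0
    return len(sa & sb) / min(len(sa), len(sb))

def screen_applicant(applicant_name, entries, programs=("DPRK",), threshold=0.67):
    """Return SDN individuals under the given sanctions programs whose name
    overlaps the applicant's; each hit is a lead for manual review, not a verdict."""
    app_tokens = normalize(applicant_name)
    hits = []
    for e in entries:
        if e["type"] != "individual" or not e["program"].startswith(programs):
            continue
        score = token_overlap(app_tokens, normalize(e["name"]))
        if score >= threshold:
            hits.append({"ent_num": e["ent_num"], "name": e["name"],
                         "program": e["program"], "score": round(score, 2)})
    return hits
```

Token overlap misses concatenated romanizations ("Minjun" against "MIN-JUN") and aliases, so production screening should also consult the SDN alias table and a phonetic or edit-distance matcher, and treat a clean result as one input to identity verification rather than a clearance.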
