Security researchers say North Korean IT personnel have embedded themselves inside cryptocurrency firms and DeFi projects for at least seven years. MetaMask developer and researcher Taylor Monahan reported that many DPRK IT workers contributed to protocols dating back to DeFi summer, and that résumés claiming “seven years of blockchain dev experience” can be genuine. Monahan asserted more than 40 DeFi platforms—including recognizable names—have employed developers linked to the DPRK.
Analysts at R3ACH estimate North Korea–affiliated cyber actors, commonly grouped under the Lazarus label, have stolen about $7 billion in crypto since 2017. High-profile incidents tied to that umbrella include the $625 million Ronin Bridge exploit (2022), the $235 million WazirX breach (2024), and the $1.4 billion Bybit heist (2025). Monahan’s comments preceded Drift Protocol’s statement that it had “medium-high confidence” a recent $280 million exploit was carried out by North Korean state–affiliated actors.
DeFi executives describe direct infiltration attempts. Tim Ahhl, founder of Titan Exchange (a Solana DEX aggregator), said a candidate who interviewed well on video later appeared in a Lazarus “info dump.” The applicant declined an in-person meeting; investigators later found the person’s name among Lazarus-linked records. Drift’s postmortem on its $280 million attack concluded that while the breach is attributable to North Korea–affiliated actors, the face-to-face meetings that enabled the exploit involved third-party intermediaries rather than North Korean nationals. Those intermediaries presented fully fabricated identities, complete with employment histories, public credentials, and professional networks—indicating Lazarus increasingly relies on non‑DPRK operatives to carry out in-person confidence schemes.
Blockchain investigator ZachXBT emphasized that “Lazarus” is an umbrella term for DPRK state-sponsored cyber activity and that the threat landscape varies in sophistication. He characterized recruitment- and interview-based attacks—via job postings, LinkedIn, email, video calls, and interviews—as unsophisticated but relentless, adding that teams still falling for such approaches in 2026 are likely negligent.
Security recommendations for crypto firms include rigorous screening of applicants and counterparties against sanctions lists, checking for the known indicators of state-affiliated recruitment tactics, independent verification of identities and work histories, and heightened vigilance around recruitment channels. The U.S. Office of Foreign Assets Control (OFAC) maintains searchable sanctions lists, including the Specially Designated Nationals (SDN) list, that businesses can use to screen individuals and entities; the indicators of fraudulent IT-worker recruitment themselves come from advisories published by OFAC and other U.S. agencies, not from the lists. A sanctions hit is a strong signal, but the absence of one is not clearance: as Drift's postmortem shows, the operatives involved presented fabricated identities that would not appear on any list. Independent verification and continued vigilance remain essential as adversaries adopt layered social-engineering techniques.
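The following is an added example of the list-screening step, not code from the article or from OFAC. It assumes the column layout of OFAC's sdn.csv (ent_num, SDN_Name, SDN_Type, Program, ...) and alt.csv (ent_num, alt_num, alt_type, alt_name, ...) exports, uses only the first four columns, and works on constructed placeholder records rather than real list entries. The point it makes beyond the text is that an exact string comparison is not a screen: listed names appear in "SURNAME, Given" order with aliases, punctuation and accents, so the check has to normalize and compare order-insensitively before it can say anything.

```python
import csv
import io
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample records in the assumed column layout of OFAC's sdn.csv and
# alt.csv. Every name here is a fictitious placeholder, not a real list entry;
# the real files have no header row and carry more trailing columns than used.
SDN_CSV = """1001,"PLACEHOLDER SOFTWARE CO., LTD.",Entity,DPRK3,-0-
1002,"PLACEHOLDER, Alpha Beta",Individual,DPRK,-0-
1003,"EXAMPLE TRADING LIMITED",Entity,DPRK2,-0-
"""

ALT_CSV = """1001,2001,aka,"PSC SOFTWARE",-0-
1002,2002,aka,"A. B. Placeholder",-0-
1002,2003,aka,"Alpha PLACEHOLDER",-0-
"""


def normalize(name: str) -> str:
    """Fold case, strip accents and punctuation, collapse whitespace."""
    folded = unicodedata.normalize("NFKD", name)
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    folded = re.sub(r"[^a-z0-9 ]+", " ", folded.lower())
    return " ".join(folded.split())


def token_key(norm: str) -> str:
    """Order-insensitive form so 'placeholder alpha beta' == 'alpha beta placeholder'."""
    return " ".join(sorted(norm.split()))


def load_entries(sdn_text: str, alt_text: str) -> dict:
    """Build ent_num -> record, attaching every alias to its primary entry."""
    entries = {}
    for row in csv.reader(io.StringIO(sdn_text)):
        if not row:
            continue
        ent_num, name, sdn_type, program = row[0], row[1], row[2], row[3]
        entries[ent_num] = {"name": name, "type": sdn_type,
                            "program": program, "names": [name]}
    for row in csv.reader(io.StringIO(alt_text)):
        if not row:
            continue
        ent_num, alt_name = row[0], row[3]
        if ent_num in entries:
            entries[ent_num]["names"].append(alt_name)
    return entries


def similarity(a: str, b: str) -> float:
    """Best of direct and token-sorted ratio on normalized names (0.0 .. 1.0)."""
    na, nb = normalize(a), normalize(b)
    direct = SequenceMatcher(None, na, nb).ratio()
    reordered = SequenceMatcher(None, token_key(na), token_key(nb)).ratio()
    return max(direct, reordered)


def screen(candidate: str, entries: dict, threshold: float = 0.85) -> list:
    """Return list entries whose primary name or any alias scores >= threshold."""
    hits = []
    for ent_num, entry in entries.items():
        best_name, best = None, 0.0
        for listed in entry["names"]:
            score = similarity(candidate, listed)
            if score > best:
                best_name, best = listed, score
        if best >= threshold:
            hits.append({"ent_num": ent_num, "matched": best_name,
                         "score": round(best, 3), "program": entry["program"],
                         "type": entry["type"]})
    hits.sort(key=lambda h: -h["score"])
    return hits


if __name__ == "__main__":
    table = load_entries(SDN_CSV, ALT_CSV)
    for applicant in ("Alpha Beta Placeholder", "P.S.C. Software", "Jane Unrelated"):
        print(applicant, "->", screen(applicant, table))
```

The threshold is a tuning knob, not a verdict: lower it and every hit needs a human review, raise it and transliteration variants slip past. In practice the screen runs against the current list download, re-runs on every list update, and is only one input beside identity and employment verification, since an operative working under a fabricated identity will never match a listed name.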