North Korean IT workers have been quietly embedding themselves within crypto firms and decentralized finance projects for at least seven years, according to a cybersecurity researcher.
Taylor Monahan, a developer at MetaMask, said Sunday that many developers tied to North Korea have contributed to widely used DeFi protocols dating back to the early “DeFi summer” period. She claimed that more than 40 platforms—including several prominent ones—may have unknowingly relied on such contributors, adding that their claimed years of blockchain experience are often genuine.
The Lazarus Group, a state-linked cybercrime unit, has stolen an estimated $7 billion in cryptocurrency since 2017, according to analysts at R3ACH. The group has been connected to several major breaches, including the 2022 attack on Ronin Bridge, the 2024 hack of WazirX, and the 2025 exploit targeting Bybit.
Monahan’s remarks followed a statement from Drift Protocol, which said it had “medium-high confidence” that a recent $280 million exploit on its platform was carried out by a North Korean state-affiliated group.
Industry executives have also raised concerns. Tim Ahhl, founder of Titan Exchange, recalled interviewing a highly qualified candidate in a previous role who later turned out to be linked to the Lazarus Group. The individual participated in video interviews but refused to meet in person, and was later identified through a leaked dataset tied to the group.
To counter such risks, the Office of Foreign Assets Control provides tools for crypto firms to screen counterparties against its sanctions lists and detect patterns associated with fraudulent IT worker activity.
Drift Protocol said its postmortem on last week’s $280 million exploit points to North Korean-linked actors, but noted that the in-person interactions tied to the breach involved “third-party intermediaries” rather than North Korean nationals.
According to the report, these intermediaries used fully fabricated identities, complete with detailed employment histories, public credentials, and professional networks, to gain trust and access. Tim Ahhl remarked that the Lazarus Group now appears to employ non-North Koreans to carry out in-person deception, suggesting an evolution in their tactics.
Meanwhile, blockchain investigator ZachXBT clarified that “Lazarus Group” is a broad term encompassing multiple state-backed cyber units from North Korea. He emphasized that the threat landscape varies widely, even though such actors are often grouped together.
ZachXBT also downplayed the technical sophistication of common attack methods, noting that scams conducted through job postings, LinkedIn, email, Zoom, or interviews are relatively basic. “The only notable aspect is their persistence,” he said, adding that teams falling for these tactics in 2026 could be considered negligent.
