North Korean IT Workers Embedded in DeFi Projects for Seven Years, Analyst Says

Highlights:

• North Korean IT workers spent seven years inside DeFi teams and helped build real crypto protocols.
• Lazarus Group has stolen about $7 billion in crypto through fewer but larger attacks.
• Crypto firms still miss infiltration risks during hiring despite repeated interview-based entry attempts.

North Korean IT workers have spent at least seven years working inside crypto companies and DeFi projects, according to a post by security researcher and MetaMask developer Taylor Monahan. In the post shared on Sunday, she said these workers joined teams as developers and helped build widely used DeFi protocols. She also said their resumes showing years of blockchain experience were accurate. Crypto companies hired them after interviews confirmed their coding ability.

🚨ALERT: NORTH KOREAN DEVS HAS BEEN BUILDING CRYPTO'S BIGGEST PROTOCOLS RIGHT UNDER OUR NOSES

DPRK IT workers have been embedded inside major crypto protocols since DeFi Summer, quietly building the very platforms millions of users trust daily, on-chain analyst Tay (@tayvano_)… pic.twitter.com/sUSjdwXn7B

— BSCN (@BSCNews) April 6, 2026

Taylor Monahan said more than 40 DeFi platforms employed these workers between 2020 and 2026. She said this activity began during DeFi summer, when projects rushed to launch new products. During that period, many companies hired remote developers to meet demand. Some teams reduced identity checks to speed up hiring. These workers used that gap to enter teams and secure long-term roles.

She said these workers contributed code, maintained smart contracts, and supported daily protocol operations. She named projects such as Yearn, Sushi, and Fantom as examples of possible exposure. These workers were part of engineering teams that managed live user funds. They accessed codebases, deployment tools, and internal communication channels. This access placed them inside the core structure of several DeFi platforms.

This position allowed them to understand how each protocol handled transactions and stored assets. They reviewed system designs and observed how teams fixed bugs and handled upgrades. This knowledge helped them identify weak points inside the systems.

North Korean IT Workers Drive Billion-Dollar Crypto Theft Activity

This infiltration links to the Lazarus Group, which analysts associate with North Korea’s cyber operations. Analysts at R3ACH Network said the group has stolen about $7 billion in crypto since 2017. They also reported that the group stole about $2.02 billion last year alone. These attacks did not happen frequently, but each one targeted large amounts. This pattern shows a shift toward fewer and larger thefts.

The Ronin Bridge attack resulted in losses of about $625 million. The WazirX hack caused losses of about $235 million. The Bybit breach led to losses of about $1.4 billion. Earlier this month, Drift Protocol reported a $280 million exploit and linked it to North Korean actors. Each attack followed a planned sequence rather than a quick breach.

In its postmortem, Drift Protocol said attackers prepared the exploit over several months. The attackers used social engineering to gain access through trusted interactions. They did not break in directly but used access points already inside the system.

Hiring Channels and Proxy Identities Expand the Threat Network

Crypto companies have been encountering North Korean IT workers during the hiring processes. Tim Ahhl, founder of Titan Exchange, said his team interviewed a candidate later linked to Lazarus. He said the candidate passed interviews and completed technical discussions without issues. The candidate joined video calls and answered questions in detail. However, the candidate refused to attend an in-person meeting. Later checks linked the identity to a Lazarus information dump.

at a previous job, we interviewed someone who turned out to be a Lazarus operative. he did video calls and was extremely qualified

we invited him for in person interviews and he ultimately declined to fly out, so we passed

only later did we find his name in a Lazarus info dump… https://t.co/Vnvffrkjee

— tim | Titan (@timahhl) April 5, 2026

Drift Protocol said attackers used intermediaries to approach teams during hiring and collaboration stages. These intermediaries created identities with employment records, public profiles, and references. They communicated through normal channels such as email and video meetings. Teams treated them as legitimate candidates or partners during discussions. This process allowed them to build trust before any exploit took place.

Blockchain investigator ZachXBT said attackers use simple methods to reach targets. He said they contact teams through job listings, LinkedIn messages, and direct emails. He also said they repeat these attempts until a company responds.