North Korean Developers Secretly Embedded in Major DeFi Projects for Seven Years

Seven Years of Covert Infiltration

MetaMask developer Taylor Monahan has exposed the extent to which North Korean IT workers have penetrated the decentralized finance industry. According to Monahan, DPRK-linked individuals have been securing positions at DeFi projects for at least seven years, dating back to the original "DeFi summer."

"Lots of DPRK IT Workers built the protocols you know and love, all the way back to defi summer. The '7 years blockchain dev experience' on their resume is not a lie." — Tay 💖 (@tayvano_), original post

Monahan named several projects where DPRK-affiliated individuals had worked: SushiSwap, Thorchain, Fantom, Shib, Yearn, Floki, and many others.

Why This Matters

The scale of North Korean developer infiltration raises fundamental questions about the security of codebases powering some of the most widely used DeFi protocols. If individuals tied to state-backed hacking operations had years of access to source code, the potential for embedded vulnerabilities is significant. The discussion emerged alongside a report from the Drift Protocol team, which suffered a $280 million hack that developers attributed to North Korean hackers.

Lazarus Group Encounter: A Cautionary Tale

Monahan's revelation came in response to a post by Tim Ahl, founder of Solana aggregator Titan. Ahl shared that at a previous job, he had interviewed a candidate who later turned out to be a Lazarus Group member. The individual was highly skilled and consistently joined video calls, but refused to attend an in-person meeting — prompting the team to reject the application. His name subsequently appeared in a Lazarus-related data leak. Ahl added that the group now deploys non-North Korean agents who build trust through face-to-face interactions.

ZachXBT: Not All Threats Are Equal

Blockchain investigator ZachXBT, who has repeatedly highlighted DPRK cyber threats targeting the crypto sector, weighed in on the discussion. He clarified that Lazarus Group is a blanket term covering all state-sponsored North Korean cyber actors.

"The main issue is everyone groups them all together when the complexity of threats are different." — ZachXBT (@zachxbt), original post

ZachXBT characterized tactics such as fake job postings, LinkedIn outreach, phishing emails, Zoom calls, and staged interviews as "basic and primitive" schemes. Their primary advantage, he noted, is persistence. Identifying these actors today is relatively straightforward. Only two groups — TraderTraitor and AppleJeus — are capable of executing truly sophisticated attacks.

Verification and Defense Resources

Several tools exist to help crypto teams protect themselves. The U.S. Treasury Department's OFAC maintains a dedicated website where crypto companies can screen counterparties against current sanctions lists and review warnings about common fraud patterns employed by DPRK IT workers.

Taylor Monahan has also built an open-source knowledge base on GitHub, compiling research-backed information on North Korea's activities in the digital asset space. ZachXBT endorsed the repository as a valuable resource.

"@tayvano_ has built a good resource on GitHub that's a wealth of knowledge about DPRK using research collected from a variety of sources" — ZachXBT (@zachxbt), original post

In March, the Lazarus Group was suspected of attacking crypto gift card service Bitrefill, underscoring the persistent and expanding nature of DPRK-linked cyber operations targeting the cryptocurrency sector.