Solana DEX Stabble Urges Emergency Liquidity Withdrawal After Former CTO Linked to North Korea

Stabble sounds the alarm: immediate liquidity withdrawal requested

Solana-based decentralized exchange Stabble issued an urgent call on April 7 for all users to immediately pull their liquidity from the platform. The emergency measure came after the team discovered that a former chief technology officer had been flagged by on-chain investigator ZachXBT as a DPRK-linked individual.

«EMERGENCY! guys please temporally withdraw your liquidity instantly! Better safe than sorry. The new stabble team.» — stabble (@stabbleorg), original post

In the wake of the announcement, Stabble's TVL (Total Value Locked) plummeted from $2 million to $600,000 within 24 hours as users rushed to remove their assets.

Why this matters

The Stabble incident unfolds against a backdrop of heightened cybersecurity concerns across the crypto industry. Since early April, the community has been on high alert following the Drift Protocol hack, which resulted in losses exceeding $280 million. Investigators later attributed that attack to a North Korean hacking group that spent six months infiltrating the protocol's development team through in-person meetings and social engineering.

The revelation that a former Stabble employee had ties to North Korea deepens fears about DPRK operatives embedding themselves within DeFi projects. In March, North Korean hackers were also suspected in an attack on crypto e-commerce platform Bitrefill.

Inside the Stabble situation

The Stabble team emphasized that the platform itself was not breached and no user funds were compromised. Nevertheless, the new leadership opted for a preemptive approach, prioritizing user safety over business continuity.

Solana Foundation's Head of Product Vibhu Norby provided additional context in a public response:

«For anyone reading this and wants a more thoughtful explanation, I have gathered details here: — Team learned today that former CTO (let go one year ago) was the same person that ZackXBT flagged as DPRK — Fully new team acquired Stabble recently to take it forward — There is…» — vibhu (@vibhu), original post

According to Norby, the team learned that the former CTO — who had been let go a year earlier — was the same person ZachXBT identified as being linked to North Korea. A completely new team recently acquired Stabble to continue its development. While no known vulnerabilities or issues were found, the project chose to act cautiously and asked users to withdraw as a precaution.

Concerns over hidden backdoors

Some community members have speculated that North Korean hackers could have planted backdoors or other security vulnerabilities in the project's codebase during the former CTO's tenure. This appears to be the primary concern driving the new team's decision — if the code contains hidden exploits, they could be triggered at any time.

Stabble also announced a complete leadership overhaul. The current team positions itself as an entirely new group with no connection to the previous management.

A growing pattern of DPRK cyber operations

Cybersecurity anxiety within the Solana ecosystem and the broader DeFi space continues to intensify. The Drift Protocol incident, where DPRK-linked attackers stole over $280 million, stands as one of the largest hacks in recent months. The attackers' methodology — long-term infiltration through social engineering and personal relationships with developers — renders conventional security measures insufficient.

The Stabble case demonstrates that even projects that haven't been directly hacked are now forced to take drastic action when employee ties to North Korea surface. Personnel security is rapidly becoming a top priority for the entire DeFi industry.