06.04.2026 08:58
North Korean IT professionals have been embedding themselves within decentralized finance projects for at least seven years, according to Taylor Monahan, a prominent developer behind the popular crypto wallet MetaMask. In a striking social media post, she drew attention to how these operatives have been constructing the very protocols that users worldwide have come to trust and utilize, tracing their involvement back to the era of "DeFi summer." The seven years of blockchain development experience prominently displayed on their resumés, she emphasized, represents genuine expertise rather than fabricated credentials.
The infiltration spans numerous well-known projects in the cryptocurrency space. Among those confirmed to have been affected by North Korean operatives are SushiSwap, Thorchain, Fantom, Shib, Yearn, and Floki, alongside several other protocols that have become foundational to the DeFi ecosystem.
Monahan's observations emerged in response to revelations from Tim Ahl, founder of the Solana-based aggregation platform Titan. Ahl shared a disturbing account from his hiring experience: he had interviewed a candidate who proved to be exceptionally talented and consistently participated in video conferences. However, when the team extended an invitation for an in-person meeting, the applicant categorically refused to travel. Their application was subsequently rejected. Months later, the individual's name surfaced in a leaked database connected to the Lazarus Group, revealing that the organization now employs agents beyond North Korean borders who cultivate personal relationships to earn trust.
These conversations gained momentum following a devastating incident involving the Drift Protocol, which suffered losses amounting to $280 million in a sophisticated hack. The development team publicly attributed the attack to North Korean hackers.
Blockchain investigator ZachXBT, who has consistently warned about North Korean threats to the cryptocurrency industry, contributed valuable context to the discussion. According to his analysis, "Lazarus Group" serves as an umbrella term encompassing all state-sponsored cyber actors operating on behalf of North Korea. He cautioned that while these threats are frequently lumped together, the sophistication and complexity of the different subgroups vary significantly. Methods such as job postings, LinkedIn outreach, unsolicited emails, Zoom interviews, and standard hiring processes represent what ZachXBT characterized as rudimentary approaches. The primary weapon employed by these bad actors, he noted, is relentless persistence. He also observed that identifying fraudulent applicants has become considerably easier in the current landscape.
Only two specific subgroups continue executing highly sophisticated attacks: TraderTraitor and AppleJeus.
Industry participants have access to verification resources. The U.S. Treasury's Office of Foreign Assets Control maintains a dedicated platform enabling cryptocurrency companies to screen potential counterparties against existing sanctions lists while providing insights into common fraud tactics employed by IT professionals. Additionally, Monahan has compiled an extensive knowledge base on GitHub, aggregating research-based findings about North Korea's activities within the digital asset domain.
In March, the Lazarus Group was also suspected of targeting the cryptocurrency online marketplace Bitrefill, further illustrating the breadth of their ongoing operations.
