North Korea-linked entities have been quietly integrating into cryptocurrency companies and DeFi teams for years, and a series of high-stakes exploits attributed to the country’s cyber apparatus has raised new concerns about insider risk.
Summary
According to one security researcher, North Korea-related developers have worked within more than 40 DeFi projects over the past seven years. Investigators and industry insiders warn that many intrusion attempts rely on simple but persistent tactics through recruitment channels and social engineering.
Security researcher and MetaMask developer Taylor Monaghan said these tactics date back to the early days of decentralized finance, with individuals linked to the Democratic People’s Republic of Korea contributing to several widely used protocols.
“Back in the summer of DeFi, many North Korean IT personnel built the protocols you know and love,” she said Sunday, adding that more than 40 platforms, including some well-known projects, relied on such developers at some point.
She added, however, that the “seven years of blockchain development experience” listed on such a worker’s resume is “not a lie.”
Investigators have long linked North Korean cyber activity to the Lazarus Group, a state-sponsored group believed to have stolen about $7 billion in digital assets since 2017, according to analysts at R3ACH.
The group is held responsible for some of the industry’s largest breaches, including the $625 million Ronin Bridge exploit in 2022, the $235 million WazirX hack in 2024, and the $1.4 billion Bybit hack in 2025.
Last week’s $280 million Drift Protocol exploit has drawn renewed attention to the issue. The project said it had “moderate to high confidence” that a North Korean state-linked group was behind the attack and tied the incident to a broader pattern of infiltration and social engineering.
However, the face-to-face meetings leading up to the exploit were not conducted by North Korean nationals but by “third-party intermediaries” using “fully developed identities, including employment history, official qualifications, and professional networks.” These profiles, with active professional networks behind them, allowed trust to be built through direct interaction before the exploitation unfolded.
Independent blockchain researcher ZachXBT warned in a recent X post that not all threats related to North Korea operate at the same level of sophistication.
“The main problem is that when the threats are of different complexity, everyone groups them together,” he said.
He explained that many intrusion attempts are relatively simple and rely on persistence rather than technical complexity. Outreach through job listings, LinkedIn, email, Zoom calls, and interview processes remains the most common entry point.
“The only thing that is fundamental and never sophisticated (…) is that they are relentless,” he said, adding that teams that continue to fall for such tactics in 2026 risk being seen as negligent.
