North Korea-linked operators have spent years quietly embedding themselves within crypto firms and DeFi teams, raising renewed concerns about insider threats following a series of major exploits tied to the country’s cyber network.
Summary
Developers linked to North Korea have worked across more than 40 DeFi projects over the past seven years, according to a security researcher.
Experts say many infiltration attempts rely on simple but persistent tactics, including hiring channels and social engineering.
Security researcher and MetaMask developer Taylor Monahan said such activity dates back to the early days of DeFi.
Long-term infiltration across DeFi
Taylor Monahan warned that individuals tied to North Korea have been involved in building and contributing to widely used DeFi protocols for years.
She stated that developers connected to the country have worked on more than 40 platforms, including several prominent projects, since the early “DeFi summer” era. Despite concerns, she noted that their technical experience is often genuine, making detection more difficult.
Links to major cyberattacks
Investigators have long associated North Korea’s cyber activities with the Lazarus Group, a state-backed entity believed to have stolen billions in digital assets since 2017.
The group has been linked to some of the largest crypto breaches, including the Ronin Bridge exploit (2022), the WazirX hack (2024), and the Bybit incident (2025), highlighting the scale of its operations.
Drift Protocol exploit raises fresh alarms
A recent $280 million exploit involving Drift Protocol has intensified scrutiny. The project said it has “medium-high confidence” that a North Korean-affiliated group was responsible, pointing to a broader pattern of infiltration and manipulation.
Notably, the individuals involved in pre-attack interactions were not directly identified as North Korean nationals but operated through intermediaries using carefully constructed identities. These included detailed work histories, public profiles, and professional networks, allowing them to build credibility before executing the attack.
Simple tactics, persistent execution
Blockchain investigator ZachXBT emphasized that not all threats tied to North Korea are highly sophisticated.
He noted that many operations rely on basic methods—such as job applications, LinkedIn outreach, email communication, and interviews—combined with persistence. According to him, the effectiveness of these tactics lies not in complexity but in consistency, warning that teams still falling for them risk being seen as negligent.
Key takeaway
The situation highlights a growing concern in the crypto industry:
Insider threats may be as significant as external hacks.
Even simple social engineering tactics can have major consequences.
Long-term infiltration makes detection and prevention increasingly difficult.