Highlights:
- North Korean IT employees spent years developing DeFi applications and earning reputable positions as developers.
- Drift Protocol exploit valued at approximately $285M, following a six-month operation built on trust and false identities.
- Lazarus-linked activity connects this infiltration with $7B in crypto theft since 2017.
North Korean IT workers have operated within cryptocurrency firms and decentralized finance (DeFi) projects for at least seven years, according to statements from security researchers and recent incident reports. Evidence presented by developers, exchange operators, and affected protocols indicates that these actors established themselves in development environments, contributed to blockchain infrastructure, and, in some cases, facilitated high-value exploits.
Researchers say North Korean IT workers have years of DeFi experience
In a post on X on Sunday, Monahan, a MetaMask developer and security researcher, said that North Korean IT workers had been involved in crypto development for at least seven years. She said many of these individuals had experience that went back to “DeFi summer” and added that their claims of long blockchain development histories were genuine.
According to Monahan, more than 40 DeFi platforms have had North Korean IT workers involved in building their protocols. Her remarks connected employment-related infiltration with a wider record of cyber activity attributed to North Korean groups.
The Lazarus Group, a hacking collective linked to North Korea, has stolen an estimated $7 billion in cryptocurrency since 2017, according to analysts at creator network R3ACH. That total includes several of the industry’s largest known breaches over the period.
Among the incidents linked to Lazarus are the $625 million Ronin Bridge exploit in 2022, the $235 million WazirX hack in 2024, and the $1.4 billion Bybit heist in 2025. These attacks remain some of the most widely cited cases in the sector, and their scale has kept attention on the connection between North Korean cyber operations and the crypto market.
Hiring stories show how the infiltration reached crypto firms
Additional comments from industry participants suggested that the issue extended beyond anonymous online work. Tim Ahhl, founder of the Solana-based DEX aggregator Titan Exchange, said that at a previous job, his team interviewed a candidate who later turned out to be a Lazarus operative.
According to Ahhl, the candidate participated in video calls and demonstrated strong qualifications throughout the process. Ahhl said the applicant refused to take part in an in-person interview. He added that the individual’s name was later found in a Lazarus-related “info dump.”
His account added another example of how North Korean IT workers or linked operatives could pass through ordinary hiring channels while presenting strong technical credentials.
United States authorities have also published resources to help firms identify these risks. The Office of Foreign Assets Control maintains an online tool that allows crypto businesses to screen counterparties against updated sanctions lists. The agency’s guidance also warns firms to watch for patterns associated with IT worker fraud.
Drift describes a six-month operation behind the exploit
The issue took on added significance after Drift Protocol released an incident update on Sunday. The decentralized exchange said it had “medium-high confidence” that the recent exploit against the platform was carried out by a North Korean state-affiliated threat group.
Drift placed the losses at roughly $285 million and described the attack as a structured intelligence operation that unfolded over six months.
According to the protocol, the attackers first contacted contributors at a major crypto conference last fall. Drift said the group presented itself as a quantitative trading firm that wanted to integrate with the protocol. From there, the relationship developed over several months through in-person meetings, Telegram communication, and broader project coordination.
Drift said the group also onboarded an Ecosystem Vault on the platform and deposited $1 million of its own capital. That deposit, along with the repeated interactions, appears to have helped build trust before the exploit was executed. When the attack took place, Drift said the chats and malware connected to the operation were “completely scrubbed.”