It Turns Out Your Favorite DeFi Protocol Has a Pyongyang Developer on LinkedIn
North Korean IT workers have been embedding themselves in crypto companies and decentralized finance projects for at least seven years, according to a cybersecurity analyst. That's right—while you were busy apeing into yield farms, some developer in Pyongyang was quietly collecting salary in USDC and probably has a better GitHub contribution graph than your entire team.
"Lots of DPRK IT workers built the protocols you know and love, all the way back to DeFi summer," said MetaMask developer and security researcher Taylor Monahan on Sunday. Your favorite yield-generating meme coin machine? Yeah, probably built by someone whose government considers "financial sovereignty" to mean "taking yours."
Monahan claimed that more than 40 DeFi platforms, some of them well-known names, have had North Korean IT workers working on their protocols. The "seven years of blockchain dev experience" on their resumes is "not a lie," she added. Turns out when your entire country runs on state-mandated overtime, you actually do get stuff done. Who knew?
The Lazarus Group is a North Korean-affiliated hacking collective that has stolen an estimated $7 billion in crypto since 2017, according to analysts at creator network R3ACH. It has been linked to the industry's highest-profile hacks, including the $625 million Ronin Bridge exploit in 2022, the $235 million WazirX hack in 2024 and the $1.4 billion Bybit heist in 2025. That's more money than most sovereign wealth funds. They're basically running a nation-state hedge fund with better ROI than Three Arrows Capital ever dreamed of.
Monahan's comments came just hours after the Drift Protocol said it had "medium-high confidence" that the recent $280 million exploit against it was carried out by a North Korean state-affiliated group. Medium-high confidence. Somewhere between "probably the Koreans" and "we're pretty sure it's the Koreans." Groundbreaking stuff.
DeFi execs speak up on DPRK infiltration attempts
Tim Ahhl, founder of the Titan Exchange, a Solana-based DEX aggregator, said that in a previous job, "we interviewed someone who turned out to be a Lazarus operative." Nothing like finding out your star candidate's real employer makes the US Treasury's sanctions list.
Ahhl said the candidate "did video calls and was extremely qualified." He declined an in-person interview and they later discovered his name in a Lazarus "info dump." Classic remote work era red flag: great on Zoom, absolutely refuses to meet in person. Should've been your first hint.
The US Office of Foreign Assets Control has a website where crypto businesses can screen counterparties against updated OFAC sanctions lists and stay alert to patterns consistent with IT worker fraud. Yes, there's a website. No, your compliance team probably hasn't checked it since 2021.
Drift Protocol targeted by DPRK third-party intermediaries
Drift Protocol's postmortem on last week's $280 million exploit also attributed the attack to North Korean-affiliated hackers. However, it said the face-to-face meetings that eventually led to the exploit were not with North Korean nationals, but rather "third-party intermediaries" with "fully constructed identities including employment histories, public-facing credentials, and professional networks." So now they're not even doing their own dirty work; they've got unwitting Western recruiters out here doing the hiring for them. The division of labor is impressive, honestly.
"Years later, and it seems Lazarus now has non-NKs [North Koreans] working for them to con people in person," said Ahhl. The grift has evolved. It's like MLMs, but with nation-state backing and better dental.
Threats via job interviews are not sophisticated
Lazarus Group is the collective name for "all DPRK state-sponsored cyber actors," explained blockchain sleuth ZachXBT on Sunday. "The main issue is that everyone groups them all together when the complexity of threats is different," he added. Not all hackers are created equal. Some are elite nation-state operators, others are just really persistent LinkedIn recruiters.
ZachXBT said that threats via job postings, LinkedIn, email, Zoom, or interviews are "basic and in no way sophisticated … the only thing about it is they're relentless." It's not clever social engineering—it's just spam with a government budget. If you're getting phished by a LinkedIn message in 2026, the joke's on you.
"If you or your team still falls for them in 2026, you're very likely negligent," he said. Ouch. But honestly? Fair.