North Korean IT workers have been quietly embedding themselves inside cryptocurrency companies and decentralized finance projects for at least seven years, according to a cybersecurity researcher. Taylor Monahan, a developer and security researcher at MetaMask, stated on Sunday that more than 40 DeFi platforms — including some well-known names — have unknowingly employed North Korean workers on their protocols. She noted that the “seven years of blockchain development experience” these individuals list on their resumes is “not a lie,” pointing to their genuine involvement dating back to what the industry calls DeFi summer.
The Lazarus Group, a hacking collective affiliated with the North Korean state, has stolen an estimated $7 billion in cryptocurrency since 2017, according to analysts at creator network R3ACH. The group has been connected to several of the industry’s most damaging breaches, including the $625 million Ronin Bridge exploit in 2022, the $235 million WazirX hack in 2024, and the $1.4 billion Bybit heist in 2025. These incidents have established Lazarus as one of the most persistent financial threats in the digital asset space.
Monahan’s remarks came shortly after Drift Protocol disclosed it had “medium-high confidence” that a recent $280 million exploit against it was carried out by a North Korean state-affiliated group. The protocol’s postmortem on the attack indicated that months of deliberate preparation preceded the breach. Notably, the face-to-face interactions that ultimately enabled the exploit were not conducted by North Korean nationals directly, but by “third-party intermediaries” equipped with fully constructed identities, including employment histories, public-facing credentials, and professional networks.
Tim Ahhl, founder of Titan Exchange, a Solana-based DEX aggregator, shared a personal account of encountering a suspected Lazarus operative during a hiring process at a previous employer. He said the candidate participated in video calls and appeared highly qualified, but declined to meet in person. The individual’s name was later discovered in a Lazarus information dump, confirming suspicions about their true identity. Ahhl suggested the group has evolved its tactics, now using non-North Korean individuals to conduct in-person deception on its behalf.
Blockchain investigator ZachXBT offered additional context on Sunday, clarifying that Lazarus Group serves as a collective label for all North Korean state-sponsored cyber actors. He cautioned against treating the group as a single, uniform threat, noting that the complexity of their operations varies considerably. ZachXBT described threats delivered through job postings, LinkedIn, email, Zoom calls, or interviews as unsophisticated, though he acknowledged their defining characteristic is persistence.
ZachXBT stated that any individual or organization that falls for these tactics in 2026 is “very likely negligent,” given how widely documented the methods have become. The US Office of Foreign Assets Control maintains a publicly accessible website where cryptocurrency businesses can screen counterparties against updated sanctions lists and identify patterns consistent with IT worker fraud. Industry observers continue to urge companies to apply rigorous vetting procedures, particularly for remote hires with blockchain backgrounds, as the scale of infiltration becomes clearer.
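The screening step mentioned above (checking counterparties against a sanctions list) is the kind of control a DeFi team can automate. The following Python script is an added example, not code from the article, from OFAC or from any of the projects named here. It does not download the real Specially Designated Nationals (SDN) list; instead it screens names and wallet addresses against a small constructed list whose shape only loosely mirrors SDN digital-currency entries. All names, addresses and identifiers in it are invented, and the name-matching rule is a simple token-containment heuristic chosen for illustration.

```python
"""Counterparty screening against a sanctions-style list (added example).

Assumptions: the list below is CONSTRUCTED and is not OFAC data; in practice
the live SDN list (or OFAC's own search tool) is the source of truth, and any
hit is a prompt for manual review rather than a verdict.
"""
import re
import unicodedata

# CONSTRUCTED sample entries. Names, aliases and addresses are invented.
SAMPLE_SANCTIONS_LIST = [
    {
        "uid": 1001,
        "name": "EXAMPLE TRADING CO.",
        "aliases": ["Example Trading Company Ltd", "EXMPL TRADING"],
        "addresses": {
            "ETH": ["0xAbCdEf00000000000000000000000000000000001"],
            "XBT": ["bc1qconstructedexampleaddress000000000000"],
        },
    },
    {
        "uid": 1002,
        "name": "DOE, John Q.",
        "aliases": ["John Doe"],
        "addresses": {"ETH": ["0x00000000000000000000000000000000000000ab"]},
    },
]

# Corporate suffixes that carry no identifying weight in a name comparison.
STOP_TOKENS = {"co", "company", "ltd", "limited", "inc", "llc", "corp", "corporation"}


def name_tokens(name: str) -> frozenset:
    """Fold case, strip accents and punctuation, and drop corporate suffixes so
    'Example Trading Co.' and 'EXAMPLE TRADING COMPANY LTD' compare equal."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    text = re.sub(r"[^a-z0-9 ]", " ", text.lower())
    return frozenset(t for t in text.split() if t not in STOP_TOKENS)


def normalize_address(chain: str, address: str) -> str:
    """Canonicalize an address for exact comparison. EVM-style hex addresses are
    case-insensitive, so they are lowercased; other chains are compared as-is
    after trimming whitespace (Bitcoin base58 addresses are case-sensitive)."""
    address = address.strip()
    if chain == "ETH":
        return address.lower()
    return address


def screen(counterparty: dict, sanctions=SAMPLE_SANCTIONS_LIST) -> list:
    """Return a list of hits for a counterparty described by an optional 'name'
    and an optional 'addresses' mapping of {chain: [address, ...]}.

    Address hits are exact after normalization. Name hits use token
    containment (one side's tokens are a subset of the other's, with at least
    two tokens) which is deliberately loose: false positives go to review,
    false negatives are the costly failure."""
    hits = []
    query_tokens = name_tokens(counterparty.get("name", ""))
    query_addrs = {
        (chain, normalize_address(chain, a))
        for chain, addrs in counterparty.get("addresses", {}).items()
        for a in addrs
    }

    for entry in sanctions:
        for chain, addrs in entry["addresses"].items():
            for listed in addrs:
                if (chain, normalize_address(chain, listed)) in query_addrs:
                    hits.append({"uid": entry["uid"], "reason": f"address match on {chain}", "value": listed})

        if len(query_tokens) >= 2:
            for candidate in [entry["name"], *entry["aliases"]]:
                listed_tokens = name_tokens(candidate)
                if query_tokens <= listed_tokens or listed_tokens <= query_tokens:
                    hits.append({"uid": entry["uid"], "reason": "name match", "value": candidate})
                    break  # one name hit per entry is enough to flag it
    return hits


if __name__ == "__main__":
    # Constructed onboarding request for a remote contractor.
    applicant = {
        "name": "Example Trading Company Ltd",
        "addresses": {"ETH": ["0xabcdef00000000000000000000000000000000001"]},
    }
    for hit in screen(applicant):
        print(f"FLAG uid={hit['uid']}: {hit['reason']} ({hit['value']})")
```

The address check is the reliable part: a payout wallet that appears on the list is a hard signal. Name matching is only a first filter; fake identities built for these operations are unlikely to reuse a listed name verbatim, which is why the article's sources stress in-person verification and identity vetting alongside list screening.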
Originally reported by CoinTelegraph.
