Concerns about North Korean IT workers quietly embedding themselves inside cryptocurrency companies and decentralized finance (DeFi) projects are resurfacing after a fresh wave of high-profile cyber incidents.
Security researchers say the issue may be deeper than isolated hacks, pointing instead to a long-running strategy that combines legitimate employment, technical expertise, and financial motives.
Taylor Monahan, a developer linked to crypto wallet provider MetaMask, said on Sunday that North Korean IT workers have been actively participating in building blockchain systems for at least seven years.
Her comments suggest that many of these individuals were not operating on the fringes as outside attackers but were hired as regular developers, working remotely alongside international teams and contributing to real products.
“Lots of DPRK IT workers built the protocols you know and love, all the way back to DeFi summer,” Monahan wrote, referencing the explosive growth period for decentralized finance in 2020. That period saw a boom in new platforms, all vying to provide lending, trading, and yield-generating services.
North Korean hackers get tricky with scams
It appears that many DeFi systems were created with the help of North Korean developers. Because of the need to grow fast and stay competitive, developers often hired talented people from all over the world. These arrangements often involved remote work, which made it difficult to conduct thorough background checks on candidates.
According to Monahan, over 40 DeFi platforms have used North Korean IT specialists to build their protocols or support the systems’ infrastructure.
She also stressed that the experience listed on their resumes was often legitimate.
In her view, the phrase “seven years of blockchain dev experience” was not fabricated. Many of these workers were skilled engineers with genuine technical backgrounds. The concern, she suggested, lies not in their abilities but in undisclosed affiliations and the possibility that their work could serve broader state-directed objectives.
Security analysts say this approach fits into a larger pattern associated with North Korea’s cyber strategy. Rather than concentrating solely on hacking, the nation has been increasing its focus on earning money through digital means, such as stealing cryptocurrency, freelancing in information technology, and working remotely as software developers.
By gaining employment at legitimate companies, these individuals will not only make money but also be able to learn how the company’s systems operate and possibly find a way back into them in the future.
The Lazarus Group is one of the organizations most commonly associated with these activities.
According to cybersecurity specialists, the group has stolen approximately $7 billion in cryptocurrencies since 2017, making it one of the most lucrative cybercriminal organizations tied to a nation state.
The organization has been linked to some of the major security breaches in the crypto industry. Examples include the 2022 breach of the Ronin Bridge, which led to losses of nearly $625 million, the 2024 hack of WazirX worth approximately $235 million, and the 2025 theft from Bybit, which involved losses of almost $1.4 billion in crypto. In each case, the breaches revealed weaknesses in system security, access management, and even internal procedures.
Drift exploit adds urgency to warnings about North Korean cyber threats
Monahan’s warning gained additional urgency following a recent incident involving Drift Protocol. The platform said it had “medium-high confidence” that a $280 million exploit targeting its system was carried out by a group affiliated with the North Korean state.
Although investigations are still ongoing, the case highlights how infiltration and hacking risks can overlap, particularly when attackers possess deep technical knowledge of a system.
According to experts in the field, these issues indicate structural problems in the cryptocurrency space. Most companies working in blockchain have distributed employees, use open-source software, and have developers based in various locations around the world.
Although such a setup provides opportunities for innovation and fast scaling, it can also introduce vulnerabilities in recruitment, authentication, and management.
As the demand for cryptocurrencies rises and more money flows into the industry, the temptation to carry out complex cyber operations will increase. The industry now faces a situation in which cybersecurity is no longer only a matter of protecting against outside threats but also of understanding what goes on behind the scenes: who is building, managing, and coding for the industry.

