North Korean hackers hacked crypto for seven years



North Korean IT workers have been embedding themselves in crypto companies and decentralized finance projects for at least seven years, according to a cybersecurity analyst.

MetaMask developer and security researcher Taylor Monahan said on Sunday, “Many DPRK IT workers have built protocols they know and love, right up to the summer of DeFi.”

Monahan said more than 40 DeFi platforms, some of which are well-known names, have had North Korean IT staff working on their protocols.

The “seven years of blockchain dev experience” in their description is “not a lie,” she added.


The Lazarus Group is a North Korean-linked hacking group that has stolen an estimated $7 billion in crypto since 2017, according to analysts at creator network R3ACH.

The group has been associated with some of the industry's most high-profile hacks, including the $625 million Ronin Bridge exploit in 2022, the $235 million WazirX hack in 2024, and the $1.4 billion Bybit hack in 2025.

Monahan's comments came just hours after she said she had “moderately high confidence” that Drift Protocol's recent $280 million exploit was the work of a North Korean government-linked group.

DeFi execs talk about DPRK infiltration attempts

“We interviewed someone who was a Lazarus operation,” says Tim Ahl, founder of Titan Exchange, a Solana-based DEX aggregator.

Ahl said the candidate “did video calls and was very qualified.” The candidate refused the in-person interview, and Ahl later found the candidate's name in Lazarus' “data dump.”

The US Office of Foreign Assets Control has a website where crypto businesses can screen their partners against updated OFAC sanctions lists and identify patterns consistent with IT employee fraud.

Timeline of Lazarus Group attacks. Source: R3ACH Network


Drift Protocol targeted through DPRK third-party intermediaries

Drift Protocol's postmortem of last week's $280 million exploit also pointed to hackers with North Korean ties as being behind the attack.

However, the face-to-face meetings that ultimately led to the exploit were not with North Korean nationals, but with “third-party intermediaries” who had “fully developed identities, public credentials, and professional networks, including work histories.”

“Years later, and Lazarus now seems to be non-NK [North Koreans] They are working to get people to meet them in person,” said Ahl.

Threats through job interviews are not sophisticated

The Lazarus Group is the collective name for “all DPRK government-sponsored cyber actors,” blockchain sleuth ZachXBT said on Sunday.

“The key issue is getting everyone to put it all together as the complexity of threats varies,” he added.

According to ZachXBT, threats made through job postings, LinkedIn, email, Zoom or interviews are “basic and not at all sophisticated … so the only thing they're lacking is deterrence.”

“If you or your team still fall for them in 2026, you're going to be very complacent,” he said.

There are two types of attack vectors, one more sophisticated than the other. Source: ZachXBT


Cointelegraph is committed to independent and transparent journalism. This news article is prepared in accordance with Cointelegraph's Editorial Policy and aims to provide accurate and up-to-date information. Readers are encouraged to verify information independently.
