North Korean IT workers helped build advanced protocols during the DeFi winter, the expert said.

Taylor Monahan claims that North Korean developers have been actively building popular DeFi platforms that later led to billions in crypto losses.

According to cybersecurity researcher Taylor Monahan, IT personnel linked to North Korea have been working in the decentralized finance ecosystem for years. Monahan said that during the "DeFi Summer" of 2020, these actors contributed to many popular protocols.

As her recent tweet read, the blockchain development experience listed on their resumes was often genuine, indicating real technical contributions rather than fabricated credentials.


Years of DeFi penetration

When asked for examples, she pointed to several popular projects including SushiSwap, THORChain, Yearn, Harmony, Ankr and Shiba Inu. Monahan notes that some groups, like Yearn, stand out for their strict approach to security, relying heavily on peer review and being highly skeptical of contributors.

She said this helped limit the exposure compared to other projects. Monahan also warned that the tactics have evolved, and these groups are now using non-North Korean individuals to carry out parts of their operations, including in-person communications. According to the security expert's estimate, these entities may have collectively withdrawn at least $6.7 billion from the crypto space during this period.

North Korea continues to dominate crypto-related cybercrime, having become the major state-sponsored threat in the sector. According to a previous report by Chainalysis, DPRK hackers stole at least $2.02 billion in digital assets in 2025 alone, a 51 percent increase from 2024 and accounting for 76 percent of losses from service-related breaches.

Although the attacks were fewer in number, their scale was much larger. Chainalysis attributes this to state-sponsored groups placing their own IT staff inside companies, including crypto firms, before major exploits occur.

Once funds are stolen, these actors move assets in small transactions, with over 60% of transfers under $500,000. Their laundering relies on cross-chain tools, hybrid services, and Chinese-language financial networks.


The Security Alliance (SEAL) has previously found that these groups carry out attacks using fake video-conferencing calls, including Microsoft Teams calls, to infect victims with malware. These operations often start with compromised Telegram accounts, where attackers pose as known contacts and invite targets to join a video call.

During the meeting, pre-recorded videos are used to appear legitimate before victims are told to install a purported update, which instead gives the attackers access to their devices. Once in, these actors steal sensitive information and reuse the compromised accounts to propagate the attack further.

Expanding the attack surface

Hackers with ties to North Korea were also suspected of being behind the March 1 Bitrefill breach. The attackers are said to have gained access through a compromised employee device and were able to extract credentials that allowed them to gain deep access to internal systems.

They then moved on to the databases, drained funds from the hot wallet and also abused the gift card delivery flow. Indicators such as malware patterns, on-chain behavior and reused infrastructure match previous activity linked to the Lazarus and BlueNoroff groups.
