For years, individuals linked to North Korea have been secretly working within cryptocurrency businesses and decentralized finance projects.
A Long-Standing Crypto-Infiltration Saga
News coming from North Korea often sounds like something out of a conspiracy thriller. Surprisingly, these reports are usually accurate and rarely exaggerated.
On Sunday, security researcher and MetaMask developer Taylor Monahan explained on X (formerly Twitter) that these hacking techniques are old, originating from the early days of decentralized finance (DeFi). She noted that individuals connected to North Korea have been subtly involved in contributing to several popular DeFi protocols.
Yuppppppp
Lots of DPRK IT Workers built the protocols you know and love, all the way back to defi summer
The “7 years blockchain dev experience” on their resume is not a lie.
— Tay (@tayvano_) April 5, 2026
According to her, North Korean IT professionals have been secretly involved in over 40 decentralized finance (DeFi) projects for about seven years, even contributing to some of the most well-known platforms that gained popularity during the 2020 DeFi boom.
A long list of cryptocurrency and DeFi project names is provided, including Sushi, Thorchain, Yam, Pickle, Harvest, Reclaim, and many others like Ankr, Fantom, and Beanstalk.
— Tay (@tayvano_) April 5, 2026
These individuals typically possess significant blockchain development experience – often around seven years – but use fake or compromised identities when applying for jobs through standard hiring processes.
She alleges that a highly skilled job applicant they recently interviewed was actually connected to Lazarus, a North Korean hacking group known for laundering billions of dollars through cryptocurrency. Her claims are in response to Tim, a prominent figure associated with Titan, a platform that helps people trade cryptocurrencies on the Solana network.
We once interviewed a highly qualified candidate who we later discovered was working undercover as part of a Lazarus operation. He participated in video interviews and seemed very capable.
we invited him for in person interviews and he ultimately declined to fly out, so we passed
only later did we find his name in a Lazarus info dump…
— tim | Titan (@timahhl) April 5, 2026
Crypto investigator ZachXBT responded, clarifying that the activity isn’t just from the group known as ‘Lazarus,’ but from a larger network of North Korean cybercrime units – including Lazarus, APT38, and AppleJeus – all coordinated by the Reconnaissance General Bureau and focused on stealing money. They typically start by contacting people through platforms like LinkedIn and job boards, conducting interviews, and using Zoom, then securing remote developer positions that companies often grant without enough caution.
Lazarus Group is the collective name for all DPRK state sponsored cyber actors.
The main issue is everyone groups them all together when the complexity of threats are different.
Threats via job postings, LinkedIn, email, Zoom, or interviews are basic and in no way…
— ZachXBT (@zachxbt) April 5, 2026
As a crypto investor, I’m really concerned about the recent reports. It looks like North Korean IT groups are still heavily involved in hacking and stealing crypto to fund their weapons programs. The Treasury Department and Chainalysis have uncovered evidence showing they raked in around $800 million just this year, and billions since 2017. It’s disturbing to think that my investments – and the broader crypto space – could be unintentionally supporting these activities. It highlights the need for better security and tracking within the crypto world.
New Information On The Crypto-Hack On Drift Protocol
A $285 million hack on Drift Protocol on April 1st has raised concerns about potential involvement by North Korean hackers. Drift Protocol confirmed on Saturday that reports connecting the attack to North Korean hacking groups were accurate, renewing fears of insider threats from the country.
— Drift (@DriftProtocol) April 5, 2026
Investigators attribute the attack, with a medium level of confidence, to UNC4736, a hacking group linked to North Korea; they aren’t completely certain.
The attackers used a sophisticated social engineering scheme to gain access, creating fake professional identities and meeting Drift contributors at conferences in multiple countries. They built up believable backgrounds and networks before launching their attack, having compromised contributors through deceptive practices and malicious developer tools.
The attackers tricked developers by hiding harmful code within the settings of popular coding tools like VS Code and Cursor. This allowed them to deliver a compromised project that ran on contributors’ computers without their knowledge. Because of how it worked, the attack resembles a supply chain compromise carried out by someone with inside access more than a typical smart contract hack.
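A defender-side check for the technique described above, added here as an example and not taken from Drift or the investigators: it scans a freshly cloned repository for editor configuration that can execute code when the folder is opened. The page does not name the settings involved, so the mechanism checked (VS Code tasks with `runOptions.runOn` set to `folderOpen`, plus terminal-related workspace settings) is an assumption, as is Cursor reading the same `.vscode` files; the function names and the sample repository are constructed for illustration.

```python
import json, re, tempfile
from pathlib import Path

# Real VS Code setting prefixes; treating them as the ones to watch is an assumption.
EXEC_SETTINGS = ("terminal.integrated.profiles.", "terminal.integrated.env.",
                 "terminal.integrated.automationProfile.")

def _strip(pattern, text):
    # Delete matches of `pattern` outside JSON strings, so "https://..." survives.
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    return re.sub(r'"(?:\\.|[^"\\])*"|' + pattern, keep, text, flags=re.S)

def load_jsonc(path):
    """Parse VS Code's JSON-with-comments (comments and trailing commas)."""
    text = _strip(r"//[^\n]*|/\*.*?\*/", path.read_text(encoding="utf-8"))
    return json.loads(_strip(r",(?=\s*[}\]])", text))

def audit_workspace(repo):
    """Findings (kind, file, name, command, hidden): tasks set to run when the
    folder is opened, and workspace settings that alter terminal execution."""
    repo, findings = Path(repo), []
    for tasks in repo.rglob(".vscode/tasks.json"):
        rel = tasks.relative_to(repo).as_posix()
        for t in load_jsonc(tasks).get("tasks", []):
            if t.get("runOptions", {}).get("runOn") == "folderOpen":
                hidden = t.get("presentation", {}).get("reveal") in ("never", "silent")
                findings.append(("auto-run task", rel, t.get("label"),
                                 t.get("command"), hidden))
    for settings in repo.rglob(".vscode/settings.json"):
        rel = settings.relative_to(repo).as_posix()
        for key in load_jsonc(settings):
            if key.startswith(EXEC_SETTINGS):
                findings.append(("exec setting", rel, key, None, False))
    return sorted(findings, key=str)

def build_sample_repo(root):  # constructed sample with a harmless placeholder task
    (vs := Path(root, ".vscode")).mkdir(parents=True)
    (vs / "tasks.json").write_text('''{ // constructed sample
  "version": "2.0.0", "tasks": [
    {"label": "lint", "type": "shell", "command": "npm run lint"},
    {"label": "prepare", "type": "shell", "command": "node ./scripts/setup.js",
     "detail": "docs: https://example.invalid/setup",
     "presentation": {"reveal": "never"}, "runOptions": {"runOn": "folderOpen"}},
  ]}''')
    (vs / "settings.json").write_text('{"terminal.integrated.env.linux": {"EXAMPLE": "1"}}')
    return Path(root)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(*audit_workspace(build_sample_repo(d)), sep="\n")
```

Run it against a clone before opening the folder in the editor. VS Code's Restricted Mode (Workspace Trust) also keeps workspace tasks from running until the folder is trusted.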
Following the attack, Ledger’s CTO, Charles Guillemet, suggested it was connected to the $1.4 billion hack of Bybit, which authorities believe was carried out by North Korean cyber units. Later, on Friday, the blockchain analysis firm Elliptic published a report finding similarities between this attack and previous operations linked to North Korea, including how money was moved and network patterns. Bitcoinist reported on these findings.
Market Implications
The ongoing issue of cryptocurrency hacking has become a significant threat to national security. Authorities are increasing their scrutiny and applying sanctions to IT networks linked to North Korea, and we can expect even stricter measures in the future.
Major security breaches, especially those connected to governments or large entities, create ongoing risks for decentralized finance (DeFi). These risks can lead to increased insurance costs, potential removal from exchanges, disagreements about how to compensate victims, and prolonged periods of decreased trading activity for tokens and perpetual futures.

2026-04-06 15:58