North Korean IT Workers Infiltrate Major DeFi Protocols for Seven Years
Severity: High (Score: 73.3)
Sources: Cryptorank, Bitget
Summary
Recent findings reveal that North Korean IT workers have been involved in the development of decentralized finance (DeFi) protocols for at least seven years. Cybersecurity researcher Taylor Monahan disclosed that over 40 DeFi platforms, including well-known projects, have had contributions from these workers, particularly during the DeFi summer of 2020. This infiltration marks a strategic shift from direct cyberattacks to legitimate development roles, allowing North Korean operatives to gain technical skills and operate within legal boundaries. The Lazarus Group, a North Korean hacking collective, has been linked to significant crypto thefts, including the $1.4 billion Bybit heist in 2025. The Drift Protocol recently reported a $280 million exploit believed to be connected to North Korean-affiliated hackers. The decentralized nature of blockchain development complicates security vetting, raising concerns about the potential for future exploits. The situation highlights the need for enhanced scrutiny in hiring practices within the crypto industry.
Key Points
- North Korean IT workers have contributed to over 40 DeFi platforms for seven years.
- The Lazarus Group has been linked to significant cryptocurrency thefts totaling $7 billion since 2017.
- The Drift Protocol recently suffered a $280 million exploit attributed to North Korean-affiliated hackers.
Key Entities
- Bureau 121 (apt_group)
- Lazarus Group (apt_group)
- Data Breach (attack_type)
- Ransomware (attack_type)
- Bybit (company)
- Drift Protocol (company)
- Ronin Bridge (company)
- WazirX (company)
- X (company)
- North Korea (country)
- GitHub (platform)