Security concerns rise over insider threats in decentralised finance systems (Photo Credit: Unsplash/Shubham Dhage)

IT Workers From North Korea Have Been Infiltrating DeFi Platforms for Past 7 Years

by · Gadgets 360

Highlights

  • Researcher links DPRK workers to over 40 DeFi platforms
  • Social engineering tactics used in major exploit cases
  • Lazarus group tied to multi-billion crypto thefts

Security researcher Taylor Monahan has claimed that North Korean IT workers have been infiltrating DeFi platforms for the past 7 years. This includes over 40 DeFi platforms, which she listed in a post on X. She further added that the seven years of DeFi experience on their resumes is not a lie, because they have built all the critical protocols that run on each of these DeFi platforms. This revelation came hours after the Drift Protocol disclosed a $280 million (roughly Rs. 2,600 crore) exploit, which also had a DPRK group behind it.

Long-Term Infiltration Raises Concerns Over DeFi Security Risks

Drift Protocol, which fell prey to this scam, was completely oblivious. In a post on X, Drift Protocol explained that this was not a typical hack, but a months-long, highly coordinated social engineering operation. Bad actors posed as a legitimate trading firm and met Drift Protocol executives at numerous crypto events. They even invested a million dollars in capital on the platform. Over time, they managed to trick team members into interacting with malicious code and apps, likely compromising their devices and gaining access to critical systems. This operation is now linked to a DPRK group called UNC4736.

This is not the first time that a DPRK group has been part of such a scam. As per the analysts at Creator Network R3ACH, the Lazarus group has stolen over $7 billion (roughly Rs. 65,000 crore) in crypto since 2017. These attacks include the $625 million (roughly Rs. 5,803 crore) Ronin Bridge exploit in 2022, the $235 million (roughly Rs. 2,182 crore) WazirX exploit in 2024, and the $1.4 billion (roughly Rs. 13,000 crore) Bybit heist in 2025, which is also the biggest hack on their timeline.

Commenting on this issue, Tim Ahhl, the founder of Titan Exchange, a Solana-based DEX aggregator, said that in a previous job, “we interviewed someone who turned out to be a Lazarus executive.” Ahhl further added that the candidate “did video calls and was extremely qualified”. The bad actor declined an in-person interview, and the execs at Titan Exchange later found his name in a Lazarus “info dump.”

Earlier this year, the US Treasury had sanctioned individuals and entities tied to a North Korea-linked IT worker scheme that allegedly used fake identities to secure remote tech jobs and funnel earnings through cryptocurrency. Officials say the network helped generate illicit revenue for the North Korean regime.

Cryptocurrency is an unregulated digital currency, not a legal tender and subject to market risks. The information provided in the article is not intended to be and does not constitute financial advice, trading advice or any other advice or recommendation of any sort offered or endorsed by NDTV. NDTV shall not be responsible for any loss arising from any investment based on any perceived recommendation, forecast or any other information contained in the article.