A security researcher’s analysis reveals North Korean state-sponsored developers have been embedding themselves within crypto projects for seven years, contributing to an estimated $7 billion in exploits.

A cybersecurity analyst has revealed that North Korean IT workers have successfully infiltrated more than 40 decentralized finance protocols over the past seven years, embedding themselves in projects dating back to the “DeFi summer” of 2020. The operations are linked to state-sponsored hacking collectives like the Lazarus Group, which is estimated to have stolen $7 billion since 2017.
“Lots of DPRK IT workers built the protocols you know and love, all the way back to DeFi summer,” MetaMask developer and security researcher Taylor Monahan said in a social media post on Sunday. Monahan added that the “seven years of blockchain dev experience” listed on some resumes is “not a lie.”
The revelations connect long-term infiltration strategies to some of the largest thefts in the crypto industry. According to analysts at R3ACH Network, the Lazarus Group has been linked to major exploits including the $625 million Ronin Bridge hack in 2022 and the more recent $280 million exploit of the Solana-based Drift Protocol. The sustained campaign highlights a persistent and evolving threat vector for the entire DeFi ecosystem.
This long-term infiltration poses a significant operational security risk for the crypto industry, forcing protocols to re-evaluate their hiring and counterparty verification processes. The use of sophisticated, non-national intermediaries suggests that simple background checks are no longer sufficient to thwart attacks that may have been in planning for months or even years.
The recent $280 million exploit against Drift Protocol shed light on the evolving methods used by these state-affiliated groups. In a postmortem, the Drift team said it had “medium-high confidence” the attack was conducted by a North Korean group. However, the protocol’s developers noted that the individuals they met with in person were not North Korean nationals.
Instead, the attackers used “third-party intermediaries” who had “fully constructed identities including employment histories, public-facing credentials, and professional networks.”
This tactic was corroborated by Tim Ahhl, founder of the Titan Exchange, who recounted a previous experience interviewing a candidate who was later identified as a Lazarus operative. “We interviewed someone who turned out to be a Lazarus operative,” Ahhl said, noting the candidate “did video calls and was extremely qualified” but declined an in-person interview. The U.S. Office of Foreign Assets Control (OFAC) maintains a sanctions list that crypto businesses can use for screening, but these evolving social engineering tactics complicate compliance.
Blockchain analyst ZachXBT cautioned against grouping all North Korean-linked cyber threats together. He explained that Lazarus Group is a collective term for “all DPRK state-sponsored cyber actors,” but the complexity of their attacks varies.
Threats that arrive via job postings, LinkedIn, or email are “basic and in no way sophisticated,” ZachXBT said, adding that their primary advantage is being “relentless.” He argued that falling for such schemes in 2026 indicates a degree of negligence. The more sophisticated attacks, like the one on Drift Protocol, involve months of deliberate preparation and social engineering, representing a much more dangerous threat.
The continued success of these groups underscores a critical vulnerability in the DeFi space, where the ethos of anonymity can be exploited. For projects, especially those with pseudonymous teams, the report is a stark reminder of the need for robust operational security, thorough vetting of contributors, and a zero-trust approach to development and protocol administration.