Expert Says North Korean IT Workers Helped Build Top Protocols During DeFi Summer

Cybersecurity researcher Taylor Monahan has recently claimed that North Korean-linked IT workers have been operating within the decentralized finance (DeFi) ecosystem for years, contributing to many well-known protocols during the "DeFi summer" era of 2020. Monahan's revelations challenge previous assumptions that these developers were merely faking resumes, as she asserts that the years of blockchain development experience listed on their resumes were often genuine, indicating real technical contributions rather than fabricated credentials.

When asked for specific examples of the projects these North Korean developers have influenced, Monahan pointed to several prominent platforms, including SushiSwap, THORChain, Yearn, Harmony, Ankr, and Shiba Inu, among many others. These projects, which have collectively enabled billions in crypto transactions, were inadvertently shaped by individuals with ties to North Korea. Monahan's findings highlight a concerning trend of state-sponsored actors infiltrating the DeFi space, leveraging their technical expertise to gain access to critical infrastructure.

Interestingly, some teams, like Yearn, stood out for their strict approach to security, relying heavily on peer review and maintaining a high level of skepticism toward contributors. This cautious approach, Monahan implied, helped limit potential exposure compared to other projects that may have been more vulnerable to infiltration. However, the security expert warned that the tactics used by these groups have evolved, and they are now potentially using non-North Korean individuals to carry out parts of their operations, including in-person interactions. This adaptability raises concerns about the extent of their influence and the difficulty of identifying their activities.

According to Monahan's estimates, these entities may have collectively extracted at least $6.7 billion from the crypto space during this period. North Korea has continued to dominate crypto-related cybercrime, emerging as the largest state-backed threat in the sector. An earlier report by Chainalysis revealed that DPRK hackers stole at least $2.02 billion in digital assets in 2025 alone, a 51% increase from 2024 and accounting for 76% of all service-related breaches. While there were fewer attacks, the scale was significantly larger. Chainalysis attributed this scale to the state-backed groups' use of infiltrated IT workers who gain access to crypto firms, including exchanges and custodians, before major exploits take place.

Once funds are stolen, these actors typically move assets in smaller transactions to avoid detection, further complicating efforts to track and recover the stolen cryptocurrencies. The impact of these attacks extends beyond the financial loss, as it undermines trust in the DeFi ecosystem and raises questions about the security of decentralized platforms.

Monahan's findings underscore the need for increased vigilance and robust security measures within the DeFi community. As the sector continues to grow, the potential for infiltration by state-sponsored actors poses a significant risk to the integrity and stability of these platforms. The challenge for developers and security experts is to balance innovation with the necessary precautions to protect against such threats, ensuring that the benefits of decentralization are not overshadowed by the dangers of cybercrime.

In conclusion, the revelation that North Korean IT workers have been actively contributing to prominent DeFi platforms during the "DeFi summer" era highlights a complex and evolving landscape of cyber threats. While these developers undeniably brought technical expertise to the table, their true allegiances and motivations have had far-reaching consequences, resulting in significant financial losses and eroding trust in the crypto space. As the DeFi ecosystem evolves, it will be crucial for stakeholders to prioritize security and transparency, learning from past mistakes to better safeguard against future infiltration attempts.