Expert Says North Korean IT Workers Helped Build Top Protocols During DeFi Summer

Cybersecurity researcher Taylor Monahan has recently claimed that North Korean-linked IT workers have been operating within the decentralized finance (DeFi) ecosystem for years, contributing to many well-known protocols during the "DeFi summer" era of 2020. In a series of tweets, Monahan revealed that these individuals were not faking their resumes, as previously suspected, but were instead genuinely involved in the development of prominent DeFi platforms. This revelation has raised concerns about the extent of North Korean involvement in the crypto space and the potential impact on the industry.

Monahan's findings challenge earlier assumptions that North Korean developers were merely fabricating their credentials to gain entry into the DeFi sector. Instead, she argues that these workers were actively contributing to the development of several high-profile projects, including SushiSwap, THORChain, Yearn, Harmony, Ankr, and Shiba Inu, among others. The years of blockchain development experience listed on their resumes were often genuine, indicating real technical contributions rather than fabricated credentials.

When asked for specific examples of North Korean involvement, Monahan pointed to projects like Yearn, which stood out for their strict approach to security. The team relied heavily on peer review and maintained a high level of skepticism toward contributors, which helped limit potential exposure compared to other projects. However, this does not mean that all projects were equally secure, as Monahan's research suggests that many other DeFi platforms were infiltrated by North Korean actors.

Monahan's warning extends beyond the initial infiltration of DeFi protocols. She has indicated that the tactics used by these groups have evolved, and they are now potentially using non-North Korean individuals to carry out parts of their operations, including in-person interactions. This expansion of their modus operandi raises concerns about the increasing complexity and sophistication of cyber threats in the crypto space.

According to Monahan's estimates, these entities may have collectively extracted at least $6.7 billion from the crypto space during this period. North Korea has continued to dominate crypto-related cybercrime, emerging as the largest state-backed threat in the sector. A report by Chainalysis in 2025 highlighted that DPRK hackers stole at least $2.02 billion in digital assets, a 51% increase from 2024. This accounts for 76% of all service-related breaches. While there were fewer attacks, the scale was significantly larger, and Chainalysis attributed this to the state-backed groups' use of infiltrated IT workers who gain access to crypto firms, including exchanges and custodians, before major exploits take place.

Once funds are stolen, these actors typically move assets in smaller transactions to avoid detection. The impact of these attacks is not limited to the financial losses but also extends to the broader trust and stability of the crypto ecosystem. As more investors and users become aware of the risks posed by state-sponsored cyber threats, it could lead to increased regulatory scrutiny and stricter security measures in the industry.

Monahan's research underscores the need for greater vigilance and collaboration among DeFi protocols, developers, and regulators to mitigate the risks posed by North Korean and other state-sponsored actors. While the DeFi space has grown rapidly, it has also become a lucrative target for cybercriminals, highlighting the importance of prioritizing security and transparency in the development and deployment of new protocols.

In conclusion, the revelation that North Korean IT workers were actively involved in the development of prominent DeFi platforms during the "DeFi summer" of 2020 has significant implications for the crypto ecosystem. It not only challenges previous assumptions about the legitimacy of their credentials but also highlights the scale and sophistication of state-sponsored cyber threats in the industry. As these threats continue to evolve, it is crucial for the crypto community to remain alert and take proactive measures to safeguard against such attacks, ensuring the stability and growth of the DeFi sector.