North Korean Agents Have Been Inside DeFi For Nearly A Decade, Researcher Says

A $280 million exploit against Drift Protocol last week wasn't just a heist — it was the latest operation tied to a network of North Korean agents who have quietly worked inside some of crypto's biggest projects for years. The involvement of North Korean agents in the cryptocurrency industry has been a growing concern, with recent revelations highlighting their extensive reach and impact.
Security researcher Taylor Monahan has uncovered evidence that North Korean IT workers have been embedded within more than 40 decentralized finance (DeFi) platforms, including well-known projects such as Sushi, Thorchain, Yam, Pickle, Harvest, Reclaim, Swing, Paid, Naos, Shezmu, Qrolli, Saffron, Sifu, Napier, Harmony, Blueberry, Stable, Onering, Elemental, Divvy, La Token, ImperMax, Kira, Cook, Fantom, Ankr, Gamerse, MetaPlay, Spice, Beanstalk, Deltaprime, and others. Their infiltration dates back to the peak of DeFi's popularity, often referred to as "DeFi Summer" in 2020.
Monahan's findings indicate that the North Korean agents' "seven years of blockchain development experience" listed on their resumes is not fabricated. Instead, they have genuinely built and contributed to these protocols, giving them insider knowledge and access to exploit vulnerabilities. This level of integration allows them to carry out sophisticated attacks with minimal detection.
The Lazarus Group, North Korea's state-sponsored cyber operation, has been responsible for an estimated $7 billion stolen from the crypto industry since 2017. Analysts at creator network R3ACH have compiled this figure, which includes major attacks such as the $625 million Ronin Bridge breach in 2022, the $235 million WazirX hack in 2024, and the $1.4 billion Bybit theft in 2025. In 2026 alone, Lazarus reportedly carried out 18 attacks on protocols within three months, with the stolen funds going to finance North Korea's nuclear weapons program.
What sets the Drift Protocol exploit apart is the physical presence of North Korean agents. The protocol confirmed that face-to-face interactions took place, indicating a level of operational exposure that is rare in the world of cybercrime. This suggests that the North Korean agents are not only skilled in cyber operations but also capable of conducting covert in-person meetings, further complicating efforts to trace and prevent their activities.
The involvement of North Korean agents in the crypto industry raises significant concerns about national security and the stability of digital assets. As the DeFi ecosystem continues to grow, so too does the risk of targeted attacks by state-sponsored groups. The recent exploits highlight the need for enhanced security measures, better protocol audits, and improved collaboration between the crypto community and law enforcement agencies to mitigate these threats.
The extent of North Korean infiltration into DeFi platforms also raises questions about the role of third-party proxies in these operations. While the Lazarus Group is the primary suspect, it's possible that other entities are being used as intermediaries to obscure the true origin of these attacks. This adds another layer of complexity to the investigation and underscores the need for a more comprehensive approach to combating cyber threats in the crypto space.
In conclusion, the North Korean agents' presence within the DeFi ecosystem is a troubling development that has been ongoing for nearly a decade. Their ability to infiltrate major projects and execute large-scale exploits highlights the vulnerabilities in the industry and the urgent need for improved security practices. As the cryptocurrency market continues to evolve, it will be crucial for stakeholders to remain vigilant and proactive in addressing these threats to protect both users and the broader financial system.









