{"id":79618,"date":"2026-04-07T07:01:34","date_gmt":"2026-04-07T07:01:34","guid":{"rendered":"https:\/\/dogewisperer.com\/?p=79618"},"modified":"2026-04-07T07:01:34","modified_gmt":"2026-04-07T07:01:34","slug":"north-korean-agents-have-been-inside-defi-for-nearly-a-decade-researcher-says","status":"publish","type":"post","link":"https:\/\/dogewisperer.com\/?p=79618","title":{"rendered":"North Korean Agents Have Been Inside DeFi For Nearly A Decade, Researcher Says"},"content":{"rendered":"<div>\n<p>A $280 million exploit against Drift Protocol last week wasn\u2019t just a heist \u2014 it was the latest operation tied to a network of North Korean agents who have quietly worked inside some of crypto\u2019s biggest projects for years.<\/p>\n<h2>Seven Years Of Cover, 40+ Platforms Breached<\/h2>\n<p>MetaMask developer and security researcher Taylor Monahan said Sunday that North Korean IT workers have been <a href=\"https:\/\/x.com\/tayvano_\/status\/2040668973923189123\" target=\"_blank\" rel=\"noopener nofollow\">embedded<\/a> inside more than 40 decentralized finance platforms, some of them household names in the crypto space.<\/p>\n<p>Their infiltration goes back to what the industry calls \u201cDeFi Summer\u201d \u2014 roughly 2020, when decentralized finance exploded in popularity.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">oh god uhhhh like sushi, thorchain, yam, pickle, harvest, reclaim, swing, paid, naos, shezmu, qrolli, saffron, sifu, napier, harmony, blueberry, stabble, onering, elemental, divvy, la token, impermax, kira, cook, fantom, ankr, gamerse, metaplay, spice, beanstalk, deltaprime,\u2026<\/p>\n<p>\u2014 Tay <img decoding=\"async\" src=\"https:\/\/s.w.org\/images\/core\/emoji\/17.0.2\/72x72\/1f496.png\" alt=\"\ud83d\udc96\" class=\"wp-smiley\" style=\"height: 1em; max-height: 1em;\"> (@tayvano_) <a href=\"https:\/\/twitter.com\/tayvano_\/status\/2040668973923189123?ref_src=twsrc%5Etfw\" rel=\"nofollow noopener\" target=\"_blank\">April 5, 2026<\/a><\/p>\n<\/blockquote>\n<p>Monahan said the \u201cseven years of blockchain development experience\u201d these workers list on their resumes isn\u2019t fabricated. They actually built the protocols.<\/p>\n<p>The Lazarus Group \u2014 the name given to North Korea\u2019s <a href=\"https:\/\/www.nccgroup.com\/the-lazarus-group-north-korean-scourge-for-plus10-years\/?afd_azwaf_tok=eyJraWQiOiI1Q0JEQ0JDRUUxRTc5NzMyRDg4MjBGRDM4MDc3MUI4RUFFQTcxNUM4QzY5MkIzNDY1MkYxNjhERDk0N0M5NUM5IiwiYWxnIjoiUlMyNTYifQ.eyJhdWQiOiJ3d3cubmNjZ3JvdXAuY29tIiwiZXhwIjoxNzc1NDg1NDM0LCJpYXQiOjE3NzU0ODU0MjQsImlzcyI6InRpZXIxLTg0NzhiNTRkNjgtc3pxeGsiLCJzdWIiOiIxMjA6ZDgwZjoxNmY1OjE5Yjk6YzI2YzoyZTZiOjZlNTphNjkwIiwiZGF0YSI6eyJ0eXBlIjoiaXNzdWVkIiwicmVmIjoiMjAyNjA0MDZUMTQyMzQ0Wi0xODQ3OGI1NGQ2OHN6cXhraEMxSEtHcDFiODAwMDAwMDBwOTAwMDAwMDAwMHJjbXoiLCJiIjoiZ2Noc3FKZUlNYVdjUEdBbXNYaHZXVHQ4M2kza0lDWnVFY1dtYV9sQUdKZyIsImgiOiJENXhQYmdHMGdqaWloMVQwekR1RGJQU3haV2RoUXJOZnlOejVqak1scGhjIn19.eP2CmNb2U1CsCkXoWXNll-CL9sdBjxVdCG4M4JuvHGMmQMlpkOfYA64H84Q4pe8duzIMKV3R5Mks2rEDSU9E4TrgdrPJ83lTDgSeK13gfga1DW2gT2Jb5yDUW4nyI3WyObMVvNgdJmBYSZx47w8VKfnHsyAfe3D2mBGtMZV36B56gCaYRGD11B3jjzFeoZZ96HIMF-ryYSdMHCJE28ZlGuCss15gaizqOQqEwMqcJaCUa-DXXwLRETBgqhbVWx7N37oVt4cPiPhYyWZG5MT-IpFVk5LbkqMHw4_aRccxjps20H3hjbMfHPktjodBX0k9y9eRX23WJVYc1lWFuDTcxw.WF3obl2IDtqgvMFRqVdYkD5s\" target=\"_blank\" rel=\"noopener nofollow\">state-sponsored cyber operation<\/a> \u2014 has pulled an estimated $7 billion from the crypto industry since 2017.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">Reportedly:<\/p>\n<p>In 2026 Lazarus made 18 attacks on protocols in 3 months<\/p>\n<p>Stolen funds are funding \u201cNorth Korea\u2019s Nuclear Weapons\u201d<\/p>\n<p>It\u2019s the most successful venture fund built on hacks<\/p>\n<p>Here is the complete attack timeline <img decoding=\"async\" src=\"https:\/\/s.w.org\/images\/core\/emoji\/17.0.2\/72x72\/1f447.png\" alt=\"\ud83d\udc47\" class=\"wp-smiley\" style=\"height: 1em; max-height: 1em;\"> <a href=\"https:\/\/t.co\/GuNL4FTCqv\" rel=\"nofollow\">https:\/\/t.co\/GuNL4FTCqv<\/a> <a href=\"https:\/\/t.co\/7YJzYrTEJj\" rel=\"nofollow\">pic.twitter.com\/7YJzYrTEJj<\/a><\/p>\n<p>\u2014 jussy (@jussy_world) <a href=\"https:\/\/twitter.com\/jussy_world\/status\/2040833023080632551?ref_src=twsrc%5Etfw\" rel=\"nofollow noopener\" target=\"_blank\">April 5, 2026<\/a><\/p>\n<\/blockquote>\n<p>That figure comes from analysts at creator network R3ACH. Major attacks attributed to the group include the $625 million Ronin Bridge breach in 2022, the $235 million WazirX hack in 2024, and the $1.4 billion <a href=\"https:\/\/www.nccgroup.com\/research\/in-depth-technical-analysis-of-the-bybit-hack\/?afd_azwaf_tok=eyJraWQiOiI1MUExNzM1MkJFMzVFNkZCMTE3QUI4MEVDMjhFQjk1NkQ2ODYzNkY5MjA5MENGNENBMTJERTJFREE0MTkxMjY1IiwiYWxnIjoiUlMyNTYifQ.eyJhdWQiOiJ3d3cubmNjZ3JvdXAuY29tIiwiZXhwIjoxNzc1NDg1NDk1LCJpYXQiOjE3NzU0ODU0ODUsImlzcyI6InRpZXIxLThmY2RkYjdiYy1mOTV6NiIsInN1YiI6IjEyMDpkODBmOjE2ZjU6MTliOTpjMjZjOjJlNmI6NmU1OmE2OTAiLCJkYXRhIjp7InR5cGUiOiJpc3N1ZWQiLCJyZWYiOiIyMDI2MDQwNlQxNDI0NDVaLXIxOGZjZGRiN2JjZjk1ejZoQzFTRzFwc2huMDAwMDAwMGJ3ZzAwMDAwMDAwMmZkYSIsImIiOiJQalhMYU1PYTMzcjA5QzVRNlRSTDk4SjNmdjJwSERkWldPZEtVcW1aZEpzIiwiaCI6InpYRVZ2ZWQ3UW0xTkVIVUI1Rm1kRjZDblJDSll5dmZXM1NVanpLLWZyTDAifX0.FXnb30MslSRdwKNici0gt1qSJs9CD0_3uorkL7d4ycuWv4ZToyTDQbK6R7n7FXnQw8Qp1u9thHLWT04oJQu2tJloCjGZj9PHl4Lsoe-7vqqNsQTNgU2tKD5EeVASZlRfUdrZZb0b1i6wHFtSK0LpWOk3ynlk4oj4GTsdiReZoLWK1bZf4H0SuX0AVtSpaP475dRvl_5FMwUU8icVq7q8_fkAVXXhueMhJwXAsME4Pkemz-1AOwfQhpHqcl7x0LFNdnbP5lyuGOmDfylFhdB0voOh3ZPea0neSqc-_-PbItmwsrII9uue8OUW6z218QgYzyVHdeJQ8zQTngytroK3iQ.WF3obl2IDtqgvMFRqVdYkD5s\" target=\"_blank\" rel=\"noopener nofollow\">Bybit theft<\/a> in 2025.<\/p>\n<h2>Not All North Korean \u2014 Third-Party Proxies Now Involved<\/h2>\n<p>What sets the Drift case apart is who showed up in person. The protocol said that face-to-face meetings connected to the breach were not conducted by North Korean nationals.<\/p>\n<p>Instead, reports indicate the group used third-party intermediaries \u2014 people with built-out fake identities, fabricated employment histories, and professional networks constructed to pass scrutiny.<\/p>\n<p><img fetchpriority=\"high\" decoding=\"async\" class=\"size-full\" src=\"https:\/\/www.tradingview.com\/x\/l8xjPj94\/\" width=\"1835\" height=\"951\"><\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">Lazarus Group is the collective name for all DPRK state sponsored cyber actors.<\/p>\n<p>The main issue is everyone groups them all together when the complexity of threats are different.<\/p>\n<p>Threats via job postings, LinkedIn, email, Zoom, or interviews are basic and in no way\u2026 <a href=\"https:\/\/t.co\/NL8Jck5edN\" rel=\"nofollow\">pic.twitter.com\/NL8Jck5edN<\/a><\/p>\n<p>\u2014 ZachXBT (@zachxbt) <a href=\"https:\/\/twitter.com\/zachxbt\/status\/2040666565503524932?ref_src=twsrc%5Etfw\" rel=\"nofollow noopener\" target=\"_blank\">April 5, 2026<\/a><\/p>\n<\/blockquote>\n<p>Sleuth: Companies That Still Fall For This Are Negligent<\/p>\n<p>Blockchain investigator ZachXBT pushed back on how the industry discusses these threats, saying not all attack types carry the same weight.<\/p>\n<p>Recruitment-based schemes \u2014 job postings, LinkedIn outreach, Zoom interviews \u2014 are, in his words, basic. They require no technical sophistication. What makes them effective is sheer persistence.<\/p>\n<p>\u201cIf you or your team still falls for them in 2026, you\u2019re very likely negligent,\u201d ZachXBT wrote.<\/p>\n<p>For companies looking to screen out bad actors, the US Office of Foreign Assets Control maintains a public database where crypto businesses can check counterparties against updated sanctions lists and watch for patterns tied to IT worker fraud.<\/p>\n<p><em>Featured image from Unsplash, chart from TradingView<\/em><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A $280 million exploit against Drift Protocol last week wasn\u2019t just a heist \u2014 it was the latest operation tied to a network of North Korean agents who have quietly worked inside some of crypto\u2019s biggest projects for years. Seven Years Of Cover, 40+ Platforms Breached MetaMask developer and security researcher Taylor Monahan said Sunday [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":0,"footnotes":""},"categories":[2],"tags":[3,4,5],"class_list":["post-79618","post","type-post","status-publish","format-standard","hentry","category-news","tag-crypto","tag-doge","tag-news"],"_links":{"self":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts\/79618","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=79618"}],"version-history":[{"count":0,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts\/79618\/revisions"}],"wp:attachment":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=79618"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=79618"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=79618"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}