{"id":95935,"date":"2026-04-06T11:58:49","date_gmt":"2026-04-06T08:58:49","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=95935"},"modified":"2026-04-06T12:00:22","modified_gmt":"2026-04-06T09:00:22","slug":"north-korean-agents-secretly-developed-code-for-leading-defi-projects-for-seven-years","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/north-korean-agents-secretly-developed-code-for-leading-defi-projects-for-seven-years\/","title":{"rendered":"North Korean Agents Secretly Developed Code for Leading DeFi Projects for Seven Years"},"content":{"rendered":"<p>For at least seven years, North Korean IT specialists have been integrating themselves into <a href=\"https:\/\/forklog.com\/en\/news\/what-is-decentralised-finance-defi\">DeFi<\/a> projects. This was stated by <a href=\"https:\/\/forklog.com\/en\/news\/what-is-metamask\">MetaMask<\/a> developer Taylor Monahan.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Yuppppppp<\/p>\n<p>Lots of DPRK IT Workers built the protocols you know and love, all the way back to defi summer<\/p>\n<p>The \u201c7 years blockchain dev experience\u201d on their resume is not a lie. <a href=\"https:\/\/t.co\/EQNgl5KhJ5\">https:\/\/t.co\/EQNgl5KhJ5<\/a><\/p>\n<p>\u2014 Tay \ud83d\udc96 (@tayvano_) <a href=\"https:\/\/twitter.com\/tayvano_\/status\/2040664577168547920?ref_src=twsrc%5Etfw\">April 5, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cMany IT workers have been building the protocols you know and love since the days of &#8216;DeFi summer&#8217;. The seven years of blockchain development experience on their resume is not a lie,\u201d she wrote.<\/em><\/p>\n<\/blockquote>\n<p>Among those affected by North Korean individuals, the expert <a href=\"https:\/\/x.com\/tayvano_\/status\/2040668973923189123\">highlighted<\/a> SushiSwap, Thorchain, Fantom, Shib, Yearn, Floki, and many other projects.<\/p>\n<p>Monahan&#8217;s comments were in response to a statement by Tim Ahl, founder of the <a href=\"https:\/\/forklog.com\/en\/news\/what-is-solana-sol\">Solana<\/a> aggregator Titan. He recounted interviewing a candidate at a previous job who later turned out to be a member of the <a href=\"https:\/\/forklog.com\/en\/news\/lazarus-group-what-we-know-about-the-outfit-suspected-of-the-bybit-hack\">Lazarus Group<\/a>.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cHe was extremely skilled and always joined video calls. But when we invited him for an in-person meeting, he refused to fly over \u2014 we rejected his application. Later, his name appeared in a Lazarus leak. It turned out that the group now has agents not from North Korea who personally gain trust,\u201d Ahl shared.<\/em><\/p>\n<\/blockquote>\n<p>The discussions arose amid a <a href=\"https:\/\/forklog.com\/en\/news\/drift-protocol-reveals-details-of-280-million-hack\">report by the Drift Protocol team<\/a>, which suffered a <a href=\"https:\/\/forklog.com\/en\/news\/drift-protocol-on-solana-loses-280m\">$280 million hack<\/a>. The developers claimed that North Korean hackers were behind the attack.<\/p>\n<h2 class=\"wp-block-heading\">Threat Assessment<\/h2>\n<p>Blockchain detective ZachXBT, who has repeatedly <a href=\"https:\/\/forklog.com\/en\/news\/user-hacks-north-korean-hacker\">highlighted<\/a> the threat posed by North Korea to the crypto industry, joined the discussion. According to him, Lazarus Group is a collective name for all \u201ccyber actors supported by North Korea.\u201d<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p lang=\"en\" dir=\"ltr\">Lazarus Group is the collective name for all DPRK state sponsored cyber actors. <\/p>\n<p>The main issue is everyone groups them all together when the complexity of threats are different. <\/p>\n<p>Threats via job postings, LinkedIn, email, Zoom, or interviews are basic and in no way\u2026 <a href=\"https:\/\/t.co\/NL8Jck5edN\">pic.twitter.com\/NL8Jck5edN<\/a><\/p>\n<p>\u2014 ZachXBT (@zachxbt) <a href=\"https:\/\/twitter.com\/zachxbt\/status\/2040666565503524932?ref_src=twsrc%5Etfw\">April 5, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cThe main problem is that everyone groups them all together, although the complexity of threats is different,\u201d he noted.<\/em><\/p>\n<\/blockquote>\n<p>The specialist described job postings, LinkedIn, emails, Zoom, and interviews as \u201csimple and primitive\u201d schemes. The main weapon of the perpetrators is persistence. According to him, today it is quite easy to identify a fraudster.<\/p>\n<p>The only groups carrying out complex attacks remain TraderTraitor and AppleJeus.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-564038132ca2f55d-1067047169460877.webp\" alt=\"all attacks on crypto projects linked to North Korean hackers\" class=\"wp-image-278019\"\/><figcaption class=\"wp-element-caption\">All attacks on crypto projects linked to North Korean hackers. Source: <a href=\"https:\/\/x.com\/jussy_world\/status\/2040833023080632551\">X<\/a>. <\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\">Resources for Verification and Protection<\/h2>\n<p>The U.S. Treasury&#8217;s OFAC <a href=\"https:\/\/sanctionssearch.ofac.treas.gov\/\">maintains a special website<\/a> where crypto companies can check counterparties against current sanctions lists and receive warnings about typical fraud schemes by IT specialists.<\/p>\n<p>Taylor Monahan has also created a knowledge base on GitHub, where one can find research-based information on North Korea&#8217;s activities in the digital asset sphere.<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/tayvano_?ref_src=twsrc%5Etfw\">@tayvano_<\/a> has built a good resource on GitHub that\u2019s a wealth of knowledge about DPRK using research collected from a variety of sources <a href=\"https:\/\/t.co\/C9ZoSNVjIU\">https:\/\/t.co\/C9ZoSNVjIU<\/a><\/p>\n<p>\u2014 ZachXBT (@zachxbt) <a href=\"https:\/\/twitter.com\/zachxbt\/status\/2040668255787065415?ref_src=twsrc%5Etfw\">April 5, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Back in March, the Lazarus Group was <a href=\"https:\/\/forklog.com\/en\/news\/lazarus-group-suspected-in-bitrefill-cyberattack\">suspected<\/a> of attacking the cryptocurrency online store Bitrefill.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>North Korean IT specialists have been integrating into DeFi projects for at least seven years, stated MetaMask developer Taylor Monahan.<\/p>\n","protected":false},"author":1,"featured_media":95936,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"North Korean IT specialists have been integrating into DeFi projects for at least seven years.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[44,1202],"class_list":["post-95935","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybercrime","tag-north-korea-dprk"],"aioseo_notices":[],"amp_enabled":true,"views":"19","promo_type":"1","layout_type":"1","short_excerpt":"North Korean IT specialists have been integrating into DeFi projects for at least seven years.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/95935","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=95935"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/95935\/revisions"}],"predecessor-version":[{"id":95937,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/95935\/revisions\/95937"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/95936"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=95935"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=95935"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=95935"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}