North Korean IT specialists have been working for at least seven years on DeFi projects. This was stated by MetaMask developer Taylor Monahan.
Yuppppppp
Lots of DPRK IT Workers built the protocols you know and love, all the way back to defi summer
The “7 years blockchain dev experience” on their resume is not a lie. https://t.co/EQNgl5KhJ5
— Tay 💖 (@tayvano_) April 5, 2026
“Many IT workers have been creating protocols that you know and love since the 'DeFi summer.' Seven years of blockchain development experience on their resumes is not a lie,” she wrote.
In connection with the North Korean individuals mentioned, the expert named projects such as SushiSwap, Thorchain, Fantom, Shib, Yearn, Floki, and many others.
Monahan's comments were in response to a statement from Tim Ahla, founder of the Solana aggregator Titan. He shared that at a previous job he had interviewed a candidate who later turned out to be a member of the Lazarus Group.
“He was extremely qualified and always appeared on video calls. But when we invited him for an in-person meeting, he refused to come — we rejected his application. Later, his name appeared in a Lazarus leak. It turned out that the group now has agents not from North Korea who are gaining trust personally,” Ahla shared.
The discussions intensified following a report from the Drift Protocol team, which suffered a $280 million hack. The developers claimed that the attack was carried out by North Korean hackers.
Threat Assessment
Blockchain detective ZachXBT joined the discussion, having previously pointed out the threat posed by North Korea to the crypto industry. According to him, the Lazarus Group is a collective term for all “state-sponsored cyber actors from North Korea.”
Lazarus Group is the collective name for all DPRK state sponsored cyber actors.
The main issue is everyone groups them all together when the complexity of threats are different.
Threats via job postings, LinkedIn, email, Zoom, or interviews are basic and in no way… pic.twitter.com/NL8Jck5edN
— ZachXBT (@zachxbt) April 5, 2026
“The main problem is that everyone groups them together, even though the complexity of the threats varies,” he noted.
The expert described job postings, LinkedIn, emails, Zoom, and interviews as “simple and primitive” schemes. The main weapon of the attackers is persistence. He stated that today, identifying a fraudster is relatively easy.
The only groups that carry out complex attacks are TraderTraitor and AppleJeus.
All attacks related to North Korean hackers target crypto projects. Source: X.
Resources for Verification and Protection
The U.S. Treasury Department's OFAC maintains a dedicated website where crypto companies can verify counterparties against current sanctions lists and receive alerts about common fraud schemes involving IT specialists.
Taylor Monahan also created a knowledge base on GitHub, which contains research-based information about North Korea's activities in the digital asset space.
@tayvano_ has built a good resource on GitHub that’s a wealth of knowledge about DPRK using research collected from a variety of sources https://t.co/C9ZoSNVjIU
— ZachXBT (@zachxbt) April 5, 2026
It’s worth noting that in March, the Lazarus Group was suspected of attacking the cryptocurrency online store Bitrefill.
