
North Korea Used Fake Identities To Enter DeFi Companies

Anastasia



MetaMask security researcher Taylor Monahan dropped a bomb on the crypto industry: North Korean IT workers have been embedded inside decentralized finance projects for at least seven years. Monahan named more than 40 DeFi platforms, some very well-known, that have had North Korean developers contributing to their codebases at some point. The “seven years of blockchain dev experience” on their resumes, she said, “is not a lie.”


The Lazarus Group, North Korea’s state-sponsored hacking operation, has stolen an estimated $7 billion in crypto since 2017. The list of hits reads like a history of the industry’s worst days: $625 million from the Ronin Bridge in 2022, $235 million from WazirX in 2024, $1.4 billion from Bybit in 2025. And this week, Drift Protocol said with “medium-high confidence” that its $280 million exploit was carried out by a North Korean-affiliated group. Drift’s postmortem revealed something new: the face-to-face meetings that led to the exploit weren’t with North Korean nationals. They were with third-party intermediaries carrying fully constructed identities, including employment histories, public credentials, and professional networks. As one DeFi founder put it: “It seems Lazarus now has non-North Koreans working for them to con people in person.”

The Insider Attack Vector


Blockchain investigator ZachXBT pushed back on the idea that all of this is equally sophisticated. He pointed out that the job interview pipeline (fake LinkedIn profiles, Zoom calls, polished resumes) is “basic and in no way sophisticated. The only thing about it is they’re relentless.” His view: if your team is still falling for these in 2026, you’re negligent. The more dangerous operations, the ones that produce $280 million exploits, involve months of preparation, insider access, and infrastructure that is harder to detect and harder to attribute.


What makes this story different from a standard hack report is the scale of the infiltration. This is not a foreign adversary breaking into systems from the outside. This is a nation-state that has been placing its workers inside the companies building the financial infrastructure of the future, contributing real code, earning real trust, and then either extracting funds directly or laying the groundwork for someone else to do it later. Seven billion dollars over seven years, funded by the labor of developers who passed interviews, shipped features, and collected paychecks while working for Pyongyang.

Bitcoin Does Not Play This Game

But you know what North Korea can’t hack? Bitcoin.


Not because they have not tried, and not because they would not if they could. It is because Bitcoin does not give them the attack surface. There are no admin keys to compromise, no insiders who can quietly rewrite the rules, no smart contracts with hidden backdoors, no foundations or dev teams they can infiltrate and steer. You cannot socially engineer a protocol that does not rely on trust in the first place.


Every major “crypto” hack in this list shares the same pattern: complexity, centralization, and human discretion. Bridges, multisigs, upgradeable contracts, governance systems. All of them introduce points of failure, and North Korea has turned those into a business model. They do not break cryptography. They exploit people, permissions, and poorly designed systems.


Bitcoin strips that away. The rules are simple, globally enforced, and extremely difficult to change. Even if a malicious actor got hired at a Bitcoin company, it would not matter. They do not control the network. They cannot push an update that changes the monetary policy. They cannot drain wallets through a hidden function. The system does not trust them to begin with.

That is the real divide. This is not just about hacks; it is about architecture. One system assumes trust and keeps getting burned. The other assumes adversaries everywhere and keeps running anyway.


North Korea can infiltrate your team. They can sit in your Slack. They can write your code.


But they cannot rewrite Bitcoin.
